Source: United Kingdom – Executive Government & Departments
World news story
UK and South Korea sign first of its kind agreement to support global infrastructure development and Ukraine’s reconstruction
The UK has signed a MoU with South Korea to jointly support Ukraine’s reconstruction and global infrastructure, boosting trade and sustainable development.
The United Kingdom of Great Britain and Northern Ireland (UK) has signed a Memorandum of Understanding (MoU) with the Republic of Korea (ROK).
The MoU enhances cooperation between the UK Department for Business and Trade (DBT) and the Korean Overseas Infrastructure & Urban Development Corporation (KIND) to work on Ukrainian reconstruction projects, as well as global infrastructure development in other markets.
This first of its kind agreement signals an exciting opportunity for British and South Korean businesses to make a difference in Ukraine, as well as demonstrate their expertise to the global market, boosting both countries’ economies while being a force for good.
This agreement was signed in the Old Admiralty Building in London on Thursday 22nd May 2025, between the UK Business and Trade Minister, Gareth Thomas MP, and the KIND CEO, Mr. Bok Hwan Kim. It is KIND’s inaugural MoU with DBT and the UK Government.
The MoU will promote new UK-South Korean business partnerships across third markets in the fields of sustainable transport, healthcare infrastructure, smart cities and urban development, clean energy, water and waste management, and sustainable infrastructure and related technologies. In Ukraine, this agreement will kickstart urgent repairs to critical national infrastructure, including housing, hospitals and power generators.
The partnership will advance the UK’s strong diplomatic and trade ties with the Republic of Korea as set out in the 2023 Downing Street Accord. It is also underpinned by £16.3 billion in bilateral trade and supported through the existing UK-ROK Free Trade Agreement, which the Government has committed to upgrading.
The agreement also builds on the UK’s landmark 100-Year Partnership with Ukraine, whereby reconstruction programmes form a key part of the £5bn the UK Government has provided to Ukraine in non-military support.
Business and Trade Minister Gareth Thomas said:
This agreement is the first of its kind and strengthens our relationship with the Republic of Korea.
As part of our Plan for Change it will secure vital opportunities for UK businesses to work with KIND and South Korean companies in overseas infrastructure and deepen our commitment to supporting Ukrainian reconstruction efforts.
KIND CEO, Bok Hwan KIM, said:
This Memorandum of Understanding with the UK government marks a historic moment that elevates infrastructure cooperation between Korea and the United Kingdom to a new level. KIND is delighted to contribute to Ukraine’s reconstruction and sustainable infrastructure development worldwide through this partnership. By combining our countries’ expertise and technological capabilities, we can make a tangible impact across various sectors, from critical infrastructure repairs to clean energy and smart cities. This collaboration goes beyond business opportunities—it represents our joint response to global challenges, and we are honoured to embark on this important journey alongside British companies.
Background
KIND was established in June 2018 by the Government of the Republic of Korea to support Korean companies for project planning, feasibility studies, project information and project bankability.
The UK works with partner countries to jointly deliver high-quality infrastructure projects in third markets through the Third Country Cooperation (TCC) model.
The TCC partnership builds on the complementary strengths of both countries: South Korea brings globally recognised contracting expertise and cost-effective project delivery; the UK offers advisory services, engineering, project finance (including through UK Export Finance), and high-tech solutions.
Ukraine is a priority TCC market for both sides, although the agreement will also allow cooperation with other third countries.
Early reconstruction is vital to Ukraine’s resilience and ultimate victory, and the UK government is committed to mobilising British businesses to support this effort – helping to rebuild critical infrastructure, drive investment, and ensure Ukraine emerges stronger in the face of Russian aggression.
According to the World Bank’s Fourth Rapid Damage and Needs Assessment (RDNA4), as of 31 December 2024, the total cost of reconstruction and recovery in Ukraine is $524 billion (€506 billion) over the next decade, which is approximately 2.8 times the estimated nominal GDP of Ukraine for 2024.
The RDNA4 finds that direct damage in Ukraine has now reached $176 billion (€170 billion), up from $152 billion (€138 billion) in the RDNA3 of February 2024, with housing, transport, energy, commerce and industry, and education as the most affected sectors.
We have developed strong relationships with Ukrainian ministers, local mayors, and officials to identify immediate reconstruction needs, as prioritised by the Government of Ukraine. By promoting the expertise and capabilities of UK businesses, we can ensure UK companies are well-positioned to maximise their contribution to Ukraine’s recovery and reconstruction.
Source: People’s Republic of China – State Council News
Real Madrid forward Endrick has suffered a muscle injury that is likely to rule him out of this summer’s FIFA Club World Cup.
“Following tests carried out today on our player Endrick by the Real Madrid Medical Services, he has been diagnosed with an injury to the conjoint tendon in his right hamstring,” informs the club.
Real Madrid’s Endrick (L) vies with Real Valladolid’s Selim Amallah during La Liga football match between Real Madrid and Real Valladolid in Madrid, Spain, Aug. 25, 2024. (Photo by Gustavo Valiente/Xinhua)
As usual, Real Madrid did not provide a timeline for the 18-year-old’s return. The club, which signed Endrick last summer, stated only that “his recovery will be assessed,” though the severity of the injury makes his participation in the Club World Cup highly unlikely.
Real Madrid is set to debut in the tournament on June 18 against Saudi Arabian side Al-Hilal, followed by matches against Mexican club Pachuca on June 22 and Austria’s RB Salzburg on June 27 in the group stage.
The injury brings a premature end to what has been a slightly disappointing debut season for Endrick, who has been behind Kylian Mbappe, Rodrygo and Vinicius Jr in the attacking pecking order.
Endrick scored just one goal in 22 La Liga appearances–19 of those as a substitute–but found more success in cup competitions, netting five times in the Copa del Rey and once in the Champions League.
Source: People’s Republic of China – State Council News
The World Anti-Doping Agency (WADA) has welcomed Qatar’s decision to provide additional funding to support the organization’s scientific research efforts.
The Ministry of Sports and Youth in Qatar will contribute an extra 1.5 million U.S. dollars, in addition to the country’s annual payment of more than 200,000 dollars to WADA, the agency announced on Wednesday.
“WADA is appreciative of the continued support of our partners within Qatar’s Ministry of Sports and Youth. The additional funding will make a significant impact on anti-doping research globally and within Qatar itself,” said WADA President Witold Banka.
“This is another indication of the strong support WADA receives from governments around the world, which believe in and trust us to deliver on our clean sport mission and understand the importance of cutting-edge scientific research to being ahead of those who seek to cheat the system.”
Earlier this month, Japan pledged an additional 196,000 dollars to support anti-doping capacity and capability development in Asia and Oceania. According to WADA, Japan has contributed roughly 2.5 million dollars in additional funding over the past two decades.
In the past 10 years, WADA has also received additional contributions from countries including Australia, Azerbaijan, Brazil, Canada, China, Denmark, Egypt, France, India, Kuwait, Poland, Saudi Arabia, Switzerland and the United States.
Banka stated earlier this year that WADA invests heavily in anti-doping research, allocating about 10 percent of its annual budget to scientific and social science initiatives. The agency has also called on its partners to support ongoing research efforts, including recent work focused on unintentional doping.
WADA has set a budget of more than 50 million dollars for 2025.
The United States, which failed to pay its 2024 annual fee of 3.62 million dollars–amounting to 14 percent of WADA’s budget–automatically loses its seat on the organization’s executive committee for the year.
“It is so important for athletes that WADA is properly resourced and that it has certainty around the funds it receives,” said Yuhan Tan, Belgium’s former badminton player and WADA Athlete Council representative on the Foundation Board.
“I call on all governments to fulfill their commitments and make their annual contributions to WADA in a predictable and timely fashion so the work upholding the World Anti-Doping Code and supporting athletes around the world can continue. Clearly, anti-doping is becoming more and more politicized, which must be avoided as it puts all athletes and the entire system at risk,” he commented when WADA released its budget plan earlier this year.
Paris, France, 22 May 2025– Greenpeace International is alarmed by the state of the UN Ocean Conference draft declaration which falls far short of expectations, with less than three weeks to the start in Nice, France. Rather than establishing the ambition shown by states to protect the oceans,the current text – set to be published as the final text of the upcoming conference – lacks the necessary ambition to address the crisis facing the oceans.
The third, and supposedly final, draft declaration fails to include the key measures needed to ensure the ocean recovers from decades of abuse and can withstand the impacts of global climate change.
Megan Randles, UNOC Head of Delegation for Greenpeace International, said: “We’re shocked after all the fine words from the organisers of this conference to find a declaration text that lacks the ambition needed to protect the oceans. The UN Ocean Conference was supposed to be the moment when governments turned the tide and showcased genuine progress. Instead, we are handed a weak political declaration with glaring omissions and weak language.
“The current text makes clear governments once again aren’t serious about protecting the oceans, and are satisfied to say fine words but not deliver real change at sea. It also fails to recognise the rights and leadership of coastal communities and Indigenous Peoples, who are on the frontlines of ocean stewardship. Unless this Declaration is drastically improved, the UN Ocean Conference will become a meaningless talking shop.”
The glaring omissions or regressions from earlier draft texts are:
Pitifully weak language on deep sea mining, with no reference to a moratorium on this dangerous industry, and the removal of any reference to applying the precautionary principle, which appeared in early drafts. [1]
The lack of any urgency on the Global Ocean Treaty ratification, or reflection that the governmental self-set deadline to reach 60 ratifications by this Conference is set to be missed. [2]
Failure to recognise that the Global Ocean Treaty is fundamental to deliver on the 30 by 30 target agreed under the Convention on Biological Diversity, as the Global Ocean Treaty is the only legal tool that can deliver this universally agreed and binding UN target on the high seas, which make ⅔ of the world’s ocean. [3]
The absence of a clear reference to the need to reduce plastic production. While there is a brief mention in the text on the development of an internationally binding instrument on plastic, it makes no mention of the need to reduce production.[4]
No mention of key issues such as addressing labour and human rights abuses in distant water fishing fleets or ensuring the protection of vulnerable marine ecosystems from the impact of destructive fishing practices – crucial issues that are fundamental to global marine conservation.
The removal of a “human rights-based” approach to protecting the oceans which undermines accountability in ocean governance. Otherwise, there is no guarantee that policies will protect the rights of those most dependent on — and essential to — ocean stewardship. This weakens the foundation for just, inclusive, and effective marine protection, and must be urgently addressed.[5]
No concrete commitments to additional financial resources.
From aboard the Rainbow Warrior in the Tasman Sea, Georgia Whitaker, Senior Oceans Campaigner at Greenpeace Australia Pacific, said:“The Australian government has the opportunity to step up and showcase true global leadership on ocean protection at the UN Oceans Conference. The eyes of the world are now on the re-elected Albanese government that signed the Global Ocean Treaty in 2023, but has been dragging its feet, yet to bring its promise into law. We are calling on the Australian government to ratify the Global Ocean Treaty in the first 100 days of government, and propose ocean sanctuaries in the Lord Howe Rise and South Tasman Sea between Australia and Aotearoa-New Zealand, to help protect precious marine life being decimated by brutal industrial fishing.”
A new analysis released this week by Greenpeace Australia Pacific has revealed the shocking extent of ocean destruction and shark bycatch in the Pacific Ocean in lieu of protection possible under the treaty.
“Australia’s approach to deep sea mining will be watched closely by the rest of the world. The Albanese government must join the 33 other countries, including some of our Pacific neighbours, and back a moratorium on deep sea mining to protect our precious blue backyard,”Whitaker added.
The UN Ocean Conference follows the world’s first deep sea mining application for the international seabed, recently submitted by The Metals Company to the US government, as opposed to the UN regulator, amid high political controversy. This unilateral action undermines the UN, potentially is in violation of international law, and should be condemned by all States at the UN Ocean Conference.
As of today, 21 countries have ratified the Global Ocean Treaty, and 33 countries support a moratorium on deep sea mining.
The United Nations Oceans Conference will be held in Nice, France from 9 – 13 June.
The draft political declaration is available upon request.
Greenpeace Australia Pacific spokespeople will be available from Nice, Australia and from the Rainbow Warrior in the Tasman Sea.
[1] The Zero Draft of the Political Declaration “emphasized the importance of a precautionary approach” in relation to seabed mining. The reference has been deleted from the final draft.
[2] The Treaty will only enter into force 120 days after 60 countries have ratified. The UN Secretary-General is required to convene the first meeting of the COP to the Agreement no later than one year after its entry into force. France had targeted for the Global Ocean Treaty to enter into force by the conference.
[3] Paragraph 21 of the Zero Draft of the Political Declaration stated “We recognise the important role the Agreement will play in achieving 30×30.” That reference has been removed from the final draft.
[4] The final version of the Political Declaration deletes critical mentions to the urgency of addressing plastics pollution or its human health impacts, which were present in earlier drafts. Astrid Puentes Riaño, Special Rapporteur on the human right to a clean, healthy and sustainable environment, stated on May 20th that “Human rights must be the core of ocean governance and of every ocean pledge”
[5] Paragraph 2 of the second version of the Draft Political Declaration stated that “We must act with urgency to face this challenge with bold, ambitious, human rights-based, just and transformative action.” The reference to human-right based actions has been removed.
Source: People’s Republic of China – State Council News
Aerial photo taken on March 14, 2021 shows a farmer working in a pearl-cultivation area in Deqing County of Huzhou City, east China’s Zhejiang Province. [Photo/Xinhua]
Three new sites in China were officially recognized by the United Nations Food and Agriculture Organization (FAO) as Globally Important Agricultural Heritage Systems (GIAHS) on Wednesday.
The newly-designated sites are the Deqing Freshwater Pearl Mussels Composite Fishery System in Zhejiang Province, the Fuding White Tea Culture System in Fujian Province, and the Gaolan Shichuan Ancient Pear Orchard System in Gansu Province. With the latest inclusions, China continues to lead globally in the number of GIAHS sites, now totaling 25
The 800-year-old Deqing system, which is focused on shelled pearl mussel cultivation, integrates aquaculture, agriculture, and traditional craftsmanship. It produces pearls, rice, silk, and other goods. This circular system offers valuable global insights into sustainable farming, ecological balance, and rural development, the FAO said.
An aerial drone photo taken on May 7, 2024 shows workers picking tea leaves at a tea garden in Xingcun Town in Wuyishan City, southeast China’s Fujian Province. [Photo/Xinhua]
Meanwhile, the centuries-old Fuding White Tea Culture System combines ecological knowledge with artisanal practices. It integrates tea gardens with forests and crops, preserving 18 varieties of tea trees. In addition to tea, the system also supports more than 120 other agricultural species, contributing to biodiversity and food system resilience.
The Gaolan Shichuan Ancient Pear Orchard System, located along the Yellow River in the arid Loess Plateau, has a 600-year history of dryland agroforestry. It showcases techniques adapted to water scarcity and erosion-prone soils, supporting agrobiodiversity, food security, and rural livelihoods. The system produces over 2 million kg of pears annually, which are used to produce local specialities such as dried pears.
Photo taken on April 13, 2020 shows blooming pear trees in Shichuan Township of Gaolan County, northwest China’s Gansu Province. [Photo/Xinhua]
“Agricultural heritage systems are living examples of harmony between people and nature that have thrived and evolved through generations and have much to teach us as we adapt to an uncertain future,” said Kaveh Zahedi, director of the Office of Climate Change, Biodiversity and Environment at FAO.
Other newly-recognized GIAHS sites beyond China include the shade-grown erva mate system in Parana, Brazil; the metepantle ancestral agricultural system in Tlaxcala, Mexico; and the agricultural systems in jable and volcanic sands on Spain’s Lanzarote Island.
With the latest additions, the FAO’s global agricultural heritage network now comprises 95 systems across 28 countries.
Source: People’s Republic of China – State Council News
The total output and sales of China’s sporting goods manufacturing industry exceeded 2 trillion yuan (about 277.5 billion US dollars) for the first time in 2023, marking a year-on-year growth of 2.39%, according to an industry report.
The China Sporting Goods Industry Development Report 2024, released Wednesday at the 12th China Sports Industry Conference, found that the sector continues to recover and demonstrates strong resilience.
The added value of China’s sporting goods manufacturing industry grew by 7.3% year-on-year in 2022 and by 3.96% in 2023, outperforming many segments of the broader manufacturing industry, according to the report.
Exports also rebounded in 2024, increasing 6.77% year-on-year to about 28.4 billion dollars. Shipments to North America and Western Europe remained strong, while emerging markets such as Vietnam, Thailand, Mexico, Brazil, and Poland showed significant potential.
Domestic demand for sporting goods also showed strong momentum. The report cited transaction data from four of China’s leading e-commerce platforms – JD.com, Taobao, Tmall, and Douyin – indicating that online sporting goods sales reached 333.7 billion yuan (about 46.3 billion dollars) in 2024, a year-on-year increase of 22.59%. Sales of domestic and foreign brands were reported to be roughly equal.
While the construction of new public sports facilities has slowed, demand for upgrades and higher-quality venues is rising. As of 2024, China has more than 4.8 million sports venues, covering a total area of 4.23 billion square meters. The per capita sports venue area now stands at 3.0 square meters.
The report also identified several trends reshaping the industry: sporting events are boosting the penetration of sporting goods; products are becoming increasingly smart; and evolving consumer demands are driving diversification in product offerings.
Despite these positive indicators, the report warned of growing external market pressures. In response, many companies are accelerating efforts to expand overseas production in order to mitigate export risks.
For over a decade, Samsung Electronics’ Galaxy S series has evolved not only in performance and camera technology, but also durability — earning a reputation for reliability in the real world. Recently, that reputation was dramatically put to the test by accident when a Galaxy S23 Ultra spent hours submerged in a freezing Arctic river — and emerged just fine, without a single glitch.
Mikael Krekula, a professional wilderness guide based in Kiruna, Sweden, was out on the frozen Kalix River testing sonar equipment when his Galaxy S23 Ultra slipped from his glove and fell into an ice fishing hole. The device plunged into the freezing water, settling roughly three meters below the surface.
“At that moment, I felt like I had donated my entire digital life to the river — photos, ID, credit cards and all my apps gone in an instant,” Mikael said. “It wasn’t just a phone to me. It was my work companion, essential in everything I do.”
Despite the extreme conditions, Mikael decided to attempt a recovery. Over the course of five hours, he drilled eight surrounding ice holes to get a better angle to the phone and used a series of improvised tools — birch branches, a shovel and a plastic bag on a stick — to try and reach the device.
“I could see my phone through the ice. It wasn’t lost completely — just barely out of reach,” he explained. “Eventually, I drove home, grabbed a summer fishing net, tied the net to a birch rod and came back — and within five minutes, it was in my hands.”
Remarkably, the Galaxy S23 Ultra powered on immediately, displaying three missed calls. There was no need for a reboot or drying procedures.
“We let it sit overnight in the cabin just to be safe, but the next day it was still working perfectly,” Mikael added. “And it continues to function just like it did before the incident.”
Technology That Keeps Up With the Wild
As a wilderness guide leading tours across the Arctic Circle, Mikael relies heavily on mobile technology. His Galaxy S23 Ultra supports navigation, weather updates, language translation, photography, and communication — often in sub-zero temperatures and remote locations.
“When you’re guiding guests under the northern lights or across frozen terrain, your tech can’t fail,” he said. “The Galaxy S23 Ultra also delivers outstanding night photography, which is essential for capturing this region’s unique light conditions.”
Mikael now includes a hand net in his winter packing list — and grips his phone more tightly. “This was definitely a learning experience,” he remarked. “But it also showed me that the phone can handle a lot more than I expected.”
Real-World Durability, Backed by Advanced Engineering
The Galaxy S23 Ultra is rated IP68,1 offering water resistance in up to 1.5 meters of freshwater for 30 minutes, as well as protection against dust, dirt and sand. The circumstances surrounding Mikael’s device exceeded these rated conditions, illustrating the durability Samsung builds into its flagship devices.
Today, Mikael continues to guide guests across Sweden’s far north with his Galaxy S23 Ultra close at hand. From urban jungles to frozen wilderness, the Galaxy S series are built to last wherever they are and Mikael’s experience is just the latest proof of that legacy in action — tested by the Arctic, trusted by the user and tougher than the Kalix River.
To learn more about Mikael’s guided wilderness experiences, visit www.ecotours68n.se. For more information about the Galaxy S23 Ultra, visit www.samsung.com.
1 The Samsung Galaxy S23 Ultra has an IP68 rating based on laboratory test conditions. Water resistance is effective in up to 1.5 meters of freshwater for up to 30 minutes. It is not suitable for beach or pool use. Water or dust damage is not covered by warranty. Performance beyond rated conditions may vary and is not guaranteed.
A West Papua independence leader says escalating violence is forcing indigenous Papuans to flee their ancestral lands.
It comes as the Indonesian military claims 18 members of the West Papua National Liberation Army (TPNPB) were killed in an hour-long operation in Intan Jaya on May 14.
In a statement, reported by Kompas, Indonesia’s military claimed its presence was “not to intimidate the people” but to protect them from violence.
“We will not allow the people of Papua to live in fear in their own land,” it said.
Indonesia’s military said it seized firearms, ammunition, bows and arrows. They also took Morning Star flags — used as a symbol for West Papuan independence — and communication equipment.
The United Liberation Movement for West Papua (ULMWP) interim president Benny Wenda, who lives in exile in the United Kingdom, told RNZ Pacific that seven villages in Ilaga, Puncak Regency in Central Papua were now being attacked.
“The current military escalation in West Papua has now been building for months. Initially targeting Intan Jaya, the Indonesian military have since broadened their attacks into other highlands regencies, including Puncak,” he said.
Women, children forced to leave Wenda said women and children were being forced to leave their villages because of escalating conflict, often from drone attacks or airstrikes.
ULMWP interim president Benny Wenda . . . “Indonesians look at us as primitive and they look at us as subhuman.” Image: RNZ Pacific/Kelvin Anthony
Earlier this month, ULMWP claimed one civilian and another was seriously injured after being shot at from a helicopter.
Last week, ULMWP shared a video of a group of indigenous Papuans walking through mountains holding an Indonesian flag, which Wenda said was a symbol of surrender.
“They look at us as primitive and they look at us as subhuman,” Wenda said.
He said the increased military presence was driven by resources.
President Prabowo Subianto’s administration has a goal to be able to feed Indonesia’s population without imports as early as 2028.
Video rejects Indnesian plan A video statement from tribes in Mappi regency in South Papua from about a month ago, translated to English, said they rejected Indonesia’s food project and asked companies to leave.
In the video, about a dozen Papuans stood while one said the clans in the region had existed on customary land for generations and that companies had surveyed land without consent.
“We firmly ask the local government, the regent, Mappi Regency to immediately review the permits and revoke the company’s permits,” the speaker said.
Wenda said the West Papua National Liberation Army (TPNPB) had also grown.
But he said many of the TPNPB were using bow and arrows against modern weapons.
“I call them home guard because there’s nowhere to go.”
This article is republished under a community partnership agreement with RNZ.
Source: People’s Republic of China – State Council News
Real Madrid’s England midfielder, Jude Bellingham looks likely to miss the first six weeks of the 2025-26 La Liga season due to an operation to cure a longstanding shoulder injury.
Jude Bellingham (L) of Real Madrid vies with Clement Lenglet of Atletico de Madrid during the UEFA Champions League Round of 16 second leg football match between Atletico de Madrid and Real Madrid in Madrid, Spain, on March 12, 2025. (Photo by Gustavo Valiente/Xinhua)
The Athletic and the BBC both reported that the 21-year-old will have the operation after the Club World Cup which will be played in the United States in June and July and where his side is the one of the favorites.
Bellingham has struggled with his shoulder problem since 2023 when he injured it in a La Liga match with Rayo Vallecano and has had to play with a strapping to prevent further damage.
The midfielder scored only 14 goals in 52 games this seaon, compared with 23 goals in 43 appearances in his debut campaign with the Spanish giant.
If Bellingham has the operation in the middle of July, he will miss the pre-season and around six weeks of the next La Liga campaign.
Source: People’s Republic of China – State Council News
BEIJING, May 21 — China’s visa-exemption policies have boosted inbound travel. Since the start of this year, “China Travel” has kept trending. On Wednesday, the Consular Department of the Ministry of Foreign Affairs of China released a list of frequently asked questions about these policies.
Q: Who does the visa waiver apply to?
A: Nationals of 43 countries including Brunei, France, Germany, Italy, Spain, Holland, Malaysia, Switzerland, Ireland, Hungary, Austria, Belgium, Luxembourg, New Zealand, Australia, Poland, Portugal, Greece, Cyprus, Slovenia, Slovakia, Norway, Finland, Denmark, Iceland, Andorra, Monaco, Liechtenstein, the Republic of Korea, Bulgaria, Romania, Croatia, Montenegro, North Macedonia, Malta, Estonia, Latvia, Japan, Brazil, Argentina, Chile, Peru and Uruguay (Brazil, Argentina, Chile, Peru and Uruguay take effect from June 1, 2025) holding valid ordinary passports can be exempted from visa requirement if entering China for the purpose of business, tourism, family or friend visits, exchange and transit. They can stay in China for no more than 30 days without a visa.
Q: Do foreign nationals eligible for a visa waiver need to make declarations to Chinese embassies and consulates in advance?
A: Foreign nationals eligible for a visa waiver do not need to declare in advance to Chinese embassies and consulates before entering China without a visa.
Q: Will the purpose of the intended stay in China be examined by Chinese border inspection authorities when entering China? How will it be done? Are other documents needed for entering China in addition to a passport?
A: Foreign nationals traveling for purposes of business, tourism, family or friend visits, exchange and transit that meet the visa waiver requirements, can be allowed to enter China without a visa upon examination and approval in accordance with the law by border inspection authorities. Entry into China shall be denied by border inspection authorities in accordance with the law to foreign nationals who travel for purposes that do not meet the visa waiver requirements or who are not allowed to enter China in accordance with laws and regulations. It is recommended to take documents such as invitation letters, air tickets and reservations of accommodation as proof corresponding to the purposes of entry into China. Visa waiver does not apply to those who come to China for work, study, journalistic or similar purposes.
Q: Is there any additional requirement for minors eligible for a visa waiver?
A: Visa waiver requirements for minors are the same as for adults.
Q: Are there any requirements regarding the type and validity of entry documents?
A: For foreign nationals, an ordinary passport valid for at least the duration of the intended stay in China is needed. Holders of travel documents or temporary or emergency documents other than ordinary passports are not allowed to enter China without a visa.
Q: How to calculate the duration of stay of 30 days?
A: The duration of stay without a visa is calculated from the day after entry and lasts continuously for 30 calendar days.
Q: Does the visa waiver apply to foreign nationals who travel from a third country?
A: Eligible foreign nationals can depart for China from any country or region.
Q: Does the visa waiver apply to foreign nationals who travel via modes of transport other than aviation?
A: The visa waiver applies to all travelers coming to China through any sea, road and airport open to foreign nationals — except where laws, regulations or bilateral arrangements specify otherwise. For arrivals in China by way of private transport, certain procedures for entry and exit of means of transport shall be processed in accordance with relevant laws and regulations of China.
Q: Does the visa waiver apply to tour groups?
A: The visa waiver applies to eligible foreign nationals either in tour groups or as individuals.
Q: If the length of intended stay exceeds 30 days, can the visa waiver be extended?
A: Foreign nationals planning to stay in China for over 30 days shall apply for visas corresponding to their purposes of stay in advance at Chinese embassies or consulates. If they have to stay longer than 30 days for appropriate and sufficient reasons after entering China without a visa, they shall apply for stay permits to the exit and entry administrations of public security authorities of China.
Q: Does the visa waiver allow multiple entries? Is there any requirement on the length of intervals between each entry, or any restriction on the number of entries without a visa or total days of stay?
A: Foreign nationals eligible for the visa waiver can enter China without a visa multiple times. Currently, there is no restriction on the number of entries or total days of stay, but those who enjoy visa-free travel to China shall not engage in activities inconsistent with their purpose of entry.
Source: People’s Republic of China – State Council News
Top-seeded Chinese Sun Yingsha defeated France’s Charlotte Lutz in straight sets to reach the women’s singles last 16 at the World Table Tennis Championships on Wednesday.
Sun Yingsha serves during the women’s singles round of 32 match between Sun Yingsha of China and Charlotte Lutz of France at ITTF World Table Tennis Championships Finals Doha 2025 in Doha, Qatar, May 21, 2025. (Xinhua/Xiao Yijiu)
“Go go Shasha!” rooted for by a loud crowd, the 24-year-old superstar clinched an 11-4, 11-6, 11-6, 11-1 victory over the 20-year-old and world No. 92.
“This was our first meeting, and I had studied her match videos,” said Sun after a 29-minute match. “She is young and promising.”
Sun will next play against South Korea’s Shin Yu-bin, who advanced over Italy’s Gaia Monfardini in a score of 11-5, 8-11, 11-9, 14-12, 16-14.
Source: People’s Republic of China – State Council News
FC Barcelona announced on Wednesday that coach Hansi Flick has agreed to extend his contract with the club until the end of June 2027.
“The German coach will sign on Wednesday the extension of his contract until 2027 – for one more season – The act will be held in the offices at the Camp Nou,” confirmed a statement from the club.
Hansi Flick gestures on the touchline during the Group E match between Germany and Japan at the 2022 FIFA World Cup at Khalifa International Stadium in Doha, Qatar, Nov. 23, 2022. (Xinhua/Cao Can)
The extension on Flick’s original deal, which was due to expire in 2026, comes after the former Bayern Munich and German national team boss has led Barca to this season’s La Liga title, the Copa del Rey and the Spanish Supercup in his first season in charge.
Flick’s only disappointment was a narrow defeat after extra time to Inter Milan in the semifinals of the Champions League.
Source: People’s Republic of China – State Council News
Manchester City coach Pep Guardiola has urged the club to reduce the size of the first team squad or he will consider leaving for the good of his “soul” as he hates to leave players in the stands.
Guardiola made the remarks after Tuesday night’s 3-1 win at home to Bournemouth thanks to goals from Omar Marmoush, Bernardo Silva and Nico Gonzalez. The win lifted City to third in the Premier League and it needs just a point from next weekend’s visit to play Fulham to assure a place in next season’s Champions League.
Pep Guardiola looks on during Manchester City’s 2023 UEFA Super Cup against Sevilla in Piraeus, Greece, Aug. 16, 2023. (Photo by Panagiotis Moschandreou/Xinhua)
Tuesday’s win came with players such as James McAtee, Rico Lewis and Abdukodir Khusanov, Savinho and Claudio Echeverri all watching from the stands. Some could say that shows the depth of talent available for Guardiola, but the coach clearly views things differently.
“I said to the club I don’t want that; I don’t want to leave five or six players in the freezer. I don’t want that. I will quit. Make a shorter squad, I will stay.”
“It’s impossible for my soul to have my players in the tribune – that they cannot play,” he said.
“As a manager I cannot train 24 players and every time I select, I have to have four, five, six stay in Manchester at home because they cannot play. This is not going to happen. I said to the club, I don’t want that,” he continued.
Tuesday night saw Spain international midfielder Rodri return after missing nearly all of the season after a knee operation, and Guardiola admitted that injuries to defenders such as Ruben Dias and John Stones had made things difficult this season.
“It was so difficult but next season it cannot be like that,” insisted the coach.
Projects to unlock economic growth and tackle poverty.
Projects across Scotland will benefit from Scottish Government investment to help regenerate communities and drive economic growth.
More than £21.5 million from two Scottish Government funds will bring 24 disused or derelict sites and buildings into use, creating more than 160 jobs and support nearly 900 training opportunities.
Deputy First Minister Kate Forbes confirmed the 2025-26 allocations from the Regeneration Capital Grant Fund (RCGF) and Vacant and Derelict Land Investment Programme (VDLIP) during a visit to Powderhall in north Edinburgh.
City of Edinburgh Council will receive £1.4 million for remedial works at the former waste disposal site, paving the way for a housing-led regeneration project that will provide 259 homes, including affordable housing.
Other initiatives being supported include:
reviving a slate quarry in Cullipool owned and operated by the Isle of Luing Community Trust
converting a former tram depot in Dundee into a new transport museum
redeveloping a former derelict school into energy efficient housing units in Borrodale on the Isle of Skye
creating film production suites and a training centre at a former glue factory in Glasgow
extending Lochvale House community centre in Dumfries to include a café and soft play area
The announcement coincides with a call for expressions of interest in 2026-27 funding to support regeneration projects in disadvantaged communities. As set out in the 2025 Programme for Government, future Scottish Government support for regeneration projects will be channelled through one national fund – the Regeneration Capital Grant Fund – to streamline the application and delivery process.
The Deputy First Minister said:
“This funding will help to transform derelict sites the length and breadth of Scotland, creating homes, jobs and facilities that drive economic growth, tackle poverty and help support and growing thriving communities.
“This funding forms part of a wider £62.15 million investment by the Scottish Government towards regeneration projects in 2025-26. This will help to revitalise green spaces, town centres and derelict sites to benefit people across Scotland.
“The 2025 Programme for Government stets out our renewed commitment to supporting regeneration projects across the country with one streamlined fund delivering this vision from next year.”
The RCGF is delivered in partnership with COSLA.
COSLA’s Spokesperson for Environment and Economy, Councillor Gail Macgregor, said:
“Today’s announcement sees the return of invaluable tools and resources for local authorities to help deliver on the regeneration aspirations of the communities which they represent.
“The diversity of successful projects on show demonstrates how localised approaches can deliver benefits across the country and showcase the best of partnership between local authorities and our communities to deliver economic and social renewal.
“We look forward to continuing to work with Scottish Government on regeneration in the months to come.”
City of Edinburgh Council’s Housing, Homelessness and Fair Work Convener Lezley Marion Cameron said:
“Our development plans at Powderhall are breathing new life into an excellently located, long unused industrial site, and are set to deliver hundreds of much-needed new homes and work and community spaces too.
“The transformation of Powderhall is already well underway with the restoration of the former stable block, which retains unique heritage features of the site’s former use.
“Regenerating a historic, brownfield site like Powderhall is complex, challenging, and costly therefore I warmly welcome this Scottish Government investment.”
Background
Regeneration Projects supported through the RCGF and VDLIP fund in 2025/2026:
Fund
Organisation
Project
Award
RCGF
Angus Council
Arbroath Courthouse Community Trust
£2,138,985
RCGF
Argyll & Bute Council
Fyne Futures Local Food Production and Training Centre
£250,000
RCGF
Argyll & Bute Council
Isle of Luing Community Owned Slate Quarry
£1,747,936
RCGF
City of Edinburgh Council
Spartans Youth Work and Education Building
RCGF
Clyde Gateway
Baltic Street Play
£850,000
RCGF
Dumfries and Galloway Council
Let’s Get Sporty – Lochvale House
£1,572,370
RCGF
Dundee City Council
Dundee Museum of Transport – A Catalyst for Regeneration of Stobswell
TORONTO, May 21, 2025 (GLOBE NEWSWIRE) — Greenhawk Resources Inc. (“Greenhawk” or the “Company“) (CSE: GRHK) announces that it has executed an arms-length Option and Joint Venture Agreement (the “Option Agreement”) with 1531323 BC Ltd. (“1531323 BC”) to advance the exploration and development of Greenhawk’s Greenland properties, which include the Storø and Qingaaq mineral exploration licenses (the “Properties”).
Under the Option Agreement, 1531323 BC is granted an option to acquire an 80% interest in the Properties in exchange for: (a) an upfront payment of $100,000, which shall be paid within 90 days, and (b) incurring $1,400,000 in spending at the Properties within 24 months according to the following schedule.
Payment Period
Minimum Expenditures
Within 6 months of the Closing Date
Minimum of $450,000
Within 12 months of the Closing Date
Minimum of $350,000
Within 18 months of the Closing Date
Minimum of $300,000
Within 24 months of the Closing Date
Minimum of $300,000
Total:
Minimum of $1,400,000
1531323 BC will be responsible for the operations of the Properties while the Option Agreement is in effect. If 1531323 BC satisfies the expenditure requirement at the Properties, the Company and 1531323 BC will establish a joint venture for the exploration and development of the Properties.
The Storø project (“Storø”) is a 12 km² license which hosts an inferred mineral resource estimated in 2021 by SRK Consulting (Sweden) AB at 885,000 tonnes, grading 3.4 g/t Au and totaling 95,000 oz of gold Mineral Resources. The Mineral Resource has a cut-off grade of 0.8 g/t Au for material located within the conceptual open-pit shell and 2.5 g/t Au for underground Mineral Resources located below the pit shell. Since 1995, a total of 102 drillholes totaling 17,371 m have been drilled into the known mineralized zones at Storø. Storø is surrounded by the Qingaaq license (“Qingaaq”), which covers some 540 km².
Martin Pittuck, CEng, FGS, MIMMM, a “Qualified Person” for the purpose of National Instrument 43-101, has reviewed and approved the scientific and technical information included in this news release.
1531323 BC intends to enter into a management services contract with the Company to provide advice in respect of the Properties.
The Company continues to actively pursue the acquisition of other properties and opportunities in the mineral exploration and resources sector.
The Company is also announcing that it has cancelled an aggregate of 8,600,000 stock options. The subject stock options are comprised of 4,600,000 stock options with an exercise price of $0.27 per share and an expiry date of October 20, 2025, and 4,000,000 stock options with an exercise price of $0.20 per share and an expiry date of June 24, 2026.
AboutGreenhawkResourcesInc.
Greenhawk is a Canadian resources exploration and development company. Greenhawk owns a 100% legal and beneficial interest in two mineral exploration licenses and one prospecting license in Greenland known as the Storø Gold Project. Additional Information on Greenhawk can be obtained from SEDAR+ at sedarplus.ca. Greenhawk is listed on the Canadian Securities Exchange (www.thecse.com) (CSE: GRHK).
Issued on behalf of the Board of Directors of Greenhawk Resources Inc. For information, please contact:
David Jagodzinski, Director Corporate Development Phone: +1 (416) 504-2020 Email: info@grhk.ca
NEITHER THE CANADIAN SECURITIES EXCHANGE NOR ITS REGULATIONS SERVICES PROVIDER HAVE REVIEWED OR ACCEPT RESPONSIBILITY FOR THE ADEQUACY OR ACCURACY OF THIS RELEASE
CautionaryNoteRegardingForward-LookingInformation
Certain statements in this press release may contain forward looking information which can be identified by the use of forward-looking terminology such as “believes”, “expects”, “may”, “desires”, “will”, “should”, “projects”, “estimates”, “contemplates”, “anticipates”, “intends”, or any negative such as “does not believe” or other variations thereof or comparable terminology. No assurance can be given that potential future results or circumstances described in the forward-looking statements will be achieved or will occur. By their nature, these forward-looking statements necessarily involve risks and uncertainties that could cause actual results to significantly differ from those contemplated by these forward-looking statements including, but not limited to: the completion of the Transaction, including the receipt of the upfront payment, 1531323 BC making the requisite expenditures on the Properties to exercise the option on the Properties, the ability to obtain requisite corporate and regulatory approvals, including that of the CSE, the operator obtaining requisite permits and authorizations to allow for exploration on the Properties. Such statements reflect the view of the Company with respect to future events and are based on information currently available to the Company and on assumptions, which it considers reasonable. Management cautions readers that the assumptions relative to the future events, several of which are beyond management’s control, could prove to be incorrect, given that they are subject to certain risk and uncertainties, and that actual results may differ materially from those projected. Management disclaims any intention or obligation to update or revise any forward-looking statements whether as a result of new information, future events or otherwise, except as required by applicable securities laws. The reader is cautioned not to place undue reliance on forward-looking information.
Source: United Kingdom – Executive Government & Departments
An online survey published in Psychiatry Research looks at the antidepressants withdrawal effects.
(comment on the subject more generally, in case useful) A spokesperson for the Royal College of Psychiatrists, said:
“Treatment options will depend on a patient’s type of depression, how long it has lasted, and whether they have experienced depression in the past.
“Medication is just one of the recommended treatment options for people with anxiety and depressive conditions. We know that people greatly benefit from holistic treatment from specialist practitioners who are trained in the biological, social and psychological determinants of mental illness.
“Antidepressants are a clinically recommended treatment, and they are effective at reducing the symptoms of moderate to severe depression, particularly when used in combination with talking therapies.
“Long-term use of antidepressants should only be considered for people that have recurrent depression and repeated, severe relapses after stopping antidepressants. For those patients, the beneficial effects of continuous use of antidepressants are more likely to balance the potential risks. However, this should be reviewed regularly, and multiple attempts should be made to stop taking these medications after prolonged periods of established wellbeing.
“Most people will be able to stop taking antidepressants without significant difficulty by reducing the dose (known as ‘tapering’) over a few weeks or months. Some people can experience withdrawal symptoms that last longer and may be more severe, particularly when the medication is stopped suddenly.
“Ultimately, the use of antidepressants, should always be a shared decision between a patient and their doctor based on clinical need and the preferences of the patient. We would advise all those thinking of stopping their antidepressants to talk to their doctor first, as these medications should not be stopped abruptly.”
Dr Gemma Lewis, Associate Professor of Psychiatric Epidemiology and Wellcome Trust and Royal Society Sir Henry Dale Fellow, UCL, said:
“This type of study is highly susceptible to bias and the findings should not be used to inform practice. The number of people included in the study was very small, compared to the number of people who use this NHS service. The study was an online survey done at one point in time. These types of studies are at a much higher risk of bias than studies which use larger samples, follow people over time, and have a control group. It was also impossible for the authors to distinguish withdrawal symptoms from symptoms of depression and anxiety.”
Prof Anthony Kendrick, Professor of Primary Care, University of Southampton, said:
“The percentage of people reporting severe withdrawal symptoms of 15% is likely to be an overestimate, as the response rate to the survey was only 18%, and it was retrospective, so people who have had memorable withdrawal problems in the past would be more likely to respond. Also, giving people a list of symptoms to choose from elicits a greater number than asking them to report symptoms themselves, spontaneously.
“The recent systematic review by Henssler et al in Lancet Psychiatry looked at prospective studies and included many which asked for spontaneously reported symptoms. However, the proportion of 3% reporting severe withdrawal symptoms found in that study is likely to be an underestimate as it included many short-term studies of only around 6-12 weeks of antidepressant use.
“Overall we might conclude that the evidence so far indicates that a minority of people experience severe withdrawal symptoms – somewhere between 3% and 15%.”
References
Henssler, J., Schmidt, Y., Schmidt, U., Schwarzer, G., Bschor, T., Baethge, C., 2024. Incidence of antidepressant discontinuation symptoms: a systematic review and meta-analysis. Lancet Psychiatry 11, 526–535. https://doi.org/10.1016/S2215-0366(24)00133-0
‘Antidepressants withdrawal effects and duration of use: a survey of patients enrolled in primary care psychotherapy services’ by Mark Horowitz et al. was published in Psychiatry Research at 23:59 UK time on Wednesday 21 May.
Declared interests
Dr Gemma Lewis: No COIs.
Prof Anthony Kendrick:I have received funding from the NIHR for the REDUCE programme on internet and telephone support for discontinuing antidepressants, and I was a member of the guideline committee for the NICE guideline on depression in adults which made recommendations on managing antidepressant discontinuation.
Defendant Admits to Concealing 50% Ownership of $7B Defense Contracting Business to Evade Taxes
WASHINGTON – Douglas Edelman, 73, a former defense contractor, pleaded guilty today to tax crimes related to a scheme to defraud the United States and evade taxes on income he earned from his contracts with the U.S. Department of Defense.
The sentence was announced U.S. Attorney Jeanine Ferris Pirro, Acting Deputy Assistant Attorney General Karen E. Kelly of the Justice Department’s Tax Division, and Special Agent in Charge Kareem A. Carter with IRS-Criminal Investigation (IRS-CI) Washington, D.C. Field Office.
Edelman pleaded guilty to 10 felony counts: conspiracy to defraud the United States, seven counts of tax evasion, and two counts of making a false statement. U.S. District Court Judge Colleen Kollar-Kotelly scheduled a hearing on issues related to sentencing on Nov. 17, 2026. Trial on the remaining counts of the indictment will be in 2026.
According to court documents and statements made in court, Edelman founded and owned 50% of Mina Corp. and Red Star Enterprises (Mina/Red Star), a defense contracting business that received more than $7 billion from contracts with the U.S. Department of Defense to provide jet fuel in the United States’ post-9/11 military efforts in Afghanistan and the Middle East.
Working with others, Edelman engaged in a lengthy scheme to hide his Mina/Red Star profits to evade U.S. taxes, including by concealing his income in undisclosed foreign bank accounts, creating false documents and making false statements that one of his co-conspirators — a French citizen residing abroad and without U.S. tax obligations — founded and owned Mina/Red Star.
For example, when the company became profitable in 2005, Edelman began taking distributions which he deposited into Swiss bank accounts, primarily at Credit Suisse, in the name of other companies he owned. In 2008, Credit Suisse informed Edelman that he had to either close his accounts or disclose them to U.S. authorities. Rather than come into compliance with his tax and reporting obligations, Edelman closed his accounts and opened new ones at Bank Julius Baer in Singapore in the name of a nominee entity, the beneficiaries of which were purportedly Edelman’s daughters. He then directed the subject income he earned from Mina/Red Star to those bank accounts.
In 2010 the U.S. House of Representatives Committee on Oversight and Government Reform’s Subcommittee on National Security and Foreign Affairs began investigating allegations of corruption in connection with Mina/Red Star’s contracts with the Department of Defense. As part of this inquiry, the subcommittee became interested in the identity of Mina/Red Star’s owners. At this time, Edelman had not filed U.S. tax returns to report the millions of dollars he had earned from Mina/Red Star and had not paid U.S. taxes on his income.
Rather than disclose his ownership, Edelman caused his attorneys to tell Congress a false story that a French co-conspirator who had no U.S. tax or reporting obligations founded and co-owed Mina/Red Star with another individual. To corroborate the false story, Edelman and a co-conspirator caused false and backdated paperwork to be created.
To continue the scheme, Edelman conveyed the false story about Mina/Red Star’s ownership to other arms of the U.S. government, including to the Department of Defense during contract negotiations in 2010 and 2011, to the IRS in a 2016 application to the Offshore Voluntary Disclosure Program, and to the Justice Department in a 2018 presentation.
In conjunction with his 2016 application to the IRS’s Voluntary Disclosure Program, Edelman filed false tax returns for several prior years that only reported income from gifts or purported consulting payments, continuing to conceal the millions he had earned from his company. On the returns, he also concealed profits he had earned from a separate business to provide internet service to members of the armed forces at Kandahar Air Base in Afghanistan.
Instead of paying the taxes that he knew he owed, Edelman used the money to fund his lifestyle and additional investments. He invested in a music television franchise in Eastern Europe, a land venture in Tulum, Mexico, and a farm in Kenya, and purchased property around Europe, including a home in Ibiza, Spain, and a townhouse in London.
Edelman faces a maximum penalty of five years in prison for each of the 10 counts to which he has pleaded. He also faces a period of supervised release, restitution, and monetary penalties. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.
This case is being investigated by special agents from IRS-CI’s International Tax & Financial Crimes specialty group, a team based out of Washington, D.C., that is dedicated to uncovering international tax crimes, along with the Special Inspector General for Afghanistan Reconstruction. The Justice Department’s Office of International Affairs assisted in the investigation. His Majesty’s Revenue & Customs of the United Kingdom also provided assistance, as did the Joint Chiefs of Global Tax Enforcement (J5), which brings together the taxing authorities of Australia, Canada, the Netherlands, the United Kingdom, and the United States. The Guardia Civil of Spain assisted with the arrest.
This case is being prosecuted by Assistant U.S. Attorney Joshua Gold for the District of Columbia and Assistant Chief Sarah Ranney and Trial Attorney Ezra Spiro of the Tax Division.
Helsinki, Finland, 21.5.2025 – Modirum and State Networks Finland (Erillisverkot) have announced a strategic partnership to deploy real-time group video services on Virve 2, Finland’s next-generation nationwide public safety network. This collaboration introduces a cutting-edge video platform designed to improve situational awareness, operational coordination, and decision-making for authorities and organizations operating in safety-critical environments.
Enhancing Situational Awareness and Operational Readiness with Secure, Mission-Critical Video Solutions
Modern public safety operations demand fast and secure access to live information from the field. Modirum’s NSC3 Group Video Service enables the secure transmission of live video, audio, and location data between field units and command centers — empowering faster response, better coordination, and ultimately, saving lives.
Already in operational use by several Finnish public safety organizations, the platform supports various video inputs, including body-worn cameras, vehicle-mounted systems, drones, and fixed surveillance units. Purpose-built for harsh operational environments, NSC3 ensures reliable, real-time collaboration for first responders and other mission-critical actors.
“For data security reasons, videos captured by public authorities cannot travel through commercial networks. Together with Modirum, we’ve built a centralized, secure Group Video Service tailored for safety-critical organizations. It provides a highly reliable and encrypted way to transfer live video from the field to command centers.” — Tuomas Ahlfors, Product Manager, State Networks (Erillisverkot)
“The Group Video Service has proven to be a critical operational tool, significantly enhancing situational awareness and resource coordination. It enables more agile deployments and better crisis response.” — Mauri Kataja, Account Manager, State Networks (Erillisverkot)
“We are proud to partner with State Networks, a recognized European leader in secure public safety infrastructure. Their commitment to innovation and national resilience aligns closely with Modirum’s mission to deliver AI-driven, mission-critical platforms that strengthen operational capabilities in demanding conditions.” — Tero Silvola, CEO, Modirum
About State Networks – Erillisverkot
State Networks Finland is a government-owned special-purpose entity under the Prime Minister’s Office, responsible for safeguarding mission-critical communication and infrastructure services in all circumstances. Through its Virve 2 broadband network, it delivers secure communications and situational awareness solutions for emergency services, public authorities, and other essential actors in Finnish society.
NSC3 is Modirum’s advanced platform for real-time situational awareness and secure communications. Supporting input from drones, body cams, dash cams, and IP cameras, NSC3 delivers seamless video sharing and features the industry’s fastest patented video engine, integrated Push-to-Talk and messaging, and is optimized for low-latency performance in all network conditions.
Modirum is a leading innovator in delivering secure, AI-driven solutions for Critical Communications, Telecom, Finance, Public & Government, Health Care and Energy sectors. With a focus on platform development, our mission is to empower public safety organizations and businesses by enabling them to launch, deliver, and scale services more efficiently while maintaining trust, reliability, and innovation.
With 27 years of experience and a team of 250+ experts, we’ve successfully executed 500+ projects across 30 countries. Our expert team partners with organizations to deliver cutting-edge solutions tailored to the unique needs of the industries we serve.
EconomyEntrepreneurs / Start-UpTech / DigitalInnovation – Ministers and senior tech stakeholders from the European Union, Germany and the UAE inaugurate the momentous first edition of GITEX EUROPE x Ai Everything.
Berlin, Germany – 21 May 2025: Berlin became the focal point of Europe’s tech momentum and global digital cooperation as GITEX EUROPE x Ai Everything 2025 opened its doors today at Messe Berlin, launching the region’s largest inaugural tech, startup and digital investment event to capacity crowds and the biggest, most international lineup of tech and businesses converging in Europe. The show arrives at an inflection point in Europe’s digital future, sparked by a continent-wide ‘Choose Europe’ movement to anchor the next wave of innovation, research, investment, talent and deep-tech breakthroughs on home ground; alongside a renewed impetus in Germany represented by the formation of a new government and the country’s first digital ministry taking stewardship on digital transformation, AI excellence and data policy.
Born in the UAE with global editions now running in seven countries, GITEX is the world’s largest and best-rated tech and startup event, reflecting the UAE’s wider national commitment to global digital collaboration. With the show’s expansion into Europe, it echoes the UAE’s shared commitment to advance innovation and scientific frontiers, recently strengthened with Abu Dhabi’s MGX investment and Nvidia partnering to develop Europe’s largest AI data center campus (1) alongside the development of a new 5GW AI campus (2), the largest of its kind outside the US to be based in Abu Dhabi.
Welcome addresses led the inauguration ceremony from European and global leaders, including Kai Wegner, Governing Mayor of Berlin; H.E. Alia Al Mazrouei, UAE Minister of State for Entrepreneurship; Clara Chappaz, the Minister of AI and Digital of France; Thomas Jarzombek, Parliamentary State Secretary at the Federal Minister for Digital and State Modernization, Germany; Jan Kavalírek, Deputy Minister of Industry and Trade, Czech Republic; Franziska Giffey, Mayor of Berlin & Senator for Economic Affairs, Energy and Public Enterprises; and Trixie LohMirmand, EVP of Dubai World Trade Centre, the global organiser of GITEX.
With participation from over 100 countries, 1,400 tech companies, startups, and SMEs, more than 600 influential investors, and 500 industry leaders on-stage, the event sparked strategic dialogues on innovation, investment, policy shifts and business transformations, as well as catalysed collaborations at scale – across sectors and geographies. Taking place until 23 May at Messe Berlin, GITEX EUROPE x Ai Everything 2025 is organised in partnership with the Berlin Senate Department for Economics, Energy and Public Enterprises, Germany’s Federal Ministry for Economic Affairs and Climate Action, Berlin Partner for Business and Technology, and the European Innovation Council (EIC).
Kai Wegner, Governing Mayor of Berlin: “The GITEX tech fair – which is taking place in Berlin for the very first time – brings founders from around the world, investors, and established companies together. As Germany’s startup capital, Berlin is the perfect place for GITEX. We want to create the best environment for founders in our city. Networking events and industry fairs like GITEX are part of that effort.”
Her Excellency (H.E.) Alia Al Mazrouei, the UAE Minister of State for Entrepreneurship: “Moving beyond economic diplomacy, the UAE is now championing entrepreneurial diplomacy, guided by our diligent efforts in fostering global partnerships to empower entrepreneurs in the country. GITEX EUROPE’s vision of bringing together SMEs, investors, accelerators, incubators and industry leaders to ignite innovation, foster collaboration, and drive growth aligns with the UAE’s aspirations to strengthen partnerships with Europe in entrepreneurship and digital economy.”
Clara Chappaz, the Minister of AI and Digital of France, commented on the development of AI: “When you were hear about Europe being a continent of regulation, this is the past. Today, Europe is all about innovation. More than ever, we have all the ingredients to succeed as Europeans building these amazing technologies when it comes to AI. The partnerships between France and Germany is extremely determined to accelerate Europe when it comes to innovation, and in particular when it comes to everything we can do on digital innovation.”
Thomas Jarzombek, Parliamentary State Secretary at the Federal Minister for Digital and State Modernization reiterated: “It’s a great opportunity here to connect startups and also for investment opportunities right now here in Berlin. We have to move forward, faster than we did in the past. Easy for you to do business in Germany, easy for every citizen to do everything with an app and to digitalize things you have in our pocket right now.”
Jan Kavalírek, Deputy Minister of Industry and Trade, Czech Republic: “One of our top priorities right now, is to create the best possible environment for AI researchers and to deploy artificial intelligence across all the industrial sector. This is the reason why we invest in AI heavily, both in software and in hardware infrastructure, and this is also the reason why we are glad to part of GITEX EUROPE.”
Franziska Giffey, Mayor of Berlin and Senator for Economic Affairs, Energy and Public Enterprises: “We have more than 5,000 startup enterprises here in Berlin, and of course we want to do more. We want to be the number one innovation place in Europe. Whenever you think about coming to the place of freedom, the place of possibilities, come to Berlin.”
Trixie LohMirmand, global organiser of GITEX: “As the world’s third largest economy, Germany’s market gravity and Europe’s openness create a powerful test-bed where capital, code and talent can cross-pollinate at speed, forging new collaborative forces across geographies and sectors. GITEX EUROPE proves that innovations can scale beyond borders, opening new markets and opportunities for Europe’s most ambitious companies.”
Spanning high impact showcases and talks covering AI, cybersecurity, deep tech, green tech, quantum computing, SMEs, and startup, scaleup and investments, GITEX EUROPE x Ai Everything offers unmatched opportunities to access new markets, breakthrough technologies, industry transformations and business insights.
Across the show floor, global tech enterprises including IBM, AWS, Bosch, Cisco, CrowdStrike, Dell, Fortinet, Lenovo, ManageEngine, NinjaOne, NVIDIA, and SAP, alongside over 750 startups from 60 countries, showcase how infrastructure, intelligence, and investment intersect to propel Europe’s digital future forward. From business leaders to AI architects, quantum researchers to CIOs, green tech innovators to global investors, the opening day’s gathering set the tone for decisive partnerships accelerating the continent’s AI and digital competitiveness.
The opening day conference programme was headlined by Dr. Geoffrey Hinton, Nobel Physics Laureate and ‘Godfather of AI’ with a riveting keynote on ‘AI for Humanity’s Greatest Challenges’. In April 2025, the United Arab Emirates and European Union delivered a joint statement to begin dialogue toward a Comprehensive Economic Partnership Agreement (CEPA) (3) aimed at strengthening bilateral trade and investment ties across key sectors such as AI, advanced manufacturing, healthcare and more.
GITEX EUROPE x Ai Everything leverages a powerful network of established relationships in tech, policy, investment and business spanning four regions and seven countries, with more new international editions in the wings. Currently the GITEX global network of events takes place in Abu Dhabi, Dubai, Germany, Morocco, Nigeria, Singapore, Thailand, and Vietnam.
GITEX EUROPE x Ai Everything 2025, Europe’s most global, collaborative, and cross-industry tech event, taking place from May 21–23, 2025, at Messe Berlin, Germany. Convening over 1,400 exhibiting enterprises, SMEs and startups from 100-plus countries, alongside over 600 investors, and 500 expert speakers across AI, Deep Tech, Quantum, Cybersecurity, Connectivity, Smart Cities, Green Tech, and many more, GITEX EUROPE x Ai Everything is advancing the continent’s digital future in partnership with the world. This inaugural edition features the new SMEDEX, GITEX SCALEX, and GQX, and brings to Germany the world’s largest and best-rated startup and investor event – North Star Europe. GITEX EUROPE x Ai Everything is seamlessly connected with the GITEX network of tech and startup events in Germany, Morocco, Nigeria, Singapore, Thailand, UAE, and Vietnam. For more information, please visit: www.gitex-europe.com
Source: United States Senator for Illinois Dick Durbin
May 21, 2025
The resolution recognizes the soldiers’ service and sacrifice to our nation and NATO allies
WASHINGTON – U.S. Senate Democratic Whip Dick Durbin (D-IL), Co-Chair of the Senate Baltic Freedom Caucus, today commended the unanimous Senate passage of his bipartisan resolution honoring the four American soldiers—including one Illinoisan—who were stationed in Lithuania and tragically died in March while on a mission to recover a vehicle immobilized during a training exercise. The soldiers include Staff Sergeant Jose Dueñez Jr. from Joliet, Illinois; Staff Sergeant Edvin F. Franco; Staff Sergeant Troy S. Knutson-Collins; and Private First-Class Dante D. Taitano—all part of the 1st Armored Brigade, 3rd Infantry Division.
“Last night, the Senate honored the brave American service members, including Staff Sergeant Jose Dueñez Jr. from Joliet, Illinois, who tragically died during a mission in Lithuania earlier this year. It was a mission fraught with extreme danger and challenges, and this resolution reminds us of the daily service and sacrifice of our military members,” Durbin said. “The resolution also expresses our gratitude to our Lithuanian ally—who dropped everything and faced great odds to help us recover their bodies and bring these fallen soldiers home—a reminder of the common defense underlying our alliance.”
On April 3, thousands of Lithuanians took to the streets in Vilnius—including the Lithuanian President—to pay their respects to our fallen American soldiers. The resolution also reaffirms the importance of the NATO alliance and the need to support our Baltic allies.
Durbin spoke about the four American soldiers and his resolution on the Senate floor last month.
Text of the resolution can be found here.
Joining Durbin in sponsoring the resolution are U.S. Senators Chuck Grassley (R-IA), Chuck Schumer (D-NY), Mitch McConnell (R-KY), Jeanne Shaheen (D-NH), Tammy Duckworth (D-IL), Chris Coons (D-DE), Adam Schiff (D-CA), Gary Peters (D-MI), Elissa Slotkin (D-MI), and Alex Padilla (D-CA).
-30-
Source: People’s Republic of China in Russian – People’s Republic of China in Russian –
Source: People’s Republic of China – State Council News
BEIJING, May 21 (Xinhua) — Experts from China and Germany called for cooperation to overcome global challenges in an unstable world at a seminar on China-Russia-Europe relations held in Beijing on Tuesday.
The current seminar, organized by the Institute of Russian, East European and Central Asian Studies of the Chinese Academy of Social Sciences (IRESCA AASS), took place in the year of the 50th anniversary of the establishment of diplomatic relations between China and the European Union.
In his opening remarks, Sun Zhuangzhi, Director of the IRECA AONK, noted that in the context of profound global changes unseen for a century, humanity once again found itself at a historical crossroads. Against this background, he stressed, academic discussions on relations between China, Russia and Europe have important practical significance.
Noting that China and Europe have many common interests, Sun said it is crucial to find the “biggest common denominator” for cooperation between the two sides, which is of particular significance both for maintaining security and stability on the Eurasian continent and for promoting prosperity and development worldwide.
Nadine Godehardt, Senior Research Fellow at the Asia Department of the Brussels branch of the German Institute for International and Security Affairs, noted that the world is experiencing new profound changes, and the geopolitical landscape in the Eurasian region is becoming increasingly complex.
As a result, N. Godehard continued, the European Union and the European integration process are creating a new momentum for reform, initiating a whole series of policy adjustments. She added that discussions between Chinese and European think tanks on the relations between China, Russia and Europe and on the situation in the Eurasian region are timely and important.
The seminar participants agreed that in the context of an unstable international situation, countries of the world should adhere to the principles of mutual success and common progress, work together to solve key global and regional problems, and jointly write a new chapter in international governance and multilateral cooperation.
The seminar was attended by experts and scholars from the German Institute for International and Security Affairs, the Bertelsmann Foundation, the Ruhr University Bochum, the AONK and the China Institute of Contemporary International Relations. –0–
TORONTO, May 21, 2025 (GLOBE NEWSWIRE) — BULGOLD Inc. (TSXV: ZLTO) (the “Company” or “BULGOLD”) is pleased to announce the voting results from its Annual General and Special Meeting of the holders (“Shareholders”) of common shares of the Company that was held at 10:00 AM on May 21, 2025 (the “Meeting”).
All the matters put forward before Shareholders for consideration and approval as set out in the Company’s management information circular dated April 1, 2025 (the “Circular”) were approved by the requisite majority of votes cast at the Meeting. In particular, Shareholders approved the election of all director nominees listed in the Circular. The board of directors of the Company is now comprised as follows:
James A. Crombie
Sean Hasson
Colin Jones
Laurie Marsland
Dr. Mihaela Barnes
Vanessa Cook
Shareholders also appointed McGovern Hurley LLP as auditors of the Company until the close of the next annual meeting of Shareholders at a remuneration to be fixed by the board of directors of the Company.
Further, the disinterested Shareholders passed an ordinary resolution ratifying and confirming the Company’s 10% “rolling” equity incentive plan including the setting-aside, allotting and reserving 10% of the Company’s outstanding common shares from time to time for issuance pursuant to the exercise of awards granted thereunder (the full text of which is set out in the Circular).
A total of 10,957,856 common shares representing approximately 39.7% of the Company’s issued and outstanding common shares were voted in connection with the Meeting, and each of the foregoing matters were approved by over 99.4% of the votes cast thereon.
About BULGOLD Inc. BULGOLD is a gold exploration company focused on the exploration and development of mineral exploration projects in Central and Eastern Europe. The Company controls 100% of three quality quartz-adularia epithermal gold projects located in the Bulgarian and Slovak portions of the Western Tethyan Belt: the Lutila Gold Project, the Kostilkovo Gold Project and the Kutel Gold Project. Management of the Company believes that its assets show potential for high-grade, good-metallurgy, low-sulfidation epithermal gold mineralisation.
On December 31, 2024, BULGOLD’s issued and outstanding shares were 27,597,928 of which approximately 40.3% were held by Founders, Directors and Management. Additional information about the Company is available on BULGOLD’s website (www.BULGOLD.com) and on SEDAR+ (www.sedarplus.ca).
Neither TSX Venture Exchange nor its Regulation Services Provider (as that term is defined in the policies of the TSX Venture Exchange) accepts responsibility for the adequacy or accuracy of this release.
Cautionary Statement Regarding Forward-Looking Information
This press release contains forward‐looking statements and forward‐looking information within the meaning of applicable securities laws. These statements relate to future events or future performance and include statements relating to voting results of the Meeting. All statements other than statements of historical fact may be forward‐looking statements or information. The forward‐looking statements and information are based on certain key expectations and assumptions made by management of the Company. Although management of the Company believes that the expectations and assumptions on which such forward-looking statements and information are based are reasonable, undue reliance should not be placed on the forward‐looking statements and information since no assurance can be given that they will prove to be correct.
Forward-looking statements and information are provided for the purpose of providing information about the current expectations and plans of management of the Company relating to the future. Readers are cautioned that reliance on such statements and information may not be appropriate for other purposes, such as making investment decisions. Since forward‐looking statements and information address future events and conditions, by their very nature they involve inherent risks and uncertainties. Actual results could differ materially from those currently anticipated due to a number of factors and risks, including the inherent uncertainty of mineral exploration; risks related to title to mineral properties; and credit, market, currency, operational, commodity, geopolitical, liquidity and funding risks generally, including changes in economic conditions, interest rates or tax rates and general market and economic conditions. Accordingly, readers should not place undue reliance on the forward‐looking statements and information contained in this press release. Readers are cautioned that the foregoing list of factors is not exhaustive. The forward‐looking statements and information contained in this press release are made as of the date hereof and no undertaking is given to update publicly or revise any forward‐looking statements or information, whether as a result of new information, future events or otherwise, unless so required by applicable securities laws. The forward-looking statements and information contained in this press release are expressly qualified by this cautionary statement.
Source: United Kingdom – Executive Government & Departments
Press release
PM meeting with President Nikos Christodoulides of Cyprus: 21 May 2025
The Prime Minister hosted President Nikos Christodoulides of Cyprus for a short meeting in Downing Street during his visit to London.
The Prime Minister hosted President Nikos Christodoulides of Cyprus for a short meeting in Downing Street during his visit to London.
The leaders began by reflecting on the Prime Minister’s historic visit to Cyprus in December and welcomed the strengthening of the relationship between the two countries.
The Prime Minister updated on the UK-EU Summit earlier in the week, and thanked President Christodoulides for his support in resetting the relationship between the UK and Europe.
The leaders looked forward to speaking again soon.
During the action day, authorities in both countries seized assets worth at least several millions euros, including apartments and companies, as well as various luxury vehicles. . Large amounts of cash and quantities of cocaine and heroin were also seized. A full and complete evaluation of the seizures will be carried out in the coming days.
No complete estimate of the total profits of the cooperation between the three OCGs is available. However, information obtained through the JIT shows that the criminal networks were involved in payments, often in cash, of close to EUR 5 million and the trafficking of at least 1 800 kilos of cocaine and heroin.
Investigations into the linked criminal organisations were initiated in 2016 by the Public Prosecutor’s Office of Bari and the Special Anti-Corruption and Organised Crime Prosecutor’s Office of Tirana and the Albanian Police. On the Albanian side, one OCG, which operated from Durres, was responsible for the transport and wholesale distribution of large quantities of cocaine, heroin and cannabis trafficked between the Balkans, Northern Europe, South America and Puglia in Italy.
Two Italian-led criminal gangs carried out the cutting and packaging of illicit drugs and supplied cocaine and heroin from Latin America and Turkey to local gangs in organisations in Bari, Brindisi and Lecce.
The arrests in Italy and Albania are the result of a long-term collaboration through the JIT. This involved the use of wiretaps, intensive video surveillance, the monitoring of suspects and the analysis of encrypted chats. These chats were decrypted following intensive cooperation through Eurojust.
Since 2020, Eurojust has supported the authorities in Italy and Albania with the JIT. Furthermore, the Agency provided assistance with the execution of requests for Mutual Legal Assistance during the action day and gave cross-border judicial support. Albania is one of the twelve countries outside the European Union with a Liaison Prosecutor at Eurojust. The investigations were also coordinated and supported by the office of the dedicated security expert at the Italian Embassy in Tirana.
The judicial cooperation between Italy and Albania has already proven effective in recent years. Between 2018 and 2021, the Anti-Mafia Investigation Directorate of Bari issued and executed 118 arrest warrants against alleged drug traffickers operating in both countries. As a result, various defendants were sentenced up to 20 years imprisonment.
This week’s operation was carried out at the request of and by the following authorities:
Italy: Public Prosecutor’s Office Bari – District Anti-Mafia Directorate; Anti-Mafia Investigation Directorate Bari, under the coordination of the National Anti-Mafia and Anti-Terrorism Directorate Rome, with support of the Office of the Security Expert at the Italian Embassy in Tirana
Albania: Special Anti-Corruption and Organised Crime Prosecutor’s Office (SPAK) of Tirana; Albanian Police
News In Brief – Source: US Computer Emergency Readiness Team
Executive Summary
This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.
Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.
This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.
The following authors and co-sealers are releasing this CSA:
United States National Security Agency (NSA)
United States Federal Bureau of Investigation (FBI)
United Kingdom National Cyber Security Centre (NCSC-UK)
Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
Czech Republic Military Intelligence (VZ) Vojenské zpravodajství
Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
United States Cybersecurity and Infrastructure Security Agency (CISA)
United States Department of Defense Cyber Crime Center (DC3)
United States Cyber Command (USCYBERCOM)
Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
Canadian Centre for Cyber Security (CCCS)
Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
Estonian Foreign Intelligence Service (EFIS) Välisluureamet
Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst
Download the PDF version of this report:
Russian GRU Targeting Western Logistics Entities and Technology Companies (PDF, 1,081KB)
For a downloadable list of IOCs, visit:
Introduction
For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions. In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments. Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.
Description of Targets
The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations:
Defense Industry
Transportation and Transportation Hubs (ports, airports, etc.)
Maritime
Air Traffic Management
IT Services
In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].
The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].
The countries with targeted entities include the following, as illustrated in Figure 1:
Bulgaria
Czech Republic
France
Germany
Greece
Italy
Moldova
Netherlands
Poland
Romania
Slovakia
Ukraine
United States
Figure 1: Countries with Targeted Entities
Initial Access TTPs
To gain initial access to targeted entities, unit 26165 actors used several techniques to gain initial access to targeted entities, including (but not limited to):
The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]
Credential Guessing/Brute Force
Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573].
Spearphishing
GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient.
Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:
Webhook[.]site
FrgeIO
InfinityFree
Dynu
Mocky
Pipedream
Mockbin[.]org
The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].
CVE Usage
Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].
Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE.
Post-Compromise TTPs
After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].
The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as in Figure 2: Example Active Directory Domain Services command:
C:Windowssystem32ntdsutil.exe "activate instance ntds" ifm "create full C:temp[a-z]{3}" quit quit
Figure 2: Example Active Directory Domain Services command
Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].
Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]
After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].
After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including:
sender,
recipient,
train/plane/ship numbers,
point of departure,
destination,
container registration numbers,
travel route, and
cargo contents.
In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.
Malware
Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:
HEADLACE [7]
MASEPIE [8]
While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggest that they could be deployed against logistics and IT entities should the need arise.
Persistence
In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence.
Exfiltration
GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure.
The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected.
Connections to Targeting of IP Cameras
In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams.
The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.
Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration.
From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:
Table 1: Geographic distribution of targeted IP cameras
Country
Percentage of Total Attempts
Ukraine
81.0%
Romania
9.9%
Poland
4.0%
Hungary
2.8%
Slovakia
1.7%
Others
0.6%
Mitigation Actions
General Security Mitigations
Architecture and Configuration
Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
Utilize endpoint, detection, and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data such as mail servers and domain controllers [D3-PM] first.
Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode [D3-ACH].
Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.
Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].
*.000[.]pe
*.1cooldns[.]com
*.42web[.]io
*.4cloud[.]click
*.accesscan[.]org
*.bumbleshrimp[.]com
*.camdvr[.]org
*.casacam[.]net
*.ddnsfree[.]com
*.ddnsgeek[.]com
*.ddnsguru[.]com
*.dynuddns[.]com
*.dynuddns[.]net
*.free[.]nf
*.freeddns[.]org
*.frge[.]io
*.glize[.]com
*.great-site[.]net
*.infinityfreeapp[.]com
*.kesug[.]com
*.loseyourip[.]com
*.lovestoblog[.]com
*.mockbin[.]io
*.mockbin[.]org
*.mocky[.]io
*.mybiolink[.]io
*.mysynology[.]net
*.mywire[.]org
*.ngrok[.]io
*.ooguy[.]com
*.pipedream[.]net
*.rf[.]gd
*.urlbae[.]com
*.webhook[.]site
*.webhookapp[.]com
*.webredirect[.]org
*.wuaze[.]com
Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
Identity and Access Management
Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques:
Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
Use account throttling or account lockout [D3-ANET]:
Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]
IP Camera Mitigations
The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:
Ensure IP cameras are currently supported. Replace devices that are out of support.
Apply security patches and firmware updates to all IP cameras [D3-SU].
Disable remote access to the IP camera, if unnecessary [D3-ITF].
Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
Turn off other ports/services not in use (e.g., FTP, web interface, etc.) [D3-ACH].
If supported, enable authenticated RTSP access only [D3-AA].
Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
Configure, tune, and monitor logging—if available—on the IP camera.
Indicators of Compromise (IOCs)
Note: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when basing triaging logs or developing detection rules on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.
Utilities and scripts
Legitimate utilities
Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:
ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
wevtutil – A legitimate Windows executable used by threat actors to delete event logs
vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
ADexplorer – A legitimate window executable to view, edit, and backup Active Directory Certificate Services
OpenSSH – The Windows version of a legitimate open source SSH client
schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
whoami – A legitimate Windows executable used to retrieve the name of the current user
tasklist – A legitimate Windows executable used to retrieve the list of running processes
hostname – A legitimate Windows executable used to retrieve the device name
arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
net – A legitimate Windows executable used to retrieve detailed user information
wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
cacls – A legitimate Windows executable used to modify permissions on files
icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
ssh – A legitimate Windows executable used to establish network shell connections
reg – A legitimate Windows executable used to add to or modify the system registry
Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.
Malicious scripts
Certipy – An open source python tool for enumerating and abusing Active Directory Certificate Services
Get-GPPPassword.py – An open source python script for finding insecure passwords stored in Group Policy Preferences
ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
Hikvision backdoor string: “YWRtaW46MTEK”
Suspicious command lines
While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:
edge.exe “-headless-new -disable-gpu”
ntdsutil.exe “activate instance ntds” ifm “create full C:temp[a-z]{3}” quit quit
Disclaimer: These IP addresses date June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.
June 2024
July 2024
August 2024
192[.]162[.]174[.]94
207[.]244[.]71[.]84
31[.]135[.]199[.]145
79[.]184[.]25[.]198
91[.]149[.]253[.]204
103[.]97[.]203[.]29
162[.]210[.]194[.]2
31[.]42[.]4[.]138
79[.]185[.]5[.]142
91[.]149[.]254[.]75
209[.]14[.]71[.]127
46[.]112[.]70[.]252
83[.]10[.]46[.]174
91[.]149[.]255[.]122
109[.]95[.]151[.]207
46[.]248[.]185[.]236
83[.]168[.]66[.]145
91[.]149[.]255[.]19
64[.]176[.]67[.]117
83[.]168[.]78[.]27
91[.]149[.]255[.]195
64[.]176[.]69[.]196
83[.]168[.]78[.]31
91[.]221[.]88[.]76
64[.]176[.]70[.]18
83[.]168[.]78[.]55
93[.]105[.]185[.]139
64[.]176[.]70[.]238
83[.]23[.]130[.]49
95[.]215[.]76[.]209
64[.]176[.]71[.]201
83[.]29[.]138[.]115
138[.]199[.]59[.]43
70[.]34[.]242[.]220
89[.]64[.]70[.]69
147[.]135[.]209[.]245
70[.]34[.]243[.]226
90[.]156[.]4[.]204
178[.]235[.]191[.]182
70[.]34[.]244[.]100
91[.]149[.]202[.]215
178[.]37[.]97[.]243
70[.]34[.]245[.]215
91[.]149[.]203[.]73
185[.]234[.]235[.]69
70[.]34[.]252[.]168
91[.]149[.]219[.]158
192[.]162[.]174[.]67
70[.]34[.]252[.]186
91[.]149[.]219[.]23
194[.]187[.]180[.]20
70[.]34[.]252[.]222
91[.]149[.]223[.]130
212[.]127[.]78[.]170
70[.]34[.]253[.]13
91[.]149[.]253[.]118
213[.]134[.]184[.]167
70[.]34[.]253[.]247
91[.]149[.]253[.]198
70[.]34[.]254[.]245
91[.]149[.]253[.]20
Detections
Customized NTLM listener
rule APT28_NTLM_LISTENER {
meta:
description = "Detects NTLM listeners including APT28's custom one"
( any of ($sysinternals_*) and any of ($psexec_*) )
or
( 2 of ($network_*) and 2 of ($psexec_*))
)
}
The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all encompassing, the following are the most notable threat group names related under MITRE ATT&CK G0007 and commonly used within the cybersecurity community:
APT28 [14]
Fancy Bear [14]
Forest Blizzard [14]
Blue Delta [15]
Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.
Further Reference
To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc.
For the Impacket TTP, network defenders may consider using the following publicly available Impacket YARA detection rule: https://github.com/Neo23x0/signature-base/blob/master/yara/gen_impacket_tools.yar
Works Cited
[1] Microsoft. Defending Ukraine: Early Lessons from the Cyber War. 2022. https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/ [2] FBI et al. Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations. 2024. https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF [3] NSA et al. Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 2021. https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF [4] ANSSI. Campagnes d'attaques du mode opératoire APT28 depuis 2021. 2023. https://cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/ [5] ANSSI. Targeting and compromise of french entities using the APT28 intrusion set. 2025. https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/ [6] Polish Cyber Command. Detecting Malicious Activity Against Microsoft Exchange Servers. 2023. https://www.wojsko-polskie.pl/woc/articles/aktualnosci-w/detecting-malicious-activity-against-microsoft-exchange-servers/ [7] IBM. Israel-Hamas Conflict Lures to Deliver Headlace Malware. 2023. https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/ [8] CERT-UA. APT28: From Initial Attack to Creating Domain Controller Threats in an Hour. 2023. https://cert.gov.ua/article/6276894 [9] NSA. Embracing a Zero Trust Security Model. 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF [10] NSA et al. Keeping PowerShell: Security Measures to Use and Embrace. 2022. https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF [11] National Institute of Standards and Technology (NIST). Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. 2020. https://pages.nist.gov/800-63-3/sp800-63b.html [12] NSA. Selecting Secure Multi-factor Authentication Solutions. October 16, 2020. https://media.defense.gov/2024/Jul/31/2003515137/-1/-1/0/MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF [13] NSA and CSA. NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. 2023. https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF
[14] Department of Justice. Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). 2024. https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian [15] Recorded Future. GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns. 2024. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf
Disclaimer of endorsement
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Purpose
This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Contact
United States organizations
National Security Agency (NSA)
Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
U.S. organizations are encouraged to reporting suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment user for the activity; the name of the submitting company or organization; and a designated point of contact.
Department of Defense Cyber Crime Center (DC3)
United Kingdom organizations
Germany organizations
Czech Republic organizations
Poland organizations
Australian organizations
Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
Canadian organizations
Estonia organizations
French organizations
French organizations are encouraged to report suspicious activity or incident related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at: 3218 or +33 9 70 83 32 18.
See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.
Table 2: Reconnaissance
Tactic/Technique Title
ID
Use
Reconnaissance
TA0043
Conducted reconnaissance on at least one entity involved in the production of ICS components for railway management.
Conducted contact information reconnaissance to identify additional targets in key positions.
Gather Victim Org Information
T1591
Conducted reconnaissance of the cybersecurity department.
Gather Victim Org Information: Identify Roles
T1591.004
Conducted reconnaissance of individuals responsible for coordinating transport.
Gather Victim Org Information: Business Relationships
T1591.002
Conducted reconnaissance of other companies cooperating with the victim entity.
Gather Victim Host Information
T1592
Attempted to enumerate Real Time Streaming Protocol (RTSP) servers hosting IP cameras.
Table 3: Resource development
Tactic/Technique Title
ID
Use
Compromise Accounts: Email Accounts
T1586.002
Sent phishing emails using compromised accounts.
Compromise Accounts: Cloud Accounts
T1586.003
Sent phishing emails using compromised accounts.
Table 4: Initial Access
Tactic/Technique Title
ID
Use
Trusted Relationship
T1199
Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
Phishing
T1566
Used spearphishing for credentials and delivering malware to gain initial access to targeted entities.
Phishing: Spearphishing Attachment
T1566.001
Sent emails with malicious attachments.
Phishing: Spearphishing Link
T1566.002
Used spearphishing with included links to fake login pages. Sent emails with embedded hyperlinks that downloaded a malicious archive.
Phishing: Spearphishing Voice
T1566.004
Attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff.
External Remote Services
T1133
Exploited Internet-facing infrastructure, including corporate VPNs, to gain initial access to targeted entities.
Exploit Public-Facing Application
T1190
Exploited public vulnerabilities and SQL injection to gain initial access to targeted entities.
Content Injection
T1659
Leveraged a WinRAR vulnerability allowing for the execution of arbitrary code embedded in an archive.
Table 5: Execution
Tactic/Technique Title
ID
Use
User Execution: Malicious Link
T1204.001
Used malicious links to hosted shortcuts in spearphishing.
User Execution: Malicious File
T1204.002
Delivered malware executables via spearphishing.
Scheduled Task/Job: Scheduled Task
T1053.005
Used scheduled tasks to establish persistence.
Command and Scripting Interpreter
T1059
Delivered scripts in spearphishing. Executed arbitrary shell commands.
Command and Scripting Interpreter: PowerShell
T1059.001
PowerShell commands were often used to prepare data for exfiltration.
Command and Scripting Interpreter: Windows Command Shell
T1059.003
Used BAT script in spearphishing.
Command and Scripting Interpreter: Visual Basic
T1059.005
Used VBScript in spearphishing.
Command and Scripting Interpreter: Python
T1059.006
Installed python on infected machines to enable the execution of Certipy.
Enrolled compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access.
Hijack Execution Flow: DLL Search Order Hijacking
T1574.001
Used DLL search order hijacking to facilitate malware execution.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.001
Used run keys to establish persistence.
Boot or Logon Autostart Execution: Shortcut Modification
T1547.009
Placed malicious shortcuts in the startup folder to establish persistence.
Table 7: Defense Evasion
Tactic/Technique Title
ID
Use
Indicator Removal: Clear Windows Event Logs
T1070.001
Deleted event logs through the wevtutil utility.
Table 8: Credential access
Tactic/Technique Title
ID
Use
Brute Force
Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials, and likely were generic attempts to brute force access to the devices.
Brute Force: Password Guessing
T1110.001
Used credential guessing to gain initial access to targeted entities.
Brute Force: Password Spraying
T1110.003
Used brute force to gain initial access to targeted entities. Conducted a brute force password spray via LDAP.
Multi-Factor Authentication Interception
Used multi-stage redirectors to provide MFA relaying capabilities in some campaigns.
Input Capture
Used multi-stage redirectors to provide CAPTCHA relaying capabilities in some campaigns.
Forced Authentication
Used an Outlook NTLM vulnerability to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations.
OS Credential Dumping: NTDS
T1003.003
Attempted to dump Active Directory NTDS.dit domain databases.
Unsecured Credentials: Group Policy Preferences
T1552.006
Retrieved plaintext passwords via Group Policy Preferences using Get-GPPPassword.py.
Table 9: Discovery
Tactic/Technique Title
ID
Use
Account Discovery: Domain Account
T1087.002
Used a modified ldap-dump.py to enumerate the Windows environment.
Table 10: Command and Control
Tactic/Technique Title
ID
Use
Hide Infrastructure
T1665
Abused SOHO devices to facilitate covert cyber operations, as well as proxy malicious activity, via devices with geolocation in proximity to the target.
Proxy: External Proxy
T1090.002
Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers.
Proxy: Multi-hop Proxy
T1090.003
Used Tor and commercial VPNs as part of their anonymization infrastructure
Encrypted Channel
T1573
Connected to victim infrastructure using encrypted TLS.
Multi-Stage Channels
T1104
Used multi-stage redirectors for campaigns.
Table 11: Defense evasion (mobile framework)
Tactic/Technique Title
ID
Use
Execution Guardrails
Used multi-stage redirectors to verify browser fingerprints in some campaigns.
Execution Guardrails: Geofencing
T1627.001
Used multi-stage redirectors to verify IP-geolocation in some campaigns.
Table 12: Lateral movement
Tactic/Technique Title
ID
Use
Lateral Movement
Used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment.
Remote Services: Remote Desktop Protocol
T1021.001
Moved laterally within the network using RDP.
Table 13: Collection
Tactic/Technique Title
ID
Use
Email Collection
Retrieved sensitive data from email servers.
Email Collection: Remote Email Collection
T1114.002
Used server data exchange protocols and APIs such as Exchange Web Services (EWS) and IMAP to exfiltrate data from email servers.
Automated Collection
Used periodic EWS queries to collect new emails.
Video Capture
Attempted to gain access to the cameras’ feeds.
Archive Collected Data
Accessed files were archived in .zip files prior to exfiltration.
Archive Collected Data: Archive via Utility
T1560.001
Prepared zip archives for upload to the actors’ infrastructure.
Table 14: Exfiltration
Tactic/Technique Title
ID
Use
Exfiltration Over Alternative Protocol
Attempted to exfiltrate archived data via a previously dropped OpenSSH binary.
Scheduled Transfer
Used periodic EWS queries to collect new emails sent and received since the last data exfiltration.
Appendix B: CVEs exploited
Table 15: Exploited CVE information
CVE
Vendor/Product
Details
CVE-2023-38831
RARLAB WinRAR
Allows execution of arbitrary code when a user attempts to view a benign file within a ZIP archive.
CVE-2023-23397
Microsoft Outlook
External actors could send specially crafted emails that cause a connection from the victim to an untrusted location of the actor’s control, leaking the Net-NTLMv2 hash of the victim that the actor could then relay to another service to authenticate as the victim.
CVE-2021-44026
Roundcube Webmail
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search params.
CVE-2020-35730
Roundcube Webmail
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php.
CVE-2020-12641
Roundcube Webmail
Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.
Appendix C: MITRE D3FEND Countermeasures
Table 16: MITRE D3FEND countermeasures
Countermeasure Title
ID
Details
Network Isolation
Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers.
Access Mediation
Limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access.
Inbound Traffic Filtering
Implement host firewall rules to block connections from other devices on the network, other than from authorized management devices and servers, to prevent lateral movement.
Resource Access Pattern Analysis
Use automated tools to audit access logs for security concerns and identify anomalous access requests.
Outbound Traffic Filtering
Block NTLM/SMB requests to external infrastructure.
Platform Monitoring
Install EDR/logging/cybersecurity solutions onto high value systems with large amounts of sensitive data such as mail servers and domain controllers.
System File Analysis
Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly.
Application Hardening
Enable optional security features in Windows to harden endpoints and mitigate initial access techniques.
Application-based Process Isolation
Enable attack surface reduction rules to prevent executable content from email.
Executable Allowlisting
Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA%.
Execution Isolation
Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts.
Application Configuration Hardening
Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.).
Process Spawn Analysis
Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters.
URL Reputation Analysis
Use services that provide enhanced browsing services and safe link checking.
Network Access Mediation
Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible.
DNS Denylisting
D3-DNSDL
Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors.
Domain Name Reputation Analysis
Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
Multi-factor Authentication
Use MFA with strong factors and require regular re-authentication, especially for management accounts.
Job Function Access Pattern Analysis
D3-JFAPA
Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts.
User Account Permissions
Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected.
Token-based Authentication
Reduce reliance on passwords; instead, consider using services like single sign-on.
Credential Hardening
Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts.
Authentication Event Threshholding
Use account throttling or account lockout. Throttling progressively increases time delay between successive login attempts. If using account lockout, allow between 5 to 10 attempts before lockout.
Strong Password Policy
Use a service to check for compromised passwords before using them.
Credential Rotation
Change all default credentials.
Encrypted Tunnels
Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices.
Software Update
Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life.
Agent Authentication
Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only.
User Behavior Analysis
Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.
On 4 June, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) is organising a Public Hearing on “Organised Crime and its impact on Internal Security”. The hearing will aim to discuss the escalating complexity and transnational nature of criminal activities which are undermining the European Union’s security and the fundamental rights of its citizens.
This dedicated hearing will provide a crucial platform to assess emerging threats, enhance cross-border cooperation, and strengthen legislative frameworks. By bringing together policymakers, law enforcement agencies, prosecutors, academia and experts, the LIBE Committee can consider and assess coordinated strategies to safeguard the rule of law, protect citizens, and reaffirm the EU’s commitment to justice and internal security.
The hearing will be divided into two panels and will include Commissioner for Internal Affairs and Migration, Magnus Brunner, Europol Executive Director, Ms Catherine De Bolle and State Secretary to Minister for Justice of Sweden, Ms Charlotte Kugelberg. The Italian national anti-mafia prosecutor and a Professor of criminology, with expertise in the area of organised crime, are also invited to attend the Hearing.
Question for written answer E-001930/2025 to the Commission Rule 144 Krzysztof Brejza (PPE)
The recent electricity blackout in Spain and Portugal underscores the importance of reducing vulnerabilities and strengthening the resilience of critical energy infrastructure to ensure the uninterrupted provision of essential services. Energy systems are the backbone of the EU’s economy and society, and disruptions – especially in interconnected grids – can have significant cross-border impacts.
One of the priorities of the European internal security strategy (ProtectEU) is the protection of critical infrastructure, including energy interconnectors. The blackout raises important questions about current levels of preparedness and whether additional efforts are needed at EU level.
In the light of this:
1.How does the Commission assess the impact of the Iberian blackout on the implementation of ProtectEU’s critical infrastructure goals?
2.What measures are being considered to enhance the protection of energy infrastructure across the EU?
3.How will the Commission assess the implications of the Iberian blackout for the implementation of the Critical Entities Resilience Directive (Directive (EU) 2022/2557[1])?
Submitted: 14.5.2025
[1] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC, OJ L 333, 27.12.2022, p. 164, ELI: http://data.europa.eu/eli/dir/2022/2557/oj.
Question for written answer E-001880/2025 to the Commission Rule 144 Per Clausen (The Left)
In its answer dated 15 March 2024 to a question (P-000460/2024(ASW))[1] the Commission stated the following: ‘In July 2021, the Commission launched infringement proceedings against 24 Member States for the non-conformity of their national measures with the Enforcement Directive on Posting of Workers.’. In response to the specific question that had been put, the Commission went on to state that it ‘will decide on the next steps in the coming months’.
It is now more than a year since that answer was given. Therefore:
1.Can the Commission now say what the state of play is with regard to letter of formal notice 2021/2057 of 26 January 2023 concerning Denmark’s transposition of Directive 2014/67/EU?
2.What assessment has the Commission made of ‘all replies and of all amending legislations notified to the Commission by Member States which have agreed in their replies to the letters of formal notice or reasoned opinions with all or some of the grievances raised by the Commission in these infringement proceedings’?
3.Can the Commission provide a full update on what the position now is as regards the 17 reasoned opinions referred to in the reply of 15 March 2024, including on which cases further action is being taken?
Question for written answer E-001902/2025 to the Commission Rule 144 Dolors Montserrat (PPE)
The reply to questions E-000571/2025, E-000570/2025, E-000572/2025 and E-000573/2025[1] on the use of the Recovery and Resilience Facility (RRF) by RTVE only makes reference to a digital training project and defers its assessment to a later date. Taking account of the results of the European Court of Auditors’ report on the RRF, which identifies structural weaknesses that need to be addressed if a performance-based funding model is to be consolidated:
1.How does the Commission intend to ensure that Recovery and Resilience Facility funds actually reach the final recipients, especially in countries such as Spain, where a lack of traceability, delays in implementation and poor assessment of the impact of the reforms financed have been identified?
2.How does it intend to prevent the opaque use of funds within RTVE, bearing in mind that this could open the door to bad practices, corruption or favouritism, thereby eroding public trust in the institutions?
VIENNA, Austria – May 21, 2025 – Today, Moody’s announced that it affirms the ratings of BAWAG P.S.K. and changed the outlook on the long-term deposit, senior unsecured, and long-term issuer ratings from stable to positive.
The positive outlook is a reflection of our to-be integrated recent acquisitions which show a steady business performance and could result in a sustainably improved financial profile.
David O’Leary, Chief Risk Officer of BAWAG Group, commented: “The change to a positive outlook is a testament to our strategy focused on sustainable growth, efficiency and maintaining a safe and secure balance sheet. While our strategy has been unchanged since 2012, with the recent acquisitions, our business profile with focus on DACH/NL region as well as Retail & SME had been enhanced. The improved outlook highlights the resilience and stability of our business, with increased profitability after our acquisitions.”
About BAWAG Group BAWAG Group AG is a publicly listed holding company headquartered in Vienna, Austria, serving our over 4 million retail, small business, corporate, real estate and public sector customers across Austria, Germany, Switzerland, Netherlands, Ireland, the United Kingdom, and the United States. The Group operates under various brands and across multiple channels offering comprehensive savings, payment, lending, leasing, investment, building society, factoring and insurance products and services. Our goal is to deliver simple, transparent, and affordable financial products and services that our customers need.
BAWAG Group’s Investor Relations website https://www.bawaggroup.com/ir contains further information, including financial and other information for investors.
Forward-looking statement This release contains “forward-looking statements” regarding the financial condition, results of operations, business plans and future performance of BAWAG Group. Words such as “anticipates,” “believes,” “estimates,” “expects,” “forecasts,” “intends,” “plans,” “projects,” “may,” “will,” “should,” “would,” “could” and other similar expressions are intended to identify these forward-looking statements. These forward-looking statements reflect management’s expectations as of the date hereof and are subject to risks and uncertainties that may cause actual results to differ materially from those projected. These risks and uncertainties include, but are not limited to, economic conditions, the regulatory environment, loan concentrations, vendors, employees, technology, competition, and interest rates. Readers are cautioned not to place undue reliance on the forward-looking statements as actual results may differ materially from the results predicted. Neither BAWAG Group nor any of its affiliates, advisors or representatives shall have any liability whatsoever (in negligence or otherwise) for any loss howsoever arising from any use of this report or its content or otherwise arising in connection with this document. This report does not constitute an offer or invitation to purchase or subscribe for any securities and neither it nor any part of it shall form the basis of or be relied upon in connection with any contract or commitment whatsoever. This statement is included for the express purpose of invoking “safe harbor provisions”.