Category: Germany

  • MIL-OSI China: Flick extends Barcelona contract until 2027

    Source: People’s Republic of China – State Council News

    FC Barcelona announced on Wednesday that coach Hansi Flick has agreed to extend his contract with the club until the end of June 2027.

    “The German coach will sign on Wednesday the extension of his contract until 2027 – for one more season – The act will be held in the offices at the Camp Nou,” confirmed a statement from the club.

    Hansi Flick gestures on the touchline during the Group E match between Germany and Japan at the 2022 FIFA World Cup at Khalifa International Stadium in Doha, Qatar, Nov. 23, 2022. (Xinhua/Cao Can)

    The extension on Flick’s original deal, which was due to expire in 2026, comes after the former Bayern Munich and German national team boss has led Barca to this season’s La Liga title, the Copa del Rey and the Spanish Supercup in his first season in charge.

    Flick’s only disappointment was a narrow defeat after extra time to Inter Milan in the semifinals of the Champions League.

    MIL OSI China News –

    May 22, 2025
  • MIL-OSI Submissions: Tech – Europe’s Largest Inaugural Tech and Startup Event Opens in Berlin as the Continent Spurs Momentum for Open Innovation and AI Leadership

    Source: GITEX EUROPE x Ai Everything 2025

    Economy | Entrepreneurs / Start-Up | Tech / Digital | Innovation – Ministers and senior tech stakeholders from the European Union, Germany and the UAE inaugurate the momentous first edition of GITEX EUROPE x Ai Everything.

    Berlin, Germany – 21 May 2025: Berlin became the focal point of Europe’s tech momentum and global digital cooperation as GITEX EUROPE x Ai Everything 2025 opened its doors today at Messe Berlin, launching the region’s largest inaugural tech, startup and digital investment event to capacity crowds and the biggest, most international lineup of tech and businesses converging in Europe. The show arrives at an inflection point in Europe’s digital future, sparked by a continent-wide ‘Choose Europe’ movement to anchor the next wave of innovation, research, investment, talent and deep-tech breakthroughs on home ground; alongside a renewed impetus in Germany represented by the formation of a new government and the country’s first digital ministry taking stewardship on digital transformation, AI excellence and data policy.

    Born in the UAE with global editions now running in seven countries, GITEX is the world’s largest and best-rated tech and startup event, reflecting the UAE’s wider national commitment to global digital collaboration. With the show’s expansion into Europe, it echoes the UAE’s shared commitment to advance innovation and scientific frontiers, recently strengthened with Abu Dhabi’s MGX investment and Nvidia partnering to develop Europe’s largest AI data center campus (1) alongside the development of a new 5GW AI campus (2), the largest of its kind outside the US to be based in Abu Dhabi.

    Welcome addresses led the inauguration ceremony from European and global leaders, including Kai Wegner, Governing Mayor of Berlin; H.E. Alia Al Mazrouei, UAE Minister of State for Entrepreneurship; Clara Chappaz, the Minister of AI and Digital of France; Thomas Jarzombek, Parliamentary State Secretary at the Federal Ministry for Digital and State Modernization, Germany; Jan Kavalírek, Deputy Minister of Industry and Trade, Czech Republic; Franziska Giffey, Mayor of Berlin & Senator for Economic Affairs, Energy and Public Enterprises; and Trixie LohMirmand, EVP of Dubai World Trade Centre, the global organiser of GITEX.

    With participation from over 100 countries, 1,400 tech companies, startups, and SMEs, more than 600 influential investors, and 500 industry leaders on-stage, the event sparked strategic dialogues on innovation, investment, policy shifts and business transformations, as well as catalysed collaborations at scale – across sectors and geographies. Taking place until 23 May at Messe Berlin, GITEX EUROPE x Ai Everything 2025 is organised in partnership with the Berlin Senate Department for Economics, Energy and Public Enterprises, Germany’s Federal Ministry for Economic Affairs and Climate Action, Berlin Partner for Business and Technology, and the European Innovation Council (EIC).

    Kai Wegner, Governing Mayor of Berlin: “The GITEX tech fair – which is taking place in Berlin for the very first time – brings founders from around the world, investors, and established companies together. As Germany’s startup capital, Berlin is the perfect place for GITEX. We want to create the best environment for founders in our city. Networking events and industry fairs like GITEX are part of that effort.”

    Her Excellency (H.E.) Alia Al Mazrouei, the UAE Minister of State for Entrepreneurship: “Moving beyond economic diplomacy, the UAE is now championing entrepreneurial diplomacy, guided by our diligent efforts in fostering global partnerships to empower entrepreneurs in the country. GITEX EUROPE’s vision of bringing together SMEs, investors, accelerators, incubators and industry leaders to ignite innovation, foster collaboration, and drive growth aligns with the UAE’s aspirations to strengthen partnerships with Europe in entrepreneurship and digital economy.”

    Clara Chappaz, the Minister of AI and Digital of France, commented on the development of AI: “When you hear about Europe being a continent of regulation, this is the past. Today, Europe is all about innovation. More than ever, we have all the ingredients to succeed as Europeans building these amazing technologies when it comes to AI. The partnership between France and Germany is extremely determined to accelerate Europe when it comes to innovation, and in particular when it comes to everything we can do on digital innovation.”

    Thomas Jarzombek, Parliamentary State Secretary at the Federal Ministry for Digital and State Modernization, reiterated: “It’s a great opportunity here to connect startups and also for investment opportunities right now here in Berlin. We have to move forward, faster than we did in the past. Easy for you to do business in Germany, easy for every citizen to do everything with an app and to digitalize things you have in our pocket right now.”

    Jan Kavalírek, Deputy Minister of Industry and Trade, Czech Republic: “One of our top priorities right now is to create the best possible environment for AI researchers and to deploy artificial intelligence across all the industrial sector. This is the reason why we invest in AI heavily, both in software and in hardware infrastructure, and this is also the reason why we are glad to be part of GITEX EUROPE.”

    Franziska Giffey, Mayor of Berlin and Senator for Economic Affairs, Energy and Public Enterprises: “We have more than 5,000 startup enterprises here in Berlin, and of course we want to do more. We want to be the number one innovation place in Europe. Whenever you think about coming to the place of freedom, the place of possibilities, come to Berlin.”

    Trixie LohMirmand, global organiser of GITEX: “As the world’s third largest economy, Germany’s market gravity and Europe’s openness create a powerful test-bed where capital, code and talent can cross-pollinate at speed, forging new collaborative forces across geographies and sectors. GITEX EUROPE proves that innovations can scale beyond borders, opening new markets and opportunities for Europe’s most ambitious companies.”

    Spanning high impact showcases and talks covering AI, cybersecurity, deep tech, green tech, quantum computing, SMEs, and startup, scaleup and investments, GITEX EUROPE x Ai Everything offers unmatched opportunities to access new markets, breakthrough technologies, industry transformations and business insights.

    Across the show floor, global tech enterprises including IBM, AWS, Bosch, Cisco, CrowdStrike, Dell, Fortinet, Lenovo, ManageEngine, NinjaOne, NVIDIA, and SAP, alongside over 750 startups from 60 countries, showcase how infrastructure, intelligence, and investment intersect to propel Europe’s digital future forward. From business leaders to AI architects, quantum researchers to CIOs, green tech innovators to global investors, the opening day’s gathering set the tone for decisive partnerships accelerating the continent’s AI and digital competitiveness.

    The opening day conference programme was headlined by Dr. Geoffrey Hinton, Nobel Physics Laureate and ‘Godfather of AI’ with a riveting keynote on ‘AI for Humanity’s Greatest Challenges’. In April 2025, the United Arab Emirates and European Union delivered a joint statement to begin dialogue toward a Comprehensive Economic Partnership Agreement (CEPA) (3) aimed at strengthening bilateral trade and investment ties across key sectors such as AI, advanced manufacturing, healthcare and more.

    GITEX EUROPE x Ai Everything leverages a powerful network of established relationships in tech, policy, investment and business spanning four regions and seven countries, with more new international editions in the wings. Currently the GITEX global network of events takes place in Abu Dhabi, Dubai, Germany, Morocco, Nigeria, Singapore, Thailand, and Vietnam.

    (1) https://fastcompanyme.com/news/nvidia-and-abu-dhabis-mgx-join-french-partners-to-build-europes-largest-ai-campus/
    (2) https://www.techrepublic.com/article/news-uae-us-ai-campus/
    (3) https://www.wam.ae/en/article/bj3wkyv-uae-president-president-european-commission-agree

    For more information, visit: www.gitex-europe.com.

    About GITEX EUROPE x Ai Everything 2025

    GITEX EUROPE x Ai Everything 2025, Europe’s most global, collaborative, and cross-industry tech event, takes place from May 21–23, 2025, at Messe Berlin, Germany. Convening over 1,400 exhibiting enterprises, SMEs and startups from 100-plus countries, alongside over 600 investors and 500 expert speakers across AI, Deep Tech, Quantum, Cybersecurity, Connectivity, Smart Cities, Green Tech, and many more, GITEX EUROPE x Ai Everything is advancing the continent’s digital future in partnership with the world. This inaugural edition features the new SMEDEX, GITEX SCALEX, and GQX, and brings to Germany the world’s largest and best-rated startup and investor event – North Star Europe. GITEX EUROPE x Ai Everything is seamlessly connected with the GITEX network of tech and startup events in Germany, Morocco, Nigeria, Singapore, Thailand, UAE, and Vietnam. For more information, please visit: www.gitex-europe.com

    MIL OSI – Submitted News –

    May 22, 2025
  • MIL-OSI Russia: At a seminar on Eurasian relations, Chinese and German experts called for cooperation

    Translation. Region: Russian Federation

    Source: People’s Republic of China in Russian – State Council News

    BEIJING, May 21 (Xinhua) — Experts from China and Germany called for cooperation to overcome global challenges in an unstable world at a seminar on China-Russia-Europe relations held in Beijing on Tuesday.

    The seminar, organized by the Institute of Russian, East European and Central Asian Studies of the Chinese Academy of Social Sciences, took place in the year of the 50th anniversary of the establishment of diplomatic relations between China and the European Union.

    In his opening remarks, Sun Zhuangzhi, Director of the Institute, noted that in the context of profound global changes unseen in a century, humanity once again finds itself at a historical crossroads. Against this background, he stressed, academic discussion of relations between China, Russia and Europe has important practical significance.

    Noting that China and Europe have many common interests, Sun said it is crucial to find the “biggest common denominator” for cooperation between the two sides, which is of particular significance both for maintaining security and stability on the Eurasian continent and for promoting prosperity and development worldwide.

    Nadine Godehardt, Senior Research Fellow at the Asia Department of the Brussels branch of the German Institute for International and Security Affairs, noted that the world is experiencing new profound changes, and the geopolitical landscape in the Eurasian region is becoming increasingly complex.

    As a result, Godehardt continued, the European Union and the European integration process are creating new momentum for reform, initiating a whole series of policy adjustments. She added that discussions between Chinese and European think tanks on relations between China, Russia and Europe and on the situation in the Eurasian region are timely and important.

    The seminar participants agreed that in the context of an unstable international situation, countries of the world should adhere to the principles of mutual success and common progress, work together to solve key global and regional problems, and jointly write a new chapter in international governance and multilateral cooperation.

    The seminar was attended by experts and scholars from the German Institute for International and Security Affairs, the Bertelsmann Foundation, the Ruhr University Bochum, the Chinese Academy of Social Sciences and the China Institute of Contemporary International Relations. –0–

    MIL OSI Russia News –

    May 22, 2025
  • MIL-OSI USA: Russian GRU Targeting Western Logistics Entities and Technology Companies

    News In Brief – Source: US Computer Emergency Readiness Team

    Executive Summary

    This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

    Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

    This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

    The following authors and co-sealers are releasing this CSA:

    • United States National Security Agency (NSA)
    • United States Federal Bureau of Investigation (FBI)
    • United Kingdom National Cyber Security Centre (NCSC-UK)
    • Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
    • Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
    • Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
    • Czech Republic Military Intelligence (VZ)  Vojenské zpravodajství
    • Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
    • Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
    • Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
    • Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
    • United States Cybersecurity and Infrastructure Security Agency (CISA)
    • United States Department of Defense Cyber Crime Center (DC3)
    • United States Cyber Command (USCYBERCOM)
    • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
    • Canadian Centre for Cyber Security (CCCS)
    • Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
    • Estonian Foreign Intelligence Service (EFIS) Välisluureamet
    • Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
    • French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
    • Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst

    Download the PDF version of this report:

    Russian GRU Targeting Western Logistics Entities and Technology Companies (PDF, 1,081KB)

    Introduction

    For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions.

    In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominantly involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.

    Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.

    Description of Targets

    The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations: 

    • Defense Industry
    • Transportation and Transportation Hubs (ports, airports, etc.)
    • Maritime
    • Air Traffic Management
    • IT Services

    In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].

    The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].

    The countries with targeted entities include the following, as illustrated in Figure 1:

    • Bulgaria
    • Czech Republic
    • France
    • Germany
    • Greece
    • Italy
    • Moldova
    • Netherlands
    • Poland
    • Romania
    • Slovakia
    • Ukraine
    • United States
    Figure 1: Countries with Targeted Entities

    Initial Access TTPs

    Unit 26165 actors used several techniques to gain initial access to targeted entities, including (but not limited to):

    • Credential guessing/brute force
    • Spearphishing
    • Exploitation of public vulnerabilities (CVEs)

    In addition, the actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as to proxy malicious activity via devices geolocated in proximity to the target [T1665]. [2]

    Credential Guessing/Brute Force

    Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573]. 
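    The IP rotation noted above is what defeats the usual detection: a threshold on failed logins per source address never trips when every guess arrives from a different Tor or VPN exit. The Python below is an added example written for this page, not code from the advisory or its authoring agencies. Its log format (timestamp, result, user, source IP) and the sample lines are constructed. It contrasts a per-IP failure count with a count of distinct accounts failing inside one time window across all sources, a number that rotating infrastructure cannot lower without also slowing the spray.

```python
# Added example: password-spray detection that survives source-IP rotation.
# Not code from the advisory; log format and sample lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: "<ISO timestamp> <FAIL|OK> <user> <source ip>".
# The first burst is a spray: one guess per account, each guess from a
# different (Tor/VPN) exit address. The later lines are one user mistyping
# a password twice from a single internal address.
SAMPLE_LOG = """\
2025-05-20T03:00:01Z FAIL alice 203.0.113.10
2025-05-20T03:00:07Z FAIL bob 198.51.100.22
2025-05-20T03:00:12Z FAIL carol 203.0.113.77
2025-05-20T03:00:19Z FAIL dave 192.0.2.140
2025-05-20T03:00:25Z FAIL erin 198.51.100.9
2025-05-20T03:00:31Z FAIL frank 203.0.113.201
2025-05-20T03:00:40Z OK grace 192.0.2.55
2025-05-20T03:01:02Z FAIL heidi 198.51.100.130
2025-05-20T09:15:00Z FAIL alice 10.0.0.5
2025-05-20T09:15:30Z FAIL alice 10.0.0.5
2025-05-20T09:16:00Z OK alice 10.0.0.5
"""


def parse_log(text):
    """Return (timestamp, result, user, src_ip) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip))
    return events


def failures_per_source(events):
    """The classic view: failed logins counted per source IP."""
    counts = defaultdict(int)
    for _, result, _, ip in events:
        if result == "FAIL":
            counts[ip] += 1
    return dict(counts)


def spray_windows(events, window=timedelta(minutes=10), min_users=5):
    """Flag time windows in which failed logins hit at least `min_users`
    distinct accounts, ignoring the source IP entirely. Rotating exits do
    not change this number; only slowing the spray below `min_users` per
    window does, which also slows the attacker."""
    fails = sorted(e for e in events if e[1] == "FAIL")
    hits = []
    i = 0
    while i < len(fails):
        start = fails[i][0]
        users, sources = set(), set()
        j = i
        while j < len(fails) and fails[j][0] - start <= window:
            users.add(fails[j][2])
            sources.add(fails[j][3])
            j += 1
        if len(users) >= min_users:
            hits.append({"start": start, "users": len(users), "sources": len(sources)})
            i = j  # report the burst once and continue after it
        else:
            i += 1
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("max failures from any single IP:", max(failures_per_source(evs).values()))
    for hit in spray_windows(evs):
        print(f"spray: {hit['users']} accounts from {hit['sources']} IPs "
              f"starting {hit['start']:%H:%M:%SZ}")
```

    On the sample, no single address fails more than twice (the legitimate typo), so a per-IP rule at any sensible threshold stays silent, while the window rule reports seven accounts hit from seven addresses within a minute. Tune `window` and `min_users` to the tenant's normal failure rate; the point of the design is that the aggregation key is the target population, not the attacker's infrastructure.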

    Spearphishing

    GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient. 

    Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:

    • Webhook[.]site
    • FrgeIO
    • InfinityFree
    • Dynu
    • Mocky
    • Pipedream
    • Mockbin[.]org

    The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].

    CVE Usage

    Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].

    Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE. 

    Post-Compromise TTPs

    After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].

    The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as in Figure 2: Example Active Directory Domain Services command:

    C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit

    Figure 2: Example Active Directory Domain Services command

    Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].

    Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]

    After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].
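    As an added example, not code from the advisory, the Python below applies three of the TTPs in this section to constructed Windows event records: the ntdsutil IFM export of Figure 2, log clearing via wevtutil together with the 1102 (Security) and 104 (System/Application) "log was cleared" audit events, and an invocation of Get-GPPPassword.py through an installed Python interpreter. The record shape (EventID, Computer, User, CommandLine) and every sample value are assumptions; the rules are plain substring and regex checks that port directly to a SIEM query or a Sigma rule. Note that 4688 only carries the command line when "Include command line in process creation events" is enabled alongside Audit Process Creation.

```python
# Added example: hunting for three post-compromise TTPs in Windows process
# creation (4688) and log-clear (1102/104) events. Not code from the advisory;
# record shape and sample values are constructed.
import json
import re

# Constructed events (JSON lines). Lines 2 and 4 are benign look-alikes that
# the rules must not flag: an ntdsutil query that does not export the
# database, and a wevtutil query rather than a clear.
SAMPLE_EVENTS_JSONL = r"""
{"EventID": 4688, "Computer": "DC01", "User": "CORP\\svc-backup", "CommandLine": "C:\\Windows\\system32\\ntdsutil.exe \"activate instance ntds\" ifm \"create full C:\\temp\\abc\" quit quit"}
{"EventID": 4688, "Computer": "DC01", "User": "CORP\\adm-jane", "CommandLine": "C:\\Windows\\system32\\ntdsutil.exe \"activate instance ntds\" \"ldap policies\" quit quit"}
{"EventID": 4688, "Computer": "WS07", "User": "CORP\\jdoe", "CommandLine": "wevtutil.exe cl Security"}
{"EventID": 4688, "Computer": "WS07", "User": "CORP\\jdoe", "CommandLine": "wevtutil.exe qe Security /c:5 /rd:true"}
{"EventID": 1102, "Computer": "WS07", "User": "CORP\\jdoe", "CommandLine": ""}
{"EventID": 4688, "Computer": "WS07", "User": "CORP\\jdoe", "CommandLine": "C:\\Python311\\python.exe Get-GPPPassword.py corp.local/jdoe@dc01.corp.local"}
"""


def load_events(jsonl):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _cmd(event):
    return (event.get("CommandLine") or "").lower()


def is_ntds_ifm_dump(event):
    """Figure 2: ntdsutil ... ifm "create full <dir>" writes a copy of NTDS.dit
    (T1003.003). Other ntdsutil uses (e.g. "ldap policies") do not match."""
    c = _cmd(event)
    return (event.get("EventID") == 4688 and "ntdsutil" in c
            and re.search(r"\bifm\b", c) is not None and "create full" in c)


def is_log_clear(event):
    """wevtutil cl / clear-log, or the audit event Windows itself writes when
    a log is cleared: 1102 (Security) and 104 (System/Application) (T1070.001)."""
    if event.get("EventID") in (1102, 104):
        return True
    c = _cmd(event)
    return (event.get("EventID") == 4688 and "wevtutil" in c
            and re.search(r"\b(cl|clear-log)\b", c) is not None)


def is_gpp_password_harvest(event):
    """Impacket's Get-GPPPassword.py (T1552.006) run from an installed
    Python interpreter, as described for this campaign."""
    return event.get("EventID") == 4688 and "get-gpppassword" in _cmd(event)


RULES = [
    ("T1003.003 NTDS.dit export via ntdsutil IFM", is_ntds_ifm_dump),
    ("T1070.001 Windows event log cleared", is_log_clear),
    ("T1552.006 Group Policy Preferences password retrieval", is_gpp_password_harvest),
]


def hunt(events):
    """Return one alert per (event, matching rule), in event order."""
    alerts = []
    for e in events:
        for name, check in RULES:
            if check(e):
                alerts.append({"rule": name, "host": e.get("Computer"), "user": e.get("User")})
    return alerts


if __name__ == "__main__":
    for a in hunt(load_events(SAMPLE_EVENTS_JSONL)):
        print(f"{a['host']:5} {a['user']:18} {a['rule']}")
```

    The two benign look-alikes are the reason the rules key on `ifm` plus `create full` and on the `cl`/`clear-log` verb rather than on the binary name alone; ntdsutil and wevtutil are both legitimate administration tools, and alerting on their mere presence drowns the real signal.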

    After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including: 

    • sender,
    • recipient,
    • train/plane/ship numbers,
    • point of departure,
    • destination,
    • container registration numbers,
    • travel route, and
    • cargo contents. 

    In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.

    Malware

    Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:

    • HEADLACE [7]
    • MASEPIE [8]

    While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggest that they could be deployed against logistics and IT entities should the need arise. 

    Persistence

    In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence. 

    Exfiltration

    GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure. 

    The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected. 
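    The mailbox-permission persistence described under Post-Compromise TTPs, and the long-running EWS collection it enables, leave a trail in Exchange admin-cmdlet auditing. The Python below is an added example, not code from the advisory or from the Polish Cybercommand blog it cites. The records are constructed in the Name/Value "Parameters" shape of Exchange admin audit entries (an assumption about the format), and treating grants to the Default and Anonymous principals as the highest-severity case is this example's own judgement about how read access to a folder is most quietly exposed. It separates read-capable rights from free/busy or contribute-only rights, which a naive "any permission change" rule does not.

```python
# Added example: auditing Exchange mailbox/folder permission grants of the kind
# used for persistent mail collection. Not code from the advisory or the blog
# it cites; record shape and sample values are constructed.
import json

# Folder roles and individual rights that allow reading items. Contributor,
# AvailabilityOnly and LimitedDetails do not, so they are not listed.
READ_CAPABLE = {"owner", "publishingeditor", "editor", "publishingauthor", "author",
                "noneditingauthor", "reviewer", "readitems", "fullaccess"}
# A grant to these exposes the folder to every authenticated (Default) or
# unauthenticated (Anonymous) principal; rated highest here (this example's choice).
SPECIAL_GRANTEES = {"default", "anonymous"}
PERMISSION_OPS = {"add-mailboxpermission", "add-mailboxfolderpermission",
                  "set-mailboxfolderpermission"}

# Constructed audit records. Record 1 is the quiet persistence case, record 3
# a full-access delegation, records 2 and 4 are benign look-alikes.
SAMPLE_RECORDS_JSON = r"""
[
 {"CreationTime": "2025-05-19T22:14:03", "Operation": "Add-MailboxFolderPermission", "UserId": "alice@corp.example",
  "Parameters": [{"Name": "Identity", "Value": "alice@corp.example:\\Inbox"}, {"Name": "User", "Value": "Default"}, {"Name": "AccessRights", "Value": "Reviewer"}]},
 {"CreationTime": "2025-05-19T22:15:10", "Operation": "Add-MailboxFolderPermission", "UserId": "alice@corp.example",
  "Parameters": [{"Name": "Identity", "Value": "alice@corp.example:\\Calendar"}, {"Name": "User", "Value": "Default"}, {"Name": "AccessRights", "Value": "AvailabilityOnly"}]},
 {"CreationTime": "2025-05-19T22:20:41", "Operation": "Add-MailboxPermission", "UserId": "alice@corp.example",
  "Parameters": [{"Name": "Identity", "Value": "alice@corp.example"}, {"Name": "User", "Value": "svc-backup@corp.example"}, {"Name": "AccessRights", "Value": "FullAccess"}]},
 {"CreationTime": "2025-05-19T22:25:00", "Operation": "Set-MailboxFolderPermission", "UserId": "alice@corp.example",
  "Parameters": [{"Name": "Identity", "Value": "alice@corp.example:\\Inbox"}, {"Name": "User", "Value": "bob@corp.example"}, {"Name": "AccessRights", "Value": "Contributor"}]},
 {"CreationTime": "2025-05-19T22:30:00", "Operation": "Set-Mailbox", "UserId": "admin@corp.example",
  "Parameters": [{"Name": "Identity", "Value": "alice@corp.example"}, {"Name": "ProhibitSendQuota", "Value": "50GB"}]}
]
"""


def load_records(text):
    return json.loads(text)


def params(record):
    return {p["Name"].lower(): p["Value"] for p in record.get("Parameters", [])}


def mailbox_owner(identity):
    """'alice@x:\\Inbox' -> 'alice@x'; a bare mailbox identity is returned as is."""
    return identity.split(":", 1)[0].strip().lower()


def rights_of(value):
    return {r.strip().lower() for r in value.split(",") if r.strip()}


def audit_permission_grants(records):
    findings = []
    for rec in records:
        if rec.get("Operation", "").lower() not in PERMISSION_OPS:
            continue
        p = params(rec)
        rights = rights_of(p.get("accessrights", ""))
        if not rights & READ_CAPABLE:
            continue  # free/busy or contribute-only: cannot read mail
        owner = mailbox_owner(p.get("identity", ""))
        grantee = p.get("user", "").strip().lower()
        if grantee in SPECIAL_GRANTEES:
            severity, why = "high", "read access opened to Default/Anonymous"
        elif grantee and grantee != owner:
            severity, why = "review", "read access delegated to another principal"
        else:
            continue
        actor = (rec.get("UserId") or "").lower()
        findings.append({"when": rec.get("CreationTime"), "actor": actor, "mailbox": owner,
                         "grantee": grantee, "rights": sorted(rights), "severity": severity,
                         "why": why, "self_grant": actor == owner})
    return findings


if __name__ == "__main__":
    for f in audit_permission_grants(load_records(SAMPLE_RECORDS_JSON)):
        print(f"{f['severity']:6} {f['when']} {f['mailbox']} -> {f['grantee']} "
              f"{f['rights']} (self-grant: {f['self_grant']}) {f['why']}")
```

    The `self_grant` flag records that the mailbox owner's own session made the change, which is exactly what a compromised account looks like; a grant made by an administrator from a ticketed change is the case to allowlist, not the case to ignore.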

    Connections to Targeting of IP Cameras

    In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams. 

    The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 1
    Authorization: Basic
    User-Agent: WebClient
    Accept: application/sdp

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 2
    Authorization: Digest username="admin", realm="[a-f0-9]{12}", algorithm="MD5", nonce="[a-f0-9]{32}", uri="", response="[a-f0-9]{32}"
    User-Agent: WebClient
    Accept: application/sdp

    Figure 3: Example RTSP request

    Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration. 
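    To show what the probe in Figure 3 looks like to a parser, here is an added Python example that is not part of the advisory. It splits raw RTSP DESCRIBE requests into request line and headers, decodes Basic credentials, parses Digest parameters, and flags two things: factory-default credential pairs, and Digest attempts whose `uri` field is empty. A real RTSP client fills `uri` with the stream URL it is requesting, so the empty value in Figure 3 reads as a generic probe rather than a player; that inference is made here and is not a statement in the advisory. The request text, the 192.0.2.10 address, the admin:admin Basic credential, the Digest placeholder values and the default-credential list are all constructed.

```python
# Added example: parsing RTSP DESCRIBE probes like Figure 3 and triaging the
# credentials they carry. Not code from the advisory; sample data constructed.
import base64
import re

# Small illustrative factory-default list (constructed; a real list is longer).
DEFAULT_CREDS = {("admin", "admin"), ("admin", ""), ("admin", "12345"),
                 ("admin", "123456"), ("root", "root"), ("root", "12345")}

# Two requests modelled on Figure 3. 192.0.2.10 is a documentation address,
# "YWRtaW46YWRtaW4=" is base64("admin:admin"), and the Digest realm/nonce/
# response values are placeholder hex of the lengths shown in the figure.
SAMPLE_REQUESTS = (
    "DESCRIBE rtsp://192.0.2.10/ RTSP/1.0\r\n"
    "CSeq: 1\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    "User-Agent: WebClient\r\n"
    "Accept: application/sdp\r\n"
    "\r\n"
    "DESCRIBE rtsp://192.0.2.10/ RTSP/1.0\r\n"
    "CSeq: 2\r\n"
    'Authorization: Digest username="admin", realm="0123456789ab", algorithm="MD5", '
    'nonce="0123456789abcdef0123456789abcdef", uri="", '
    'response="00112233445566778899aabbccddeeff"\r\n'
    "User-Agent: WebClient\r\n"
    "Accept: application/sdp\r\n"
    "\r\n"
)


def _parse_digest(params):
    """key="value" pairs of a Digest challenge response, keys lower-cased."""
    return {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', params)}


def parse_authorization(value):
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() == "basic":
        if not rest:  # Figure 3 shows the value redacted; treat as unknown
            return {"scheme": "Basic", "username": None, "password": None}
        try:
            decoded = base64.b64decode(rest, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError
            return {"scheme": "Basic", "username": None, "password": None, "malformed": True}
        user, _, pw = decoded.partition(":")
        return {"scheme": "Basic", "username": user, "password": pw}
    if scheme.lower() == "digest":
        p = _parse_digest(rest)
        return {"scheme": "Digest", "username": p.get("username"), "params": p}
    return {"scheme": scheme, "raw": rest}


def parse_rtsp_requests(raw):
    """Split a CRLF-delimited capture into requests; headers keyed lower-case."""
    requests = []
    for chunk in raw.split("\r\n\r\n"):
        if not chunk.strip():
            continue
        lines = chunk.split("\r\n")
        method, url, version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, val = line.partition(":")
            headers[name.strip().lower()] = val.strip()
        auth = headers.get("authorization")
        requests.append({
            "method": method, "url": url, "version": version,
            "cseq": int(headers.get("cseq") or 0),
            "user_agent": headers.get("user-agent"),
            "auth": parse_authorization(auth) if auth else None,
        })
    return requests


def triage(requests, defaults=DEFAULT_CREDS):
    """Flag DESCRIBE requests that look like credential probing."""
    findings = []
    for r in requests:
        a = r["auth"]
        if r["method"] != "DESCRIBE" or not a:
            continue
        if a["scheme"] == "Basic" and a["username"] is not None:
            if (a["username"], a["password"]) in defaults:
                findings.append({"cseq": r["cseq"], "user": a["username"],
                                 "why": "Basic auth with factory-default credential pair"})
        elif a["scheme"] == "Digest" and a["params"].get("uri") == "":
            findings.append({"cseq": r["cseq"], "user": a["username"],
                             "why": "Digest auth with empty uri (generic probe, not a stream request)"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_rtsp_requests(SAMPLE_REQUESTS)):
        print(f"CSeq {f['cseq']}: user={f['user']!r} {f['why']}")
```

    Basic credentials are recoverable from the wire, which is why the first request is the one that yields a password to check against a default list; the Digest request only exposes the username and the shape of the attempt. Both are enough to decide that the camera should not be reachable from the Internet at all, which is the mitigation that matters more than any credential change.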

    From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:

    Table 1: Geographic distribution of targeted IP cameras

    Country    Percentage of total attempts
    Ukraine    81.0%
    Romania     9.9%
    Poland      4.0%
    Hungary     2.8%
    Slovakia    1.7%
    Others      0.6%

    Mitigation Actions

    General Security Mitigations

    Architecture and Configuration

    • Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
      • Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
    • Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
    • Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
    • For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
    • Utilize endpoint detection and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data such as mail servers and domain controllers [D3-PM] first.
      • Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
    • Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
    • Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
      • Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
      • Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
      • Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
      • Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode [D3-ACH].
    • Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
    • Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
    • Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
    • Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
    • Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.

    Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].


    Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
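An added example (not part of the advisory) of the first-seen-subdomain heuristic described above, in Python: it refangs a few providers from the advisory's list, scans constructed DNS query log lines, and reports each watched subdomain the first time any client resolves it, carrying its seen-set between log batches.

```python
import re
from collections import defaultdict

# Providers taken from the advisory's list (kept defanged as written there).
WATCHED_PROVIDERS = ["webhook[.]site", "mocky[.]io", "ngrok[.]io",
                     "ddnsfree[.]com", "infinityfreeapp[.]com", "pipedream[.]net"]


def refang(domain):
    """Turn a defanged name such as webhook[.]site into a comparable FQDN."""
    return domain.replace("[.]", ".").lower().rstrip(".")


WATCHLIST = tuple(refang(d) for d in WATCHED_PROVIDERS)

# Constructed DNS query log: timestamp, client, query name, query type.
SAMPLE_DNS_LOG = """\
2024-07-02T08:01:13Z 10.20.0.15 www.example.org A
2024-07-02T08:03:40Z 10.20.0.15 a1b2c3d4.webhook.site A
2024-07-02T08:03:41Z 10.20.0.15 a1b2c3d4.webhook.site AAAA
2024-07-02T09:15:02Z 10.20.0.33 xq7lp.mocky.io A
2024-07-02T09:15:05Z 10.20.0.33 cdn.example.net A
2024-07-02T10:22:19Z 10.20.0.15 ddnsfree.com.internal.example.org A
2024-07-03T07:00:00Z 10.20.0.48 e5f6g7h8.webhook.site A
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+)$")


def watched_provider(qname):
    """Return the watched provider qname belongs to, or None.

    Matches only on a label boundary, so ddnsfree.com.internal.example.org
    is not mistaken for a ddnsfree.com host.
    """
    q = qname.lower().rstrip(".")
    for provider in WATCHLIST:
        if q == provider or q.endswith("." + provider):
            return provider
    return None


def first_seen_subdomains(log_text, known=None):
    """Return (ts, client, qname, provider) the first time each watched
    subdomain appears. `known` is a set of names already seen in earlier
    runs; it is updated in place so state carries across log batches."""
    seen = known if known is not None else set()
    alerts = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            continue
        qname = m["qname"].lower().rstrip(".")
        provider = watched_provider(qname)
        if provider is None or qname in seen:
            continue
        seen.add(qname)
        alerts.append((m["ts"], m["client"], qname, provider))
    return alerts


def clients_by_provider(alerts):
    """Group alerting clients per provider to spot new targeting and victims."""
    grouped = defaultdict(set)
    for _ts, client, _qname, provider in alerts:
        grouped[provider].add(client)
    return {p: sorted(c) for p, c in grouped.items()}
```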

    Identity and Access Management

    Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques: 

    • Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
    • Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
    • Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
    • Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
      • For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
    • Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
    • Use account throttling or account lockout [D3-ANET]:
      • Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
      • Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
      • Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
      • If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
    • Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
    • Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]

    IP Camera Mitigations

    The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:

    • Ensure IP cameras are currently supported. Replace devices that are out of support.
    • Apply security patches and firmware updates to all IP cameras [D3-SU].
    • Disable remote access to the IP camera, if unnecessary [D3-ITF].
    • Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
    • If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
    • Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
    • Turn off other ports/services not in use (e.g., FTP, web interface, etc.) [D3-ACH].
    • If supported, enable authenticated RTSP access only [D3-AA].
    • Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
    • Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
    • Configure, tune, and monitor logging—if available—on the IP camera.

    Indicators of Compromise (IOCs)

    Note: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when triaging logs or developing detection rules based on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.

    Utilities and scripts

    Legitimate utilities

    Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:

    • ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
    • wevtutil – A legitimate Windows executable used by threat actors to delete event logs
    • vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
    • ADexplorer – A legitimate Windows executable to view, edit, and backup Active Directory Certificate Services
    • OpenSSH – The Windows version of a legitimate open source SSH client
    • schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
    • whoami – A legitimate Windows executable used to retrieve the name of the current user
    • tasklist – A legitimate Windows executable used to retrieve the list of running processes
    • hostname – A legitimate Windows executable used to retrieve the device name
    • arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
    • systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
    • net – A legitimate Windows executable used to retrieve detailed user information
    • wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
    • cacls – A legitimate Windows executable used to modify permissions on files
    • icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
    • ssh – A legitimate Windows executable used to establish network shell connections
    • reg – A legitimate Windows executable used to add to or modify the system registry 

    Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.

    Malicious scripts

    • Certipy – An open source Python tool for enumerating and abusing Active Directory Certificate Services
    • Get-GPPPassword.py – An open source Python script for finding insecure passwords stored in Group Policy Preferences
    • ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
    • Hikvision backdoor string: "YWRtaW46MTEK"

    Suspicious command lines

    While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:

    • edge.exe "-headless-new -disable-gpu"
    • ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
    • ssh -Nf
    • schtasks /create /xml
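An added Python example (not from the advisory) that turns the command lines above into detection rules and runs them over constructed process-creation events, with an exception list for accounts whose use of a tool is routine, as the living-off-the-land note above recommends. The wevtutil rule is an assumption beyond this list: it matches that utility's documented clear-log verb, since the advisory names only the utility.

```python
import re

# Constructed process-creation events (EDR/Sysmon style, already parsed).
SAMPLE_EVENTS = [
    {"ts": "2024-08-01T02:11:03Z", "host": "DC01", "user": r"CORP\jdoe",
     "cmdline": r'ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\abc" quit quit'},
    {"ts": "2024-08-01T02:14:40Z", "host": "DC01", "user": r"CORP\jdoe",
     "cmdline": r"schtasks /create /xml C:\ProgramData\upd.xml /tn Updater"},
    {"ts": "2024-08-01T02:20:12Z", "host": "WS042", "user": r"CORP\jdoe",
     "cmdline": "ssh.exe -Nf relay@203.0.113.10"},
    {"ts": "2024-08-01T02:25:55Z", "host": "WS042", "user": r"CORP\jdoe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --disable-gpu C:\ProgramData\x.html'},
    {"ts": "2024-08-01T03:00:00Z", "host": "DC01", "user": r"CORP\jdoe",
     "cmdline": "wevtutil cl Security"},
    {"ts": "2024-08-01T08:30:00Z", "host": "WS042", "user": r"CORP\jdoe",
     "cmdline": "schtasks /query /tn Updater"},
    {"ts": "2024-08-01T09:00:00Z", "host": "WS077", "user": r"CORP\sccm_svc",
     "cmdline": r"schtasks /create /xml C:\Windows\Temp\ccm_task.xml /tn CCM"},
]

# Each rule: name, and regexes that must all match the command line.
# The first four follow the advisory's suspicious command lines; the
# wevtutil entry (assumption) uses that utility's clear-log verb.
RULES = {
    "edge_headless": [r"(?:ms)?edge\.exe", r"-{1,2}headless", r"-{1,2}disable-gpu"],
    "ntdsutil_ifm_dump": [r"ntdsutil", r"activate instance ntds", r"\bifm\b", r"create full"],
    "ssh_background_nf": [r"(?:^|[\\\s\"])ssh(?:\.exe)?\b", r"\s-(?:Nf|fN)(?:\s|$)"],
    "schtasks_xml": [r"schtasks", r"/create\b", r"/xml\b"],
    "wevtutil_clear_log": [r"wevtutil", r"\s(?:cl|clear-log)\s"],
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in RULES.items()}


def matching_rules(cmdline):
    """Return the names of all rules whose patterns all match cmdline."""
    return [name for name, pats in COMPILED.items()
            if all(p.search(cmdline) for p in pats)]


def scan(events, exceptions=frozenset()):
    """Apply the rules to process events.

    exceptions holds (rule, user) pairs known to be routine in this
    environment; matches for them are counted but not alerted, which is
    the kind of heuristic the LOTL note above asks for. Returns
    (hits, suppressed_count), hits being (ts, host, user, rule) tuples.
    """
    hits, suppressed = [], 0
    for ev in events:
        for rule in matching_rules(ev["cmdline"]):
            if (rule, ev["user"]) in exceptions:
                suppressed += 1
                continue
            hits.append((ev["ts"], ev["host"], ev["user"], rule))
    return hits, suppressed
```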

    Outlook CVE Exploitation IOCs


    Commonly Used Webmail Providers

    • portugalmail[.]pt
    • mail-online[.]dk
    • email[.]cz
    • seznam[.]cz

    Malicious Archive Filenames Involving CVE-2023-38831

    • calc.war.zip
    • news_week_6.zip
    • Roadmap.zip
    • SEDE-PV-2023-10-09-1_EN.zip
    • war.zip
    • Zeyilname.zip

    Brute Forcing IP Addresses

    Disclaimer: These IP addresses date from June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.


    Detections

    Customized NTLM listener

    rule APT28_NTLM_LISTENER {
        meta:
            description = "Detects NTLM listeners including APT28's custom one"
        strings:
            $command_1 = "start-process powershell.exe -WindowStyle hidden"
            $command_2 = "New-Object System.Net.HttpListener"
            $command_3 = "Prefixes.Add('http://localhost:8080/')"
            $command_4 = "-match 'Authorization'"
            $command_5 = "GetValues('Authorization')"
            $command_6 = "Request.RemoteEndPoint.Address.IPAddressToString"
            $command_7 = "@(0x4e,0x54,0x4c,0x4d, 0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x28,0x00,0x00,0x01,0x82,0x00,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)"
            $command_8 = ".AllKeys"

            $variable_1 = "$NTLMAuthentication" nocase
            $variable_2 = "$NTLMType2" nocase
            $variable_3 = "$listener" nocase
            $variable_4 = "$hostip" nocase
            $variable_5 = "$request" nocase
            $variable_6 = "$ntlmt2" nocase
            $variable_7 = "$NTLMType2Response" nocase
            $variable_8 = "$buffer" nocase
        condition:
            5 of ($command_*)
            or
            all of ($variable_*)
    }

    HEADLACE shortcut

    rule APT28_HEADLACE_SHORTCUT {
        meta:
            description = "Detects the HEADLACE backdoor shortcut dropper. Rule is meant for threat hunting."
        strings:
            $type = "[InternetShortcut]" ascii nocase
            $url  = "file://"
            $edge = "msedge.exe"
            $icon = "IconFile"
        condition:
            all of them
    }

    HEADLACE credential dialogbox phishing 

    rule APT28_HEADLACE_CREDENTIALDIALOG {
        meta:
            description = "Detects scripts used by APT28 to lure user into entering credentials"
        strings:
            $command_1 = "while($true)"
            $command_2 = "Get-Credential $(whoami)"
            $command_3 = "Add-Content"
            $command_4 = ".UserName"
            $command_5 = ".GetNetworkCredential().Password"
            $command_6 = "GetNetworkCredential().Password.Length -ne 0"
        condition:
            5 of them
    }

    HEADLACE core script

    rule APT28_HEADLACE_CORE {
        meta:
            description = "Detects HEADLACE core batch scripts"
        strings:
            $chcp = "chcp 65001" ascii
            $headless = "start \"\" msedge --headless=new --disable-gpu" ascii

            $command_1 = "taskkill /im msedge.exe /f" ascii
            $command_2 = "whoami>\"%programdata%" ascii
            $command_3 = "timeout" ascii
            $command_4 = "copy \"%programdata%" ascii
            $non_generic_del_1 = "del /q /f \"%programdata%" ascii
            $non_generic_del_3 = "del /q /f \"%userprofile%\\Downloads" ascii

            $generic_del = "del /q /f" ascii
        condition:
            (
                $chcp
                and
                $headless
            )
            and
            (
                1 of ($non_generic_del_*)
                or
                ($generic_del)
                or
                3 of ($command_*)
            )
    }

    MASEPIE

    rule APT28_MASEPIE {
        meta:
            description = "Detects MASEPIE python script"
        strings:
            $masepie_unique_1 = "os.popen('whoami').read()"
            $masepie_unique_2 = "elif message == 'check'"
            $masepie_unique_3 = "elif message == 'send_file':"
            $masepie_unique_4 = "elif message == 'get_file'"
            $masepie_unique_5 = "enc_mes('ok'"
            $masepie_unique_6 = "Bad command!'.encode('ascii'"
            $masepie_unique_7 = "{user}{SEPARATOR}{k}"
            $masepie_unique_8 = "raise Exception(\"Reconnect"
        condition:
            3 of ($masepie_unique_*)
    }

    STEELHOOK

    rule APT28_STEELHOOK {
        meta:
            description = "Detects APT28's STEELHOOK powershell script"
        strings:
            // Chromium "Local State" (holds the DPAPI-protected key) and "Login Data" paths for Chrome and Edge
            $s_1 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State)"
            $s_2 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data)"
            $s_3 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Local State)"
            $s_4 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\Login Data)"
            $s_5 = "os_crypt.encrypted_key"
            $s_6 = "System.Security.Cryptography.DataProtectionScope"
            $s_7 = "[system.security.cryptography.protectdata]::Unprotect"
            $s_8 = "Invoke-RestMethod"
        condition:
            all of them
    }

    PSEXEC

    rule GENERIC_PSEXEC {
        meta:
            description = "Detects SysInternals PSEXEC executable"
        strings:
            $sysinternals_1 = "SYSINTERNALS SOFTWARE LICENCE TERMS"
            $sysinternals_2 = "/accepteula"
            $sysinternals_3 = "Software\\Sysinternals"
            $network_1 = "\\\\%s\\IPC$"
            $network_2 = "\\\\%s\\ADMIN$\\%s"
            $network_3 = "\\Device\\LanmanRedirector\\%s\\ipc$"
            $psexec_1 = "PSEXESVC"
            $psexec_2 = "PSEXEC-{}-"
            $psexec_3 = "Copying %s to %s..."
            $psexec_4 = "gPSINFSVC"
        condition:
            // MZ header at offset 0 and PE signature at e_lfanew
            (
                ( uint16(0x0) == 0x5a4d )
                and
                ( uint16(uint32(0x3c)) == 0x4550 )
            )
            and
                filesize < 1024KB
            and
            (
                ( any of ($sysinternals_*) and any of ($psexec_*) )
                or
                ( 2 of ($network_*) and 2 of ($psexec_*) )
            )
    }

    The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all encompassing, the following are the most notable threat group names related under MITRE ATT&CK G0007 and commonly used within the cybersecurity community: 

    • APT28 [14]
    • Fancy Bear [14]
    • Forest Blizzard [14]
    • Blue Delta [15]

    Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.

    Further Reference

    To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc. 

    For the Impacket TTP, network defenders may consider using the following publicly available Impacket YARA detection rule:
    https://github.com/Neo23x0/signature-base/blob/master/yara/gen_impacket_tools.yar

    Works Cited

    [1] Microsoft. Defending Ukraine: Early Lessons from the Cyber War. 2022. https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/  
    [2] FBI et al. Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations. 2024. https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF   
    [3] NSA et al. Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 2021. https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF 
    [4] ANSSI. Campagnes d'attaques du mode opératoire APT28 depuis 2021. 2023. https://cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/  
    [5] ANSSI. Targeting and compromise of french entities using the APT28 intrusion set. 2025. https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/   
    [6] Polish Cyber Command. Detecting Malicious Activity Against Microsoft Exchange Servers. 2023. https://www.wojsko-polskie.pl/woc/articles/aktualnosci-w/detecting-malicious-activity-against-microsoft-exchange-servers/ 
    [7] IBM. Israel-Hamas Conflict Lures to Deliver Headlace Malware. 2023. https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/ 
    [8] CERT-UA. APT28: From Initial Attack to Creating Domain Controller Threats in an Hour. 2023. https://cert.gov.ua/article/6276894 
    [9] NSA. Embracing a Zero Trust Security Model. 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF  
    [10] NSA et al. Keeping PowerShell: Security Measures to Use and Embrace. 2022. https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF 
    [11] National Institute of Standards and Technology (NIST). Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. 2020. https://pages.nist.gov/800-63-3/sp800-63b.html 
    [12] NSA. Selecting Secure Multi-factor Authentication Solutions. October 16, 2020. https://media.defense.gov/2024/Jul/31/2003515137/-1/-1/0/MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF  
    [13] NSA and CISA. NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. 2023. https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF
    [14] Department of Justice. Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). 2024. https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
    [15] Recorded Future. GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns. 2024. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf

    Disclaimer of endorsement

    The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

    Purpose

    This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

    Contact

    United States organizations

    • National Security Agency (NSA)
    • Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
      • U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
    • Department of Defense Cyber Crime Center (DC3)

    United Kingdom organizations

    Germany organizations

    Czech Republic organizations

    Poland organizations

    Australian organizations

    • Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

    Canadian organizations

    Estonia organizations

    French organizations

    • French organizations are encouraged to report suspicious activity or incident related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at: 3218 or +33 9 70 83 32 18. 

    See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.

    Table 2: Reconnaissance
    Tactic/Technique Title ID Use
    Reconnaissance TA0043 Conducted reconnaissance on at least one entity involved in the production of ICS components for railway management.
    Gather Victim Identity Information: Email Addresses T1589.002 Conducted contact information reconnaissance to identify additional targets in key positions.
    Gather Victim Org Information T1591 Conducted reconnaissance of the cybersecurity department.
    Gather Victim Org Information: Identify Roles T1591.004 Conducted reconnaissance of individuals responsible for coordinating transport.
    Gather Victim Org Information: Business Relationships T1591.002 Conducted reconnaissance of other companies cooperating with the victim entity.
    Gather Victim Host Information T1592 Attempted to enumerate Real Time Streaming Protocol (RTSP) servers hosting IP cameras.
    Table 3: Resource development
    Tactic/Technique Title ID Use
    Compromise Accounts: Email Accounts T1586.002 Sent phishing emails using compromised accounts.
    Compromise Accounts: Cloud Accounts T1586.003 Sent phishing emails using compromised accounts.
    Table 4: Initial Access
    Tactic/Technique Title ID Use
    Trusted Relationship T1199 Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
    Phishing T1566 Used spearphishing for credentials and delivering malware to gain initial access to targeted entities.
    Phishing: Spearphishing Attachment T1566.001 Sent emails with malicious attachments.
    Phishing: Spearphishing Link T1566.002 Used spearphishing with included links to fake login pages. Sent emails with embedded hyperlinks that downloaded a malicious archive.
    Phishing: Spearphishing Voice T1566.004 Attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff.
    External Remote Services T1133 Exploited Internet-facing infrastructure, including corporate VPNs, to gain initial access to targeted entities.
    Exploit Public-Facing Application T1190 Exploited public vulnerabilities and SQL injection to gain initial access to targeted entities.
    Content Injection T1659 Leveraged a WinRAR vulnerability allowing for the execution of arbitrary code embedded in an archive.
    Table 5: Execution
    Tactic/Technique Title ID Use
    User Execution: Malicious Link T1204.001 Used malicious links to hosted shortcuts in spearphishing.
    User Execution: Malicious File T1204.002 Delivered malware executables via spearphishing.
    Scheduled Task/Job: Scheduled Task T1053.005 Used scheduled tasks to establish persistence.
    Command and Scripting Interpreter T1059 Delivered scripts in spearphishing. Executed arbitrary shell commands.
    Command and Scripting Interpreter: PowerShell T1059.001 PowerShell commands were often used to prepare data for exfiltration.
    Command and Scripting Interpreter: Windows Command Shell T1059.003 Used BAT script in spearphishing.
    Command and Scripting Interpreter: Visual Basic T1059.005 Used VBScript in spearphishing.
    Command and Scripting Interpreter: Python T1059.006 Installed Python on infected machines to enable the execution of Certipy.
    Table 6: Persistence
    Tactic/Technique Title ID Use
    Account Manipulation: Additional Email Delegate Permissions T1098.002 Used manipulation of mailbox permissions to establish sustained email collection.
    Modify Authentication Process: Multi-Factor Authentication T1556.006 Enrolled compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access.
    Hijack Execution Flow: DLL Search Order Hijacking T1574.001 Used DLL search order hijacking to facilitate malware execution.
    Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 Used run keys to establish persistence.
    Boot or Logon Autostart Execution: Shortcut Modification T1547.009 Placed malicious shortcuts in the startup folder to establish persistence.
    Table 7: Defense Evasion
    Tactic/Technique Title ID Use
    Indicator Removal: Clear Windows Event Logs T1070.001 Deleted event logs through the wevtutil utility.
    Table 8: Credential Access
    Tactic/Technique Title  ID  Use
    Brute Force  -  Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and were likely generic attempts to brute force access to the devices.
    Brute Force: Password Guessing  T1110.001  Used credential guessing to gain initial access to targeted entities.
    Brute Force: Password Spraying  T1110.003  Used brute force to gain initial access to targeted entities. Conducted a brute force password spray via LDAP.
    Multi-Factor Authentication Interception  -  Used multi-stage redirectors to provide MFA relaying capabilities in some campaigns.
    Input Capture  -  Used multi-stage redirectors to provide CAPTCHA relaying capabilities in some campaigns.
    Forced Authentication  -  Used an Outlook NTLM vulnerability to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations.
    OS Credential Dumping: NTDS  T1003.003  Attempted to dump Active Directory NTDS.dit domain databases.
    Unsecured Credentials: Group Policy Preferences  T1552.006  Retrieved plaintext passwords via Group Policy Preferences using Get-GPPPassword.py.
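Table 8 lists both password guessing and an LDAP password spray. The Python below is an added example, not code from the advisory or its authors; it separates the two shapes in failed-authentication records: one source touching many distinct accounts a few times each (spraying, which stays under per-account lockout thresholds) versus one source hammering a single account (guessing). The record layout (time, source_ip, account), the thresholds, and the sample failures are all assumptions constructed for the example.

```python
"""Detect password spraying (T1110.003) and password guessing (T1110.001)
in failed-authentication records.

Added example for this appendix; it is not code from the advisory or its
authors. It assumes one dict per failed logon, in the shape a SIEM would emit
for Windows 4625/4771 events or LDAP bind failures; all sample data is
constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def detect_brute_force(records, window=timedelta(minutes=30),
                       spray_min_accounts=10, spray_max_per_account=3,
                       guess_min_failures=20):
    """Return findings keyed on the source address.

    Spraying: one source fails against many distinct accounts inside `window`
    while trying each account only a few times. Guessing: one source hammers
    one account. Both are judged per source over a sliding time window, which
    is the view that per-account lockout counters do not give you.
    """
    by_source = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_source[r["source_ip"]].append(
            (datetime.fromisoformat(r["time"]), r["account"].lower()))

    findings = []
    for ip, evs in by_source.items():
        best_spray = None   # (distinct accounts, first, last)
        best_guess = None   # (failures, account, first, last)
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window
                start += 1
            counts = Counter(acct for _, acct in evs[start:end + 1])
            first, last = evs[start][0], evs[end][0]
            if len(counts) >= spray_min_accounts and max(counts.values()) <= spray_max_per_account:
                if best_spray is None or len(counts) > best_spray[0]:
                    best_spray = (len(counts), first, last)
            acct, n = counts.most_common(1)[0]
            if n >= guess_min_failures and (best_guess is None or n > best_guess[0]):
                best_guess = (n, acct, first, last)
        if best_spray:
            findings.append({"source_ip": ip, "technique": "T1110.003", "name": "password spraying",
                             "accounts": best_spray[0],
                             "first": best_spray[1].isoformat(), "last": best_spray[2].isoformat()})
        if best_guess:
            findings.append({"source_ip": ip, "technique": "T1110.001", "name": "password guessing",
                             "account": best_guess[1], "failures": best_guess[0],
                             "first": best_guess[2].isoformat(), "last": best_guess[3].isoformat()})
    return findings


def constructed_failures():
    """Constructed sample of failed logons (not data from the advisory)."""
    base = datetime(2025, 5, 1, 2, 0, 0)
    recs = []
    # Spray: 12 accounts, one attempt each, one external source, over 11 minutes.
    for i in range(12):
        recs.append({"time": (base + timedelta(minutes=i)).isoformat(),
                     "source_ip": "203.0.113.7", "account": f"user{i:02d}"})
    # Guessing: one account hit 25 times in four minutes from another source.
    for i in range(25):
        recs.append({"time": (base + timedelta(seconds=10 * i)).isoformat(),
                     "source_ip": "198.51.100.9", "account": "Administrator"})
    # Benign: a user mistypes a password twice, hours later.
    for i in range(2):
        recs.append({"time": (base + timedelta(hours=6, minutes=i)).isoformat(),
                     "source_ip": "10.0.0.5", "account": "alice"})
    return recs


SAMPLE_FAILURES = constructed_failures()

if __name__ == "__main__":
    for f in detect_brute_force(SAMPLE_FAILURES):
        print(f)
```

The thresholds are tuning parameters, not values from the advisory: a spray that rotates source addresses through a proxy pool (Table 10 notes SOHO devices and VPNs were used for exactly this) will fall below the per-source count, so the same logic is worth running keyed on other stable attributes, such as user-agent string or the authentication protocol and endpoint used.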

    Table 9: Discovery
    Tactic/Technique Title  ID  Use
    Account Discovery: Domain Account  T1087.002  Used a modified ldap-dump.py to enumerate the Windows environment.

    Table 10: Command and Control
    Tactic/Technique Title  ID  Use
    Hide Infrastructure  T1665  Abused SOHO devices to facilitate covert cyber operations, as well as to proxy malicious activity, via devices geolocated in proximity to the target.
    Proxy: External Proxy  T1090.002  Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers.
    Proxy: Multi-hop Proxy  T1090.003  Used Tor and commercial VPNs as part of their anonymization infrastructure.
    Encrypted Channel  T1573  Connected to victim infrastructure using encrypted TLS.
    Multi-Stage Channels  T1104  Used multi-stage redirectors for campaigns.

    Table 11: Defense Evasion (mobile framework)
    Tactic/Technique Title  ID  Use
    Execution Guardrails  -  Used multi-stage redirectors to verify browser fingerprints in some campaigns.
    Execution Guardrails: Geofencing  T1627.001  Used multi-stage redirectors to verify IP geolocation in some campaigns.

    Table 12: Lateral Movement
    Tactic/Technique Title  ID  Use
    Lateral Movement  -  Used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment.
    Remote Services: Remote Desktop Protocol  T1021.001  Moved laterally within the network using RDP.

    Table 13: Collection
    Tactic/Technique Title  ID  Use
    Email Collection  -  Retrieved sensitive data from email servers.
    Email Collection: Remote Email Collection  T1114.002  Used server data exchange protocols and APIs such as Exchange Web Services (EWS) and IMAP to exfiltrate data from email servers.
    Automated Collection  -  Used periodic EWS queries to collect new emails.
    Video Capture  -  Attempted to gain access to the cameras’ feeds.
    Archive Collected Data  -  Archived accessed files in .zip files prior to exfiltration.
    Archive Collected Data: Archive via Utility  T1560.001  Prepared zip archives for upload to the actors’ infrastructure.

    Table 14: Exfiltration
    Tactic/Technique Title  ID  Use
    Exfiltration Over Alternative Protocol  -  Attempted to exfiltrate archived data via a previously dropped OpenSSH binary.
    Scheduled Transfer  -  Used periodic EWS queries to collect new emails sent and received since the last data exfiltration.

    Appendix B: CVEs exploited

    Table 15: Exploited CVE information
    CVE  Vendor/Product  Details
    CVE-2023-38831  RARLAB WinRAR  Allows execution of arbitrary code when a user attempts to view a benign file within a ZIP archive.
    CVE-2023-23397  Microsoft Outlook  External actors could send specially crafted emails that cause a connection from the victim to an untrusted location under the actor’s control, leaking the victim’s Net-NTLMv2 hash, which the actor could then relay to another service to authenticate as the victim.
    CVE-2021-44026  Roundcube Webmail  Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search params.
    CVE-2020-35730  Roundcube Webmail  An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php.
    CVE-2020-12641  Roundcube Webmail  Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.

    Appendix C: MITRE D3FEND Countermeasures

    Table 16: MITRE D3FEND countermeasures
    Countermeasure Title  ID  Details
    Network Isolation  -  Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers.
    Access Mediation  -  Limit access and use additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access.
    Inbound Traffic Filtering  -  Implement host firewall rules that block connections from other devices on the network, except from authorized management devices and servers, to prevent lateral movement.
    Resource Access Pattern Analysis  -  Use automated tools to audit access logs for security concerns and identify anomalous access requests.
    Outbound Traffic Filtering  -  Block NTLM/SMB requests to external infrastructure.
    Platform Monitoring  -  Install EDR/logging/cybersecurity solutions on high-value systems with large amounts of sensitive data, such as mail servers and domain controllers.
    System File Analysis  -  Collect and monitor Windows logs for certain events, especially events that indicate a log was cleared unexpectedly.
    Application Hardening  -  Enable optional security features in Windows to harden endpoints and mitigate initial access techniques.
    Application-based Process Isolation  -  Enable attack surface reduction rules to prevent executable content from email.
    Executable Allowlisting  -  Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA%.
    Execution Isolation  -  Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts.
    Application Configuration Hardening  -  Disable Windows Script Host functionality and configure PowerShell to run in Constrained Language mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.).
    Process Spawn Analysis  -  Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters.
    URL Reputation Analysis  -  Use services that provide enhanced browsing protection and safe link checking.
    Network Access Mediation  -  Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible.
    DNS Denylisting  D3-DNSDL  Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors.
    Domain Name Reputation Analysis  -  Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each subdomain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
    Multi-factor Authentication  -  Use MFA with strong factors and require regular re-authentication, especially for management accounts.
    Job Function Access Pattern Analysis  D3-JFAPA  Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering hardware MFA tokens, and regularly reviewing all privileged user accounts.
    User Account Permissions  -  Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected.
    Token-based Authentication  -  Reduce reliance on passwords; instead, consider using services like single sign-on.
    Credential Hardening  -  Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts.
    Authentication Event Thresholding  -  Use account throttling or account lockout. Throttling progressively increases the time delay between successive login attempts. If using account lockout, allow between 5 and 10 attempts before lockout.
    Strong Password Policy  -  Use a service to check for compromised passwords before using them.
    Credential Rotation  -  Change all default credentials.
    Encrypted Tunnels  -  Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices.
    Software Update  -  Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life.
    Agent Authentication  -  Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only.
    User Behavior Analysis  -  Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.
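The Authentication Event Thresholding row above asks for progressively longer delays between attempts and, if lockout is used, a limit of 5 to 10 attempts. The Python below is an added example of such a policy; it is not code from the advisory, D3FEND or any vendor. A LoginThrottle class doubles the delay after every failure up to a cap, locks the key out after a configurable 5 to 10 failures, clears the counter on success, and forgets stale failures; a small driver shows what a retrying attacker experiences. The delay schedule, the 15-minute lockout, the 30-minute reset and the demo scenario are assumptions chosen for illustration, not values from the page.

```python
"""Authentication event thresholding: progressive throttling plus lockout.

Added example for this appendix; it is not code from the advisory or its
authors. The delay schedule, lockout length and quiet-period reset are
assumptions chosen to fit the appendix's guidance (lockout after 5 to 10
failed attempts); none of the numbers come from the page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class _State:
    failures: int = 0
    last_failure: Optional[datetime] = None
    not_before: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class LoginThrottle:
    """Progressive throttling plus lockout, tracked per key.

    Key on the account name for per-account protection, or on
    (source, account) so that a source rotating through many accounts is
    slowed down as well; per-account counters alone do not stop spraying.
    """

    def __init__(self, base_delay=1.0, max_delay=60.0, lockout_after=10,
                 lockout=timedelta(minutes=15), reset_after=timedelta(minutes=30)):
        if not 5 <= lockout_after <= 10:
            raise ValueError("lockout_after should be between 5 and 10 attempts")
        self.base_delay, self.max_delay = base_delay, max_delay
        self.lockout_after, self.lockout, self.reset_after = lockout_after, lockout, reset_after
        self._state = {}

    def delay_seconds(self, failures):
        """Delay imposed after the n-th consecutive failure: doubles each time, capped."""
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def check(self, key, now):
        """Call before verifying a credential. Returns (allowed, wait_seconds)."""
        st = self._state.get(key)
        if st is None:
            return True, 0.0
        for until in (st.locked_until, st.not_before):
            if until is not None and now < until:
                return False, (until - now).total_seconds()
        return True, 0.0

    def record(self, key, success, now):
        """Call after verifying. Returns "ok", "throttled" or "locked"."""
        if success:
            self._state.pop(key, None)                  # a good login clears the counter
            return "ok"
        st = self._state.setdefault(key, _State())
        if st.locked_until is not None and now >= st.locked_until:
            st.failures, st.locked_until = 0, None      # lockout served; start over
        elif st.last_failure is not None and now - st.last_failure > self.reset_after:
            st.failures = 0                             # stale failures no longer count
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.lockout_after:
            st.locked_until = now + self.lockout
            return "locked"
        st.not_before = now + timedelta(seconds=self.delay_seconds(st.failures))
        return "throttled"


def simulate_attacker(throttle, key, attempts, start):
    """Send wrong passwords against `key`, retrying the moment the throttle
    allows it. Returns the decisions and the seconds spent waiting."""
    now, decisions = start, []
    for _ in range(attempts):
        allowed, wait = throttle.check(key, now)
        if not allowed:
            now += timedelta(seconds=wait)
        decisions.append(throttle.record(key, False, now))
        if decisions[-1] == "locked":
            break
    return decisions, (now - start).total_seconds()


def demo_scenario():
    """Constructed scenario: ten wrong passwords for one account, then a check
    during the lockout and one after it expires."""
    t = LoginThrottle()
    start = datetime(2025, 5, 1, 8, 0, 0)
    decisions, waited = simulate_attacker(t, "bob", 20, start)
    locked_now = start + timedelta(seconds=waited)
    allowed_during, wait_during = t.check("bob", locked_now)
    allowed_after, _ = t.check("bob", locked_now + t.lockout)
    return {"decisions": decisions, "waited": waited,
            "allowed_during_lockout": allowed_during, "lockout_wait": wait_during,
            "allowed_after_lockout": allowed_after,
            "schedule": [t.delay_seconds(i) for i in range(1, t.lockout_after)]}


if __name__ == "__main__":
    print(demo_scenario())
```

With these parameters the tenth failure locks the account after the attacker has already been held for 243 seconds, so a guessing run that would take seconds unthrottled stretches into minutes per ten attempts. Run the same class keyed on (source, account) next to the per-account instance; the per-source counter is the one that catches a spray, which by design never exceeds a handful of failures on any single account.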

    MIL OSI USA News -

    May 22, 2025
  • MIL-OSI: BAWAG Group: Moody’s affirms ratings and changes outlook from stable to positive

    Source: GlobeNewswire (MIL-OSI)

    VIENNA, Austria – May 21, 2025 – Today, Moody’s announced that it has affirmed the ratings of BAWAG P.S.K. and changed the outlook on the long-term deposit, senior unsecured, and long-term issuer ratings from stable to positive.

    The positive outlook is a reflection of our to-be-integrated recent acquisitions, which show a steady business performance and could result in a sustainably improved financial profile.

    The release of Moody’s is available on our website https://www.bawaggroup.com.

    David O’Leary, Chief Risk Officer of BAWAG Group, commented: “The change to a positive outlook is a testament to our strategy focused on sustainable growth, efficiency and maintaining a safe and secure balance sheet. While our strategy has been unchanged since 2012, with the recent acquisitions, our business profile with focus on DACH/NL region as well as Retail & SME had been enhanced. The improved outlook highlights the resilience and stability of our business, with increased profitability after our acquisitions.”

    About BAWAG Group
    BAWAG Group AG is a publicly listed holding company headquartered in Vienna, Austria, serving our over 4 million retail, small business, corporate, real estate and public sector customers across Austria, Germany, Switzerland, Netherlands, Ireland, the United Kingdom, and the United States. The Group operates under various brands and across multiple channels offering comprehensive savings, payment, lending, leasing, investment, building society, factoring and insurance products and services. Our goal is to deliver simple, transparent, and affordable financial products and services that our customers need.

    BAWAG Group’s Investor Relations website https://www.bawaggroup.com/ir contains further information, including financial and other information for investors.

    Forward-looking statement
    This release contains “forward-looking statements” regarding the financial condition, results of operations, business plans and future performance of BAWAG Group. Words such as “anticipates,” “believes,” “estimates,” “expects,” “forecasts,” “intends,” “plans,” “projects,” “may,” “will,” “should,” “would,” “could” and other similar expressions are intended to identify these forward-looking statements. These forward-looking statements reflect management’s expectations as of the date hereof and are subject to risks and uncertainties that may cause actual results to differ materially from those projected. These risks and uncertainties include, but are not limited to, economic conditions, the regulatory environment, loan concentrations, vendors, employees, technology, competition, and interest rates. Readers are cautioned not to place undue reliance on the forward-looking statements as actual results may differ materially from the results predicted. Neither BAWAG Group nor any of its affiliates, advisors or representatives shall have any liability whatsoever (in negligence or otherwise) for any loss howsoever arising from any use of this report or its content or otherwise arising in connection with this document. This report does not constitute an offer or invitation to purchase or subscribe for any securities and neither it nor any part of it shall form the basis of or be relied upon in connection with any contract or commitment whatsoever. This statement is included for the express purpose of invoking “safe harbor provisions”.

    Financial Community:
    Jutta Wimmer (Head of Investor Relations)
    Tel: +43 (0) 5 99 05-22474

    IR Hotline: +43 (0) 5 99 05-34444
    E-mail: investor.relations@bawaggroup.com

    Media:
    Manfred Rapolter (Head of Corporate Communications & Social Engagement)
    Tel: +43 (0) 5 99 05-31210
    E-mail: communications@bawaggroup.com

    This text can also be downloaded from our website: https://www.bawaggroup.com

    The MIL Network –

    May 22, 2025
  • MIL-OSI Global: How outdoor sports can support youth as they navigate climate change

    Source: The Conversation – Canada – By Brett Tomlinson, Adjunct Professor, Faculty of Education, Nipissing University

    As climate change continues to impact the way we interact with our planet, it’s critical to consider ways we can encourage youth to participate in climate action initiatives.

    Young people across Canada are feeling frightened about the future of the planet. A Canadian study published in 2023 surveyed 1,000 young participants on their feelings about climate change. Sixty-six per cent of respondents said they felt anxiousness or hopelessness about climate change, while 78 per cent said it impacts their overall mental health.

    There are a number of ways to approach this overwhelming emotion, considering it could result not only in poor quality of life for youth but also continued inaction for the planet.

    My research in outdoor physical education leads me to consider more positive behaviour for youth in association with climate change that could likely benefit youth and the planet. The challenge is finding opportunities to develop pro-environmental behaviours and environmental stewardship with Canadian youth.

    It’s about more than time outdoors

    When looking to develop pro-environmental behaviours, one way could be to simply encourage more time outdoors. But research from Germany suggests that just interacting with nature is not enough; rather, young people need to find ways to engage with nature and use the natural landscape to develop an emotional connection with the environment.

    According to the German study, certain sports can lead to more environmentally sustainable attitudes and behaviours from participants. Some sports in particular — like cross-country skiing, mountain biking or triathlon — increase those positive behaviours more than others. This isn’t simply because participants are alone within a natural setting; it’s because the focus of the sport is on the natural landscape.

    To explain a bit further, soccer, for example, is typically played outside but often on a manicured, sometimes artificial, field that is in many ways devoid of any natural influence.

    Alternatively, mountain biking requires participants to ride on trails that take them directly through forested areas or spaces that are selected based on their unique natural landscape. As athletes participate in sports more frequently and spend more time within nature, they then develop a stronger emotional connection to the space they’re in. This leads to pro-environmental behaviours and attitudes, which can then generate environmental stewardship.






    Rock climbing

    Within rock climbing groups and organizations, there is evidence suggesting members frequently participate in beneficial environmental stewardship projects. Outdoor rock-climbing groups typically manage spaces — sometimes privately owned, but frequently under government jurisdiction in provincial or national parks — to ensure safe and responsible climbing practices. Climbers rely on ropes, equipment and bolts to ensure safety as they’re climbing.

    But another obvious factor is the rock face they climb. The connection to rock and the climbing routes over those rock faces help foster a sense of environmental stewardship within climbers. Similar to mountain biking, the process starts with an introduction to the sport, but slowly develops into more care and attention paid to the natural spaces where climbers practise their activity.

    One American study indicates that rock climbing organizations often find opportunities to clean up the areas where they climb, and also look to maintain the natural features of that space.

    The research finds that for climbers, the challenge is to maintain natural spaces and keep the rock as pristine as possible. This also extends to conservation efforts to ensure that space maintains its use for climbing as opposed to turning it into a more urban or commercialized area.

    The joy that participants received from the sport of climbing initiated this environmental stewardship and maintained progressive action in local environmental initiatives.

    Element of physical risk

    One thing to note is that climbing and mountain biking do involve an element of physical risk.

    Doing some research on these sports can help youth assess risks alongside what can be gained from participating. But it’s also important to acknowledge that encouraging young people to foster deeper connections to nature as opposed to having simple interactions with outdoor spaces doesn’t mean they have to cycle down a mountain or climb a massive rock wall.

    Risk cannot be completely eliminated from outdoor sports and recreation, but there can be great social and personal benefit from participating in these types of activities.

    Instead of a high-risk sport, educators and outdoor leaders can influence participants with simpler actions. I am aware of outings involving outdoor hikes, or taking time at night to gaze at the stars and listen to the sounds of nature, that have sparked in young people an interest in outdoor spaces — and caring for them.

    Such experiences can then lead young people to continue to explore outdoor adventure and sport, which can significantly foster an appreciation of natural settings through direct interaction as well as a positive sense of community. This can be a starting point to help alleviate feelings of hopelessness about climate change.

    Addressing potential harms, amplifying benefits

    Despite the benefits of participating in outdoor sports, there is a need to acknowledge that participation can have some negative impact on the environment.

    For example, interaction with nature through sport can impact natural habitats and has the potential to alter behavioural patterns of animals. Furthermore, there is a risk of erosion of natural spaces, as well as the slim potential for the movement of invasive species.

    This being said, it’s critical to consider what we can gain from supporting youth to participate in outdoor sport and education when such activities are planned with attentiveness and care.

    Brett Tomlinson does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.

    – ref. How outdoor sports can support youth as they navigate climate change – https://theconversation.com/how-outdoor-sports-can-support-youth-as-they-navigate-climate-change-256643

    MIL OSI – Global Reports –

    May 22, 2025
  • MIL-OSI USA: MEDIA ADVISORY: Sanders to Call on Republicans to Support Trump, Lower Prescription Drug Prices

    US Senate News:

    Source: United States Senator for Vermont – Bernie Sanders
    WASHINGTON, May 21 – After President Trump issued a vague executive order claiming to slash drug costs by linking them to international prices, Sen. Bernie Sanders (I-Vt.), Ranking Member of the Senate Committee on Health, Education, Labor, and Pensions (HELP), today announced he would ask for unanimous consent on the Senate floor to pass legislation that would actually do just that by ensuring Americans pay no more than people in other countries for the exact same prescription drug, forcing anyone who opposes actually lowering drug prices to rise in opposition.
    On May 5, 2025, President Trump issued an executive order entitled “Delivering Most-Favored-Nation Prescription Drug Pricing to American Patients.” In that order, he proposes “a rulemaking plan to impose most-favored-nation pricing” but does not cite specific legislative authority. As a result, the executive order will be blocked by the courts. Congressional action is needed.
    The Prescription Drug Price Relief Act will put an end to the greed of the pharmaceutical industry and help save lives by lowering drug prices. This legislation would ensure Americans do not pay more for prescription drugs than the median price paid in Canada, the United Kingdom, France, Germany and Japan.
    Details:
    What: Sen. Sanders floor speech calling for unanimous consent to pass legislation to make sure Americans pay no more than people in other countries for prescription drugs
    When: Wednesday, May 21, 2025 at 3:00 p.m. ET
    Where: Senate floor. His remarks will also be livestreamed on Sanders’ social media.

    MIL OSI USA News –

    May 22, 2025
  • MIL-OSI Global: Continuing to seek Chinese investment in the UK comes at a heavy political price

    Source: The Conversation – UK – By Jeffrey Henderson, Professor Emeritus of International Development, University of Bristol

    Steel blast furnaces in Scunthorpe, UK. Baxter Media/Shutterstock

    One major consequence of the UK government’s resistance to rejoining the European single market is that it is forced to go around the world seeking trade deals and investment.

    Recently, the government has boasted of successful arrangements with India, the US, and some new agreements with the EU. But it has also found itself courting one highly dubious suitor.

    Since the chancellor of the exchequer, Rachel Reeves, went to Beijing in January 2025, the government has been focusing much of its attention on China. And while investment from the world’s second-largest economy is fairly unproblematic in a few sectors (some services and domestic real estate, for example), other areas are a cause for concern.

    Relying on Chinese money to support key sectors such as steel, telecommunications, advanced electronics, power and transport – all vital for Britain’s economic and geopolitical security – is potentially dangerous.




    Yet it has been going on for years. Efforts to secure funding by a previous Conservative government even allowed state-owned Chinese companies to invest in the UK’s nuclear future, despite considerable criticism from the likes of MI5 and the British military.

    Then there was the 2017 acquisition by a Chinese state-backed private equity firm of the cutting-edge semiconductor company Imagination Technologies. Subsequent concerns over the leaking of its intellectual property prompted a parliamentary enquiry into foreign corporate asset-stripping.

    British Steel was also a target. Sold in 2019, it is now owned by a private company, Jingye, which in April 2025 moved to shut down operations at its Scunthorpe site by not supplying the raw materials required for its blast furnaces.

    In response, the UK government took emergency control of production in a scramble to stop the furnaces from going cold.

    That incident should have served as an urgent reminder to the government that it needs to be wary of the effect Chinese companies can have on the UK.

    Early signs, however, are not reassuring. Business secretary Jonathan Reynolds commented that Jingye was not acting in the “rational way” he would expect of a company in a market economy.

    But the government should know that when it comes to strategic decision-making, Chinese companies do not operate in ways that others consider rational. Put simply, they are not comparable to their equivalents in Britain or other liberal-market economies – because they are effectively controlled by the Chinese Communist Party (CCP).

    According to the CCP’s data, by 2017 it had established a formal presence inside 92% of larger private companies and 73% of all private companies in China. Those figures will certainly be higher now. And, as with the digital-technology firm Huawei, senior CCP members are often on a company’s boards of directors.

    So, while Jingye almost eliminated British Steel as a viable company, it can be reasonably assumed that a decision of such strategic and geopolitical importance would not have been taken by Jingye’s executives alone. They would have been “guided” by the CCP.

    Influence and infrastructure

    And of course, it’s not just steel production the UK should be concerned about. Chinese ownership now extends across many vital sectors.

    There’s the Chinese state-owned company Beijing Construction Engineering helping to build a new science and innovation park next to Manchester airport. And the private Hong Kong company CK Infrastructure, which owns water companies serving north-east England, Essex and Suffolk.

    China Investment Corporation (state-owned) owns part of Heathrow, while China Huaneng (state-owned) operates Europe’s largest battery storage facility in Wiltshire. Meanwhile, wind turbine producer Mingyang (privately owned and reputedly linked to the Chinese military) is the preferred bidder for a new Scottish wind farm, despite being barred from a similar Norwegian development.

    All of these companies, irrespective of formal ownership, are likely to be subject to varying degrees of CCP influence and control (comment on the issue from Chinese companies is rare). And successive UK governments have either failed to appreciate the implications of this, or have accepted it as the price of gaining greater access to the Chinese market – especially for London’s financial sector.

    This was almost certainly a factor behind China’s involvement in the building of Hinkley Point’s new nuclear power station, and was at the forefront in Rachel Reeves’s discussions with the Chinese government earlier this year.

    Separately, Chinese investment in non-strategic sectors is much less controversial. One private conglomerate (Fosun) owns the Premier League side Wolverhampton Wanderers and formerly owned Thomas Cook.

    But the lesson from the British Steel fiasco is clear. We are now in a world where the political interests of major states trump the economic interests of their business corporations. Geopolitics takes precedence over geoeconomics.

    Consequently, Chinese firms – regardless of ownership status – should be barred from industries vital to the UK’s economic and political security. Anything less risks subordinating British interests to those of the Chinese Communist Party.

    Funding from European Cooperation in Science and Technology (COST), for the China in Europe Research Network, contributed to the research on which this article is based.

    – ref. Continuing to seek Chinese investment in the UK comes at a heavy political price – https://theconversation.com/continuing-to-seek-chinese-investment-in-the-uk-comes-at-a-heavy-political-price-255340

    MIL OSI – Global Reports –

    May 22, 2025
  • MIL-OSI China: MOFA sincerely appreciates international support for Taiwan’s bid to participate in WHO and WHA

    Source: Republic of Taiwan – Ministry of Foreign Affairs

    May 19, 2025  

    No. 163  

    The 78th World Health Assembly (WHA) is opening in Geneva on May 19. Following proactive efforts by the Ministry of Foreign Affairs (MOFA) and related overseas missions, Taiwan’s bid to participate in the WHA has received staunch and concrete support from the Group of Seven (G7), the executive and legislative branches of government of more than 50 countries, the European Union, the European Parliament, and representative offices of like-minded nations in Taiwan. MOFA expresses sincere appreciation for this support.

     

    Eleven of Taiwan’s diplomatic allies, as members of the World Health Organization (WHO), submitted a proposal to the WHO Secretariat to invite Taiwan to participate in the WHA as an observer, requesting that the proposal be included as a supplementary item on this year’s WHA agenda. Saint Lucia Prime Minister Philip J. Pierre personally wrote a letter urging WHO Director-General Tedros Adhanom Ghebreyesus to invite Taiwan to attend the WHA. The parliaments of Guatemala, Palau, and Saint Christopher and Nevis adopted resolutions backing Taiwan.

     

    The magnitude of support for Taiwan from like-minded countries has continued to grow. The current US administration has publicly endorsed Taiwan’s international participation more than 10 times. This includes a joint statement issued at the US-Japan leaders’ summit by President Donald Trump and Prime Minister Shigeru Ishiba in February, which for the first time contained text advocating Taiwan’s meaningful involvement in international organizations. US Secretary of State Marco Rubio reaffirmed firm US support for Taiwan’s international participation during his congressional confirmation hearing as well as in interviews and joint statements issued at two meetings with the foreign ministers of Japan and the Republic of Korea. The United States twice spoke up for Taiwan at the WHO Executive Board session held in February. In April, it publicly refuted China’s misuse of United Nations General Assembly (UNGA) Resolution 2758 at the UN Security Council for the first time, reiterating that the resolution did not preclude Taiwan’s participation in the UN system or other multilateral fora. In terms of US congressional support, the House of Representatives passed the Taiwan International Solidarity Act without opposition on May 5. The act urged the US government to resist China’s efforts to suppress Taiwan through mischaracterization of UNGA Resolution 2758. In addition, nine US state legislatures approved resolutions backing Taiwan’s involvement in international organizations.


    Furthermore, in a joint statement issued following a meeting in March, the G7 foreign ministers reaffirmed support for Taiwan’s meaningful participation in international organizations. On May 15, the European Union expressed a similar stance and recognized the extraordinary contributions Taiwan can make through its digital healthcare capabilities. In February, the European Parliament overwhelmingly adopted a resolution on the implementation of the EU Common Foreign and Security Policy, which backed Taiwan’s meaningful participation in relevant world bodies. 

    High-ranking European officials who publicly spoke up for Taiwan included Italian Deputy Prime Minister and Minister of Foreign Affairs Antonio Tajani, Irish Deputy Prime Minister and Minister for Foreign Affairs and Trade Simon Harris, Australian Minister for Foreign Affairs Penny Wong, Swedish Minister for Foreign Affairs Maria Malmer Stenergard, and Swedish Minister for Social Affairs and Public Health Jakob Forssmed. A total of 534 members of the European Parliament and 29 national parliaments across Europe cosigned a letter of the Formosa Club reaffirming support for Taiwan. The World Medical Association and other professional groups endorsed Taiwan’s participation in WHO and the WHA as they had done in the past.


    MOFA thanks the representative offices in Taiwan of the United Kingdom, France, Australia, Canada, the Czech Republic, Germany, Japan, and Lithuania for issuing a joint statement for the fifth year prior to the WHA affirming the immense benefits that Taiwan could bring to WHA discussions. The statement also emphasized that there was no legitimate reason for Taiwan’s exclusion from the WHA and that Taiwan’s absence would undermine the spirit of inclusive global public health cooperation and safety that WHO’s founding documents called for.


    MOFA points out that these positive developments fully demonstrate that China’s unreasonable obstruction of Taiwan’s participation in WHO has gained little traction or support among nations worldwide. MOFA reiterates that UNGA Resolution 2758 and WHA Resolution 25.1 make no mention of Taiwan, have nothing to do with Taiwan, and therefore cannot be cited as a legal basis for precluding Taiwan from participating in WHO or other international organizations or multilateral mechanisms or fora. MOFA asks that the WHO Secretariat listen closely to member countries, stop further condoning political manipulation by China, and instead work to realize WHO’s goals of “Leaving No One Behind” and “One World for Health” so as to fulfill its responsibility to maintain and improve the health and well-being of all people. MOFA also asks that Taiwan be allowed full and unobstructed participation in all WHO meetings, mechanisms, and activities, including the WHA. (E)

    MIL OSI China News –

    May 22, 2025
  • MIL-OSI USA: Jayapal, Sanders, Colleagues Introduce Bill to Make Public Colleges and Universities Tuition Free

    Source: United States House of Representatives – Congresswoman Pramila Jayapal (7th District of Washington)

    WASHINGTON, DC – As President Trump and congressional Republicans are working overtime to make college unaffordable and unattainable for millions of working-class families in order to provide tax breaks to billionaires, Rep. Pramila Jayapal (D-Wash.) and Sen. Bernie Sanders (I-Vt.), Ranking Member of the Senate Committee on Health, Education, Labor, and Pensions (HELP), today introduced legislation to make public colleges and universities tuition free for 95% of students. The College for All Act would be the most transformative investment in higher education in 60 years and would substantially improve the lives of millions of students throughout the United States.

    “Congress can and must ensure that working families never have to take out crushing loans to pursue an education,” said Jayapal. “The College for All Act will free students from a lifetime of debt, invest in working people, and transform higher education across America by making a degree more accessible to poor and working families across this country. This is more important now than ever as Trump continues to attack education in this country through attempts to strip funding from universities and to dismantle the Department of Education.”

    “In a highly competitive global economy where technology is changing the very nature of work and the jobs we perform, we need the best educated workforce in the world,” said Sanders. “Our nation used to lead the world in the percentage of adults with a college degree. Today, we are in 11th place behind countries like Japan, South Korea, Canada, the United Kingdom and Switzerland. That is not a prescription for a strong American economy of the future. It is a prescription for failure. Instead of increasing the cost of college in order to give more tax breaks to billionaires, we have a better idea. We are going to make public colleges and universities tuition free so that working class students can succeed and are not burdened with a lifetime of debt.”

    Making public colleges and universities tuition free is not a radical idea. In 1944, as World War II was coming to an end, the U.S. government made free higher education available to all those who served in the armed forces. That act not only improved the financial well-being of the Greatest Generation, but it also laid the groundwork for the greatest expansion of the American middle class in U.S. history. Moreover, over 50 years ago, many of our most prestigious public colleges and universities were also tuition free or virtually tuition free.

    Since this legislation was first introduced ten years ago, several colleges and universities in America have provided free tuition for working class and middle class students including every state college in New Mexico, the State University of New York, the University of Texas, the University of Wisconsin, and Arkansas State University.

    Other wealthy countries like France, Germany, Denmark, Sweden, Norway and Finland have made their public colleges and universities tuition free or virtually tuition free because they understand the value of investing in their young people.

    The College for All Act would guarantee tuition-free community college for all students and allow students from single households earning up to $150,000 a year, and married households earning up to $300,000 a year, to attend college without fear of being saddled with student loan debt.

    The College for All Act would also:

    • Double the maximum Pell Grant award for students enrolled at public and private non-profit colleges;
    • Establish a $10 billion grant program to improve student outcomes and address equity gaps at underfunded public colleges and universities;
    • Triple federal TRIO program funding;
    • Double GEAR UP funding; and
    • Double mandatory funding for Historically Black Colleges and Universities, Tribal Colleges and Universities (HBCUs), and other Minority-Serving Institutions (MSIs).

    Read the bill text here.

    Read a summary of the bill here.

    Issues: Arts & Education

    MIL OSI USA News –

    May 22, 2025
  • MIL-OSI USA: NEWS: Sanders, Jayapal, Colleagues Introduce Bill to Make Public Colleges and Universities Tuition Free

    US Senate News:

    Source: United States Senator for Vermont – Bernie Sanders
    WASHINGTON, May 21 – As President Trump and congressional Republicans are working overtime to make college unaffordable and unattainable for millions of working-class families in order to provide tax breaks to billionaires, Sen. Bernie Sanders (I-Vt.), Ranking Member of the Senate Committee on Health, Education, Labor, and Pensions (HELP), Rep. Pramila Jayapal (D-Wash.), and nine Senate colleagues, today introduced legislation to make public colleges and universities tuition free for 95% of students. The College for All Act would be the most transformative investment in higher education in 60 years and would substantially improve the lives of millions of students throughout the United States.
    Joining Sanders as cosponsors are Sens. Richard Blumenthal (D-Conn.), Alex Padilla (D-Calif.), Chris Murphy (D-Conn.), Peter Welch (D-Vt.), Elizabeth Warren (D-Mass.), Ed Markey (D-Mass.), Chris Van Hollen (D-Md.), Jeff Merkley (D-Ore.) and Cory Booker (D-N.J.).
    “In a highly competitive global economy where technology is changing the very nature of work and the jobs we perform, we need the best educated workforce in the world,” said Sanders. “Our nation used to lead the world in the percentage of adults with a college degree. Today, we are in 11th place behind countries like Japan, South Korea, Canada, the United Kingdom and Switzerland. That is not a prescription for a strong American economy of the future. It is a prescription for failure. Instead of increasing the cost of college in order to give more tax breaks to billionaires, we have a better idea. We are going to make public colleges and universities tuition free so that working class students can succeed and are not burdened with a lifetime of debt.”
    “Congress can and must ensure that working families never have to take out crushing loans to pursue an education,” said Jayapal. “The College for All Act will free students from a lifetime of debt, invest in working people, and transform higher education across America by making a degree more accessible to poor and working families across this country. This is more important now than ever as Trump continues to attack education in this country through attempts to strip funding from universities and to dismantle the Department of Education.”
    Making public colleges and universities tuition free is not a radical idea. In 1944, as World War II was coming to an end, the U.S. government made free higher education available to all those who served in the armed forces. That act not only improved the financial well-being of the Greatest Generation, but it also laid the groundwork for the greatest expansion of the American middle class in U.S. history. Moreover, over 50 years ago, many of our most prestigious public colleges and universities were also tuition free or virtually tuition free.
    Since this legislation was first introduced ten years ago, several colleges and universities in America have provided free tuition for working class and middle class students including every state college in New Mexico, the State University of New York, the University of Texas, the University of Wisconsin, and Arkansas State University.
    Other wealthy countries like France, Germany, Denmark, Sweden, Norway and Finland have made their public colleges and universities tuition free or virtually tuition free because they understand the value of investing in their young people.
    The College for All Act would guarantee tuition-free community college for all students and allow students from single households earning up to $150,000 a year, and married households earning up to $300,000 a year, to attend college without fear of being saddled with student loan debt.
    The College for All Act would also:
    • Double the maximum Pell Grant award for students enrolled at public and private non-profit colleges;
    • Establish a $10 billion grant program to improve student outcomes and address equity gaps at underfunded public colleges and universities;
    • Triple federal TRIO program funding;
    • Double GEAR UP funding; and
    • Double mandatory funding for Historically Black Colleges and Universities, Tribal Colleges and Universities (HBCUs), and other Minority-Serving Institutions (MSIs).
    Read the bill text here.
    Read a summary of the bill here.

    MIL OSI USA News –

    May 22, 2025
  • MIL-OSI Security: Russian GRU Targeting Western Logistics Entities and Technology Companies

    Source: US Department of Homeland Security

    Executive Summary

    This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

    Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

    This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

    The following authors and co-sealers are releasing this CSA:

    • United States National Security Agency (NSA)
    • United States Federal Bureau of Investigation (FBI)
    • United Kingdom National Cyber Security Centre (NCSC-UK)
    • Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
    • Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
    • Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
    • Czech Republic Military Intelligence (VZ) Vojenské zpravodajství
    • Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
    • Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
    • Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
    • Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
    • United States Cybersecurity and Infrastructure Security Agency (CISA)
    • United States Department of Defense Cyber Crime Center (DC3)
    • United States Cyber Command (USCYBERCOM)
    • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
    • Canadian Centre for Cyber Security (CCCS)
    • Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
    • Estonian Foreign Intelligence Service (EFIS) Välisluureamet
    • Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
    • French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
    • Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst

    Download the PDF version of this report:

    Russian GRU Targeting Western Logistics Entities and Technology Companies (PDF, 1,081KB)

    For a downloadable list of IOCs, visit:

    Introduction

    For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions.
    In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.
    Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.

    Description of Targets

    The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations: 

    • Defense Industry
    • Transportation and Transportation Hubs (ports, airports, etc.)
    • Maritime
    • Air Traffic Management
    • IT Services

    In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].

    The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].

    The countries with targeted entities include the following, as illustrated in Figure 1:

    • Bulgaria
    • Czech Republic
    • France
    • Germany
    • Greece
    • Italy
    • Moldova
    • Netherlands
    • Poland
    • Romania
    • Slovakia
    • Ukraine
    • United States
    Figure 1: Countries with Targeted Entities

    Initial Access TTPs

    To gain initial access to targeted entities, unit 26165 actors used several techniques, including (but not limited to) those described in the following subsections.

    The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]

    Credential Guessing/Brute Force

    Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573]. 
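The detection problem this section raises is that the guessing traffic is spread across Tor exits and commercial VPN addresses that rotate frequently, so a per-IP failure threshold alone misses it. The following is an added example written for this page, not code from the advisory or any authoring agency: it runs two complementary checks over a constructed authentication log (the log format, the addresses and the usernames are all assumptions). The first flags a single source failing against several distinct accounts; the second looks at each time window as a whole and flags the spray pattern of many accounts each failing only once or twice from more than one source, which is what survives IP rotation.

```python
"""Password-spray detection over a constructed authentication log.

Added example, not part of the advisory. Each log line is assumed to be
"<ISO-8601 UTC timestamp> <source_ip> <username> <FAIL|SUCCESS>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three rotating source addresses each try three distinct
# accounts once, then one legitimate user mistypes her own password three times.
SAMPLE_LOG = """\
2025-05-20T09:00:01Z 198.51.100.7 alice FAIL
2025-05-20T09:00:04Z 198.51.100.7 bob FAIL
2025-05-20T09:00:07Z 198.51.100.7 carol FAIL
2025-05-20T09:00:11Z 203.0.113.9 dave FAIL
2025-05-20T09:00:15Z 203.0.113.9 erin FAIL
2025-05-20T09:00:19Z 203.0.113.9 frank FAIL
2025-05-20T09:00:23Z 192.0.2.33 grace FAIL
2025-05-20T09:00:27Z 192.0.2.33 heidi FAIL
2025-05-20T09:00:31Z 192.0.2.33 ivan SUCCESS
2025-05-20T09:05:00Z 10.0.0.5 judy FAIL
2025-05-20T09:05:09Z 10.0.0.5 judy FAIL
2025-05-20T09:05:15Z 10.0.0.5 judy FAIL
2025-05-20T09:05:31Z 10.0.0.5 judy SUCCESS
"""

EPOCH = datetime(1970, 1, 1)


def parse(text):
    """Turn the raw log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result))
    return events


def bucket(ts, window):
    """Fixed time bucket index so events are grouped per window."""
    return (ts - EPOCH) // window


def spray_per_source(events, window=timedelta(minutes=10), min_users=3):
    """Classic check: one source address failing against many distinct accounts."""
    failed = defaultdict(set)  # (bucket, ip) -> set of usernames that failed
    for ts, ip, user, result in events:
        if result == "FAIL":
            failed[(bucket(ts, window), ip)].add(user)
    return sorted({ip for (_, ip), users in failed.items() if len(users) >= min_users})


def spray_rotating(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Rotation-aware check: per window, many accounts each failing at most a
    couple of times, with the attempts spread over more than one source.
    Returns one alert per window that matches."""
    per_bucket = defaultdict(lambda: defaultdict(list))  # bucket -> user -> [ips]
    for ts, ip, user, result in events:
        if result == "FAIL":
            per_bucket[bucket(ts, window)][user].append(ip)
    alerts = []
    for key, fails in sorted(per_bucket.items()):
        # Accounts hit only a few times are the spray signature; a single user
        # failing repeatedly from one address is ordinary password trouble.
        sprayed = {u: ips for u, ips in fails.items() if len(ips) <= max_per_user}
        sources = set().union(*sprayed.values()) if sprayed else set()
        if len(sprayed) >= min_users and len(sources) > 1:
            alerts.append({"window": key, "users": sorted(sprayed), "sources": sorted(sources)})
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per-source:", spray_per_source(evs))
    print("rotating:", spray_rotating(evs))
```

With the constructed log, the per-source check catches only the two addresses that failed against three accounts each and misses the third, while the window-wide check reports all eight sprayed accounts and all three sources together; judy's repeated failures from one address are correctly left out of both. The window size and thresholds are starting points and should be tuned against the volume of a real directory.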

    Spearphishing

    GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient. 

    Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:

    • Webhook[.]site
    • FrgeIO
    • InfinityFree
    • Dynu
    • Mocky
    • Pipedream
    • Mockbin[.]org

    The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].

    CVE Usage

    Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].

    Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE. 

    Post-Compromise TTPs

    After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].

    The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the Python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempted to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as the command shown in Figure 2:

    C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit

    Figure 2: Example Active Directory Domain Services command

    Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed Python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].

    Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]

    After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged Python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].
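Most of the post-compromise activity above (the ntdsutil IFM dump in Figure 2, Get-GPPPassword.py, Certipy, Impacket-style remote execution, and clearing event logs with wevtutil) leaves a process-creation record with a distinctive command line. The following is an added example for this page, not code from the advisory: a small rule set run over constructed Sysmon-style process-creation events (host names, user names and command lines are all assumptions), with a second pass that raises the severity when several rules fire on the same host, since credential theft followed by log clearing on one machine is a much stronger signal than either event alone. It also covers the schtasks persistence mentioned later on this page, which is the one generalization beyond this section.

```python
"""Command-line detections for the post-compromise tooling named on this page.

Added example, not part of the advisory. Events are constructed to look like
Sysmon process-creation records; the field names are an assumption.
"""
import re
from collections import defaultdict

# Constructed sample events (all hosts, users and paths are made up).
SAMPLE_EVENTS = [
    {"host": "dc01", "user": "CORP\\svc-backup",
     "cmdline": 'ntdsutil.exe "activate instance ntds" ifm "create full C:\\temp\\abc" quit quit'},
    {"host": "ws17", "user": "CORP\\jdoe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "ws17", "user": "CORP\\jdoe",
     "cmdline": "python.exe Get-GPPPassword.py corp.local/jdoe@dc01"},
    {"host": "ws17", "user": "CORP\\jdoe",
     "cmdline": "certipy find -u jdoe@corp.local -dc-ip 10.0.0.10"},
    {"host": "ws22", "user": "CORP\\admin",
     "cmdline": 'schtasks /create /tn "Updater" /tr "C:\\Users\\Public\\update.bat" /sc onlogon'},
    # Benign: querying the log, not clearing it. Must not match.
    {"host": "ws22", "user": "CORP\\admin",
     "cmdline": "wevtutil.exe qe Security /c:5 /f:text"},
]

# (rule name, ATT&CK reference as given on this page where one is, regex)
RULES = [
    ("ntds_ifm_dump", "T1003.003",
     re.compile(r"ntdsutil(\.exe)?.*\bifm\b.*\bcreate\s+full\b", re.I)),
    ("eventlog_clear", "T1070.001",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("gpp_password_retrieval", "T1552.006",
     re.compile(r"Get-GPPPassword", re.I)),
    ("adcs_enum_certipy", "T1087.002",
     re.compile(r"\bcertipy(\.exe)?\b", re.I)),
    ("impacket_remote_exec", "TA0008",
     re.compile(r"\b(psexec|wmiexec|smbexec|atexec)(\.py|\.exe)?\b", re.I)),
    ("scheduled_task_create", "T1053.005",
     re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
]


def detect(events):
    """Return one hit per (event, rule) match."""
    hits = []
    for ev in events:
        for name, technique, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "user": ev["user"],
                             "rule": name, "technique": technique})
    return hits


def hosts_with_chain(hits, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].add(h["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(h)
    print("chained activity on:", hosts_with_chain(found))
```

Against the constructed events the ntdsutil, wevtutil clear, Get-GPPPassword and Certipy lines each produce a hit, the benign wevtutil query does not, and ws17 is the only host reported for chained activity. Treat the regexes as a starting point: the "create full" IFM pattern in particular is also used by legitimate backup tooling, so the account and host running it matter as much as the match.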

    After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including: 

    • sender,
    • recipient,
    • train/plane/ship numbers,
    • point of departure,
    • destination,
    • container registration numbers,
    • travel route, and
    • cargo contents. 

    In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.

    Malware

    Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:

    • HEADLACE [7]
    • MASEPIE [8]

    While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggests that they could be deployed against logistics and IT entities should the need arise. 

    Persistence

    In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence. 

    Exfiltration

    GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure. 

    The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected. 
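The two mailbox techniques described on this page, granting folder or mailbox permissions to sustain collection and then pulling new mail periodically over EWS, both show up in mailbox audit data rather than on the endpoint. The following is an added example for this page, not code from the advisory or the Polish Cybercommand blog it cites: it runs over constructed records shaped like Exchange/Microsoft 365 unified audit entries (the field names, addresses and mailbox are assumptions) and flags, first, permission grants to the Default or Anonymous grantee or FullAccess grants to another account, and second, EWS reads of a mailbox from an address the owner never used interactively that recur at a steady cadence, which is the periodic-query pattern the paragraph above describes.

```python
"""Mailbox permission abuse and periodic EWS collection over constructed audit records.

Added example, not part of the advisory. Records are modelled on unified
audit log entries; the exact field names are an assumption for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERACTIVE_CLIENTS = ("Outlook", "OWA")
OPEN_GRANTEES = {"Default", "Anonymous"}  # rights granted here reach every user

# Constructed sample records for one mailbox.
SAMPLE_AUDIT = [
    # Folder rights opened to everyone in the tenant, then FullAccess to another account
    {"time": "2025-05-10T07:58:00Z", "op": "Set-MailboxFolderPermission", "mailbox": "ops@corp.example",
     "ip": "203.0.113.50", "client": "", "params": {"User": "Default", "AccessRights": "Owner"}},
    {"time": "2025-05-10T07:59:00Z", "op": "Add-MailboxPermission", "mailbox": "ops@corp.example",
     "ip": "203.0.113.50", "client": "", "params": {"User": "helpdesk@corp.example", "AccessRights": "FullAccess"}},
    # Daily EWS reads from an address the owner never used interactively
    {"time": "2025-05-11T08:00:00Z", "op": "MailItemsAccessed", "mailbox": "ops@corp.example",
     "ip": "203.0.113.50", "client": "ExchangeWebServices", "params": {}},
    {"time": "2025-05-12T08:00:30Z", "op": "MailItemsAccessed", "mailbox": "ops@corp.example",
     "ip": "203.0.113.50", "client": "ExchangeWebServices", "params": {}},
    {"time": "2025-05-13T07:59:40Z", "op": "MailItemsAccessed", "mailbox": "ops@corp.example",
     "ip": "203.0.113.50", "client": "ExchangeWebServices", "params": {}},
    # The owner's ordinary Outlook use from the office address (baseline)
    {"time": "2025-05-11T09:13:00Z", "op": "MailItemsAccessed", "mailbox": "ops@corp.example",
     "ip": "198.51.100.20", "client": "Outlook", "params": {}},
    {"time": "2025-05-12T09:02:00Z", "op": "MailItemsAccessed", "mailbox": "ops@corp.example",
     "ip": "198.51.100.20", "client": "Outlook", "params": {}},
    # Two EWS reads from another unknown address: too few to establish a cadence
    {"time": "2025-05-11T12:00:00Z", "op": "MailItemsAccessed", "mailbox": "ops@corp.example",
     "ip": "192.0.2.77", "client": "ExchangeWebServices", "params": {}},
    {"time": "2025-05-13T15:30:00Z", "op": "MailItemsAccessed", "mailbox": "ops@corp.example",
     "ip": "192.0.2.77", "client": "ExchangeWebServices", "params": {}},
]


def _ts(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")


def risky_permission_grants(records):
    """(mailbox, grantee, rights) for grants that enable collection by others."""
    hits = []
    for r in records:
        p = r["params"]
        if (r["op"] == "Set-MailboxFolderPermission"
                and p.get("User") in OPEN_GRANTEES and p.get("AccessRights") != "None"):
            hits.append((r["mailbox"], p["User"], p["AccessRights"]))
        elif r["op"] == "Add-MailboxPermission" and "FullAccess" in p.get("AccessRights", ""):
            hits.append((r["mailbox"], p["User"], p["AccessRights"]))
    return hits


def periodic_ews_access(records, min_hits=3, tolerance=timedelta(minutes=10)):
    """EWS reads from a non-baseline address that recur at a near-constant interval."""
    baseline = defaultdict(set)   # mailbox -> ips seen with interactive clients
    ews = defaultdict(list)       # (mailbox, ip) -> timestamps of EWS reads
    for r in records:
        if r["op"] != "MailItemsAccessed":
            continue
        if r["client"] in INTERACTIVE_CLIENTS:
            baseline[r["mailbox"]].add(r["ip"])
        elif r["client"] == "ExchangeWebServices":
            ews[(r["mailbox"], r["ip"])].append(_ts(r))
    alerts = []
    for (mailbox, ip), times in sorted(ews.items()):
        if ip in baseline[mailbox] or len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) > tolerance:   # jittery access is not a scheduled pull
            continue
        cadence = sum(gaps, timedelta()) / len(gaps)
        alerts.append({"mailbox": mailbox, "ip": ip, "hits": len(times),
                       "cadence_hours": round(cadence.total_seconds() / 3600, 2)})
    return alerts


if __name__ == "__main__":
    print(risky_permission_grants(SAMPLE_AUDIT))
    print(periodic_ews_access(SAMPLE_AUDIT))
```

On the constructed data the permission check returns the Default/Owner folder grant and the FullAccess grant, and the cadence check reports a single alert for 203.0.113.50 with three reads roughly 24 hours apart; the two reads from 192.0.2.77 fall below the minimum and are ignored. The long gaps the advisory mentions are exactly why a per-event threshold misses this: the signal is the regularity and the unfamiliar source, not the volume.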

    Connections to Targeting of IP Cameras

    In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams. 

    The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 1
    Authorization: Basic
    User-Agent: WebClient
    Accept: application/sdp

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 2
    Authorization: Digest username="admin", realm="[a-f0-9]{12}", algorithm="MD5", nonce="[a-f0-9]{32}", uri="", response="[a-f0-9]{32}"
    User-Agent: WebClient
    Accept: application/sdp

    Figure 3: Example RTSP requests (Basic and Digest authorization)

    Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration. 
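    The requests in Figure 3 are easy to triage once the Authorization header is decoded: Basic credentials are only Base64, so the username and password are recoverable from a capture or an RTSP proxy log, and a single source cycling through several credentials against one camera is a brute-force attempt regardless of scheme. The following is an added example, not code from the advisory: the sample requests, the source addresses and the default-credential list are constructed for the example, except for the Hikvision string "YWRtaW46MTEK" from the IOC section of this advisory, which is Base64 for "admin:11" followed by a newline.

```python
"""Decode and triage RTSP DESCRIBE credential attempts.

Added example (not from the advisory). Traffic, addresses and the default
credential list below are constructed; only "YWRtaW46MTEK" is the advisory's.
"""
import base64
import binascii
import re
from collections import defaultdict

# Assumed default/vendor credentials for this example. The last entry is the
# advisory's Hikvision string "YWRtaW46MTEK" decoded ("admin:11" plus a newline).
DEFAULT_CREDENTIALS = {"admin:admin", "admin:12345", "admin:", "root:root", "admin:11\n"}

_DIGEST_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_rtsp_request(raw):
    """Split one RTSP request into (method, url, headers); header names are lower-cased."""
    lines = raw.strip().splitlines()
    method, url, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, url, headers


def decode_authorization(value):
    """Return (scheme, username, password). Password is None for Digest or undecodable Basic."""
    scheme, _, rest = value.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            cred = base64.b64decode(rest.strip(), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return scheme, None, None
        user, _, password = cred.partition(":")
        return scheme, user, password
    if scheme == "digest":
        params = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in _DIGEST_PARAM.finditer(rest)}
        return scheme, params.get("username"), None
    return scheme, None, None


def analyze_rtsp_requests(events, brute_force_threshold=3):
    """events: iterable of (src_ip, raw_request). Flags default creds and credential-cycling sources."""
    attempts, creds_per_source = [], defaultdict(set)
    for src, raw in events:
        method, url, headers = parse_rtsp_request(raw)
        auth = headers.get("authorization")
        if method != "DESCRIBE" or auth is None:
            continue
        scheme, user, password = decode_authorization(auth)
        cred = f"{user}:{password}" if password is not None else None
        attempts.append({"src": src, "target": url, "scheme": scheme, "username": user,
                         "password": password, "known_default": cred in DEFAULT_CREDENTIALS})
        # Digest never carries the password; count distinct Authorization values instead.
        creds_per_source[src].add(cred if cred is not None else auth)
    brute = sorted(src for src, creds in creds_per_source.items()
                   if len(creds) >= brute_force_threshold)
    return {"attempts": attempts, "brute_force_sources": brute}


def _describe(target, authorization, cseq):
    """Build a DESCRIBE request shaped like Figure 3 (constructed)."""
    return (f"DESCRIBE {target} RTSP/1.0\r\nCSeq: {cseq}\r\nAuthorization: {authorization}\r\n"
            "User-Agent: WebClient\r\nAccept: application/sdp\r\n\r\n")


def _basic(cred):
    return "Basic " + base64.b64encode(cred.encode()).decode()


TARGET = "rtsp://192.0.2.10:554/"  # documentation address, not a real camera
SAMPLE_EVENTS = [  # constructed traffic: one source cycling credentials, one single attempt
    ("203.0.113.5", _describe(TARGET, _basic("admin:12345"), 1)),
    ("203.0.113.5", _describe(TARGET, "Basic YWRtaW46MTEK", 2)),  # the advisory's string
    ("203.0.113.5", _describe(TARGET, _basic("admin:admin"), 3)),
    ("203.0.113.5", _describe(TARGET, 'Digest username="admin", realm="0123456789ab", '
                              'algorithm="MD5", nonce="1f2e3d4c5b6a79880123456789abcdef", '
                              'uri="", response="00112233445566778899aabbccddeeff"', 4)),
    ("198.51.100.20", _describe(TARGET, _basic("operator:S3cret!"), 1)),
    ("198.51.100.20", "OPTIONS rtsp://192.0.2.10:554/ RTSP/1.0\r\nCSeq: 1\r\n\r\n"),
]

if __name__ == "__main__":
    result = analyze_rtsp_requests(SAMPLE_EVENTS)
    for attempt in result["attempts"]:
        print(attempt)
    print("brute force sources:", result["brute_force_sources"])
```

    A camera owner cannot prevent a remote DESCRIBE from being sent, but the decoded attempts show which accounts and passwords are being tried; any camera still accepting one of the default pairs needs the credential changed and, per the mitigations later in this advisory, its RTSP port removed from the Internet-facing path.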

    From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:

    Table 1: Geographic distribution of targeted IP cameras
    Country Percentage of Total Attempts
    Ukraine 81.0%
    Romania 9.9%
    Poland 4.0%
    Hungary 2.8%
    Slovakia 1.7%
    Others 0.6%

    Mitigation Actions

    General Security Mitigations

    Architecture and Configuration

    • Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
      • Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
    • Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
    • Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
    • For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
    • Utilize endpoint detection and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data such as mail servers and domain controllers [D3-PM] first.
      • Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
    • Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
    • Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
      • Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
      • Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
      • Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
      • Disable Windows Script Host functionality and configure PowerShell to run in Constrained Language Mode [D3-ACH].
    • Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
    • Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
    • Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
    • Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
    • Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.

    Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].

    • *.000[.]pe
    • *.1cooldns[.]com
    • *.42web[.]io
    • *.4cloud[.]click
    • *.accesscan[.]org
    • *.bumbleshrimp[.]com
    • *.camdvr[.]org
    • *.casacam[.]net
    • *.ddnsfree[.]com
    • *.ddnsgeek[.]com
    • *.ddnsguru[.]com
    • *.dynuddns[.]com
    • *.dynuddns[.]net
    • *.free[.]nf
    • *.freeddns[.]org
    • *.frge[.]io
    • *.glize[.]com
    • *.great-site[.]net
    • *.infinityfreeapp[.]com
    • *.kesug[.]com
    • *.loseyourip[.]com
    • *.lovestoblog[.]com
    • *.mockbin[.]io
    • *.mockbin[.]org
    • *.mocky[.]io
    • *.mybiolink[.]io
    • *.mysynology[.]net
    • *.mywire[.]org
    • *.ngrok[.]io
    • *.ooguy[.]com
    • *.pipedream[.]net
    • *.rf[.]gd
    • *.urlbae[.]com
    • *.webhook[.]site
    • *.webhookapp[.]com
    • *.webredirect[.]org
    • *.wuaze[.]com

    Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
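    The provider list above is published defanged, with "[.]" in place of each dot and a leading "*." wildcard, so a detection has to refang it and then match on label boundaries: "notwebhook.site" must not match "webhook.site", and the providers' own apex domains are visited legitimately and should not alert. The following is an added example, not code from the advisory; the simplified "timestamp client qname" DNS log lines, the client addresses and the baseline of already-reviewed names are constructed for the example, and only a subset of the list is used.

```python
"""First-seen subdomain alerts for the hosting and API-mocking providers listed above.

Added example (not from the advisory). The DNS log lines, client addresses and
baseline below are constructed; the provider patterns are a subset of the advisory's list.
"""

WATCHED_PROVIDERS = ["*.mocky[.]io", "*.webhook[.]site", "*.ngrok[.]io",
                     "*.ddnsfree[.]com", "*.free[.]nf", "*.pipedream[.]net"]


def refang(indicator):
    """Turn the advisory's defanged form ('webhook[.]site') back into a resolvable name."""
    return indicator.replace("[.]", ".")


def provider_suffixes(patterns):
    """Refang each pattern, strip the '*.' wildcard and lower-case it."""
    out = set()
    for p in patterns:
        name = refang(p).lower()
        out.add(name[2:] if name.startswith("*.") else name)
    return out


def matching_provider(fqdn, suffixes):
    """Return the watched suffix that fqdn is a proper subdomain of, or None.

    Matching walks label boundaries rather than using str.endswith, so
    'notwebhook.site' does not match 'webhook.site'; the bare apex is not a
    subdomain and returns None.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    return None


def find_new_provider_subdomains(log_text, suffixes, baseline):
    """Emit one alert per never-before-seen FQDN under a watched provider."""
    seen = set(baseline)
    alerts = []
    for line in log_text.strip().splitlines():
        ts, client, qname = line.split()
        fqdn = qname.lower().rstrip(".")
        provider = matching_provider(fqdn, suffixes)
        if provider is None or fqdn in seen:
            continue
        seen.add(fqdn)
        alerts.append({"first_seen": ts, "client": client, "fqdn": fqdn, "provider": provider})
    return alerts


# Constructed DNS query log: "timestamp client qname".
SAMPLE_DNS_LOG = """
2025-05-01T09:12:03Z 10.20.30.41 run.mocky.io
2025-05-01T09:15:44Z 10.20.30.52 a1b2c3.webhook.site
2025-05-01T09:16:01Z 10.20.30.52 a1b2c3.webhook.site
2025-05-01T10:02:19Z 10.20.30.77 notwebhook.site
2025-05-01T10:30:00Z 10.20.30.41 xyz.mocky.io
2025-05-01T11:00:00Z 10.20.30.90 ngrok.io
"""

# FQDNs already reviewed and accepted by the SOC (constructed).
BASELINE = {"run.mocky.io"}

if __name__ == "__main__":
    for alert in find_new_provider_subdomains(SAMPLE_DNS_LOG, provider_suffixes(WATCHED_PROVIDERS), BASELINE):
        print(alert)
```

    Persisting the "seen" set between runs turns this into the first-seen tracking the paragraph above describes: the second query for a1b2c3.webhook.site produces no second alert, while a brand-new host under a watched provider surfaces with the first internal client that resolved it, which is usually the phished user.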

    Identity and Access Management

    Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques: 

    • Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
    • Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
    • Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
    • Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
      • For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
    • Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
    • Use account throttling or account lockout [D3-ANET]:
      • Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
      • Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
      • Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
      • If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
    • Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
    • Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]

    IP Camera Mitigations

    The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:

    • Ensure IP cameras are currently supported. Replace devices that are out of support.
    • Apply security patches and firmware updates to all IP cameras [D3-SU].
    • Disable remote access to the IP camera, if unnecessary [D3-ITF].
    • Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
    • If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
    • Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
    • Turn off other ports/services not in use (e.g., FTP or the web interface) [D3-ACH].
    • If supported, enable authenticated RTSP access only [D3-AA].
    • Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
    • Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
    • Configure, tune, and monitor logging—if available—on the IP camera.

    Indicators of Compromise (IOCs)

    Note: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when triaging logs or developing detection rules based on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.

    Utilities and scripts

    Legitimate utilities

    Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:

    • ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
    • wevtutil – A legitimate Windows executable used by threat actors to delete event logs
    • vssadmin – A legitimate Windows executable possibly used by threat actors to create a volume shadow copy of the server’s C: drive
    • ADexplorer – A legitimate Sysinternals Windows executable used to view, edit, and snapshot Active Directory
    • OpenSSH – The Windows version of a legitimate open source SSH client
    • schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
    • whoami – A legitimate Windows executable used to retrieve the name of the current user
    • tasklist – A legitimate Windows executable used to retrieve the list of running processes
    • hostname – A legitimate Windows executable used to retrieve the device name
    • arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
    • systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
    • net – A legitimate Windows executable used to retrieve detailed user information
    • wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
    • cacls – A legitimate Windows executable used to modify permissions on files
    • icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
    • ssh – A legitimate Windows executable used to establish network shell connections
    • reg – A legitimate Windows executable used to add to or modify the system registry 

    Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.

    Malicious scripts

    • Certipy – An open source python tool for enumerating and abusing Active Directory Certificate Services
    • Get-GPPPassword.py – An open source python script for finding insecure passwords stored in Group Policy Preferences
    • ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
    • Hikvision backdoor string: “YWRtaW46MTEK”

    Suspicious command lines

    While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:

    • edge.exe “-headless-new -disable-gpu”
    • ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
    • ssh -Nf
    • schtasks /create /xml

    Outlook CVE Exploitation IOCs

    • md-shoeb@alfathdoor[.]com[.]sa
    • jayam@wizzsolutions[.]com
    • accounts@regencyservice[.]in
    • m.salim@tsc-me[.]com
    • vikram.anand@4ginfosource[.]com
    • mdelafuente@ukwwfze[.]com
    • sarah@cosmicgold469[.]co[.]za
    • franch1.lanka@bplanka[.]com
    • commerical@vanadrink[.]com
    • maint@goldenloaduae[.]com
    • karina@bhpcapital[.]com
    • tv@coastalareabank[.]com
    • ashoke.kumar@hbclife[.]in
    • 213[.]32[.]252[.]221
    • 124[.]168[.]91[.]178
    • 194[.]126[.]178[.]8
    • 159[.]196[.]128[.]120

    Commonly Used Webmail Providers

    • portugalmail[.]pt
    • mail-online[.]dk
    • email[.]cz
    • seznam[.]cz

    Malicious Archive Filenames Involving CVE-2023-38831

    • calc.war.zip
    • news_week_6.zip
    • Roadmap.zip
    • SEDE-PV-2023-10-09-1_EN.zip
    • war.zip
    • Zeyilname.zip

    Brute Forcing IP Addresses

    Disclaimer: These IP addresses date from June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.

    June 2024

    • 192[.]162[.]174[.]94
    • 103[.]97[.]203[.]29
    • 209[.]14[.]71[.]127
    • 109[.]95[.]151[.]207

    July 2024

    • 207[.]244[.]71[.]84
    • 162[.]210[.]194[.]2

    August 2024

    • 31[.]135[.]199[.]145
    • 31[.]42[.]4[.]138
    • 46[.]112[.]70[.]252
    • 46[.]248[.]185[.]236
    • 64[.]176[.]67[.]117
    • 64[.]176[.]69[.]196
    • 64[.]176[.]70[.]18
    • 64[.]176[.]70[.]238
    • 64[.]176[.]71[.]201
    • 70[.]34[.]242[.]220
    • 70[.]34[.]243[.]226
    • 70[.]34[.]244[.]100
    • 70[.]34[.]245[.]215
    • 70[.]34[.]252[.]168
    • 70[.]34[.]252[.]186
    • 70[.]34[.]252[.]222
    • 70[.]34[.]253[.]13
    • 70[.]34[.]253[.]247
    • 70[.]34[.]254[.]245
    • 79[.]184[.]25[.]198
    • 79[.]185[.]5[.]142
    • 83[.]10[.]46[.]174
    • 83[.]168[.]66[.]145
    • 83[.]168[.]78[.]27
    • 83[.]168[.]78[.]31
    • 83[.]168[.]78[.]55
    • 83[.]23[.]130[.]49
    • 83[.]29[.]138[.]115
    • 89[.]64[.]70[.]69
    • 90[.]156[.]4[.]204
    • 91[.]149[.]202[.]215
    • 91[.]149[.]203[.]73
    • 91[.]149[.]219[.]158
    • 91[.]149[.]219[.]23
    • 91[.]149[.]223[.]130
    • 91[.]149[.]253[.]118
    • 91[.]149[.]253[.]198
    • 91[.]149[.]253[.]20
    • 91[.]149[.]253[.]204
    • 91[.]149[.]254[.]75
    • 91[.]149[.]255[.]122
    • 91[.]149[.]255[.]19
    • 91[.]149[.]255[.]195
    • 91[.]221[.]88[.]76
    • 93[.]105[.]185[.]139
    • 95[.]215[.]76[.]209
    • 138[.]199[.]59[.]43
    • 147[.]135[.]209[.]245
    • 178[.]235[.]191[.]182
    • 178[.]37[.]97[.]243
    • 185[.]234[.]235[.]69
    • 192[.]162[.]174[.]67
    • 194[.]187[.]180[.]20
    • 212[.]127[.]78[.]170
    • 213[.]134[.]184[.]167

    Detections

    Customized NTLM listener

    rule APT28_NTLM_LISTENER {
        meta:
            description = "Detects NTLM listeners including APT28's custom one"
        strings:
            $command_1 = "start-process powershell.exe -WindowStyle hidden"
            $command_2 = "New-Object System.Net.HttpListener"
            $command_3 = "Prefixes.Add('http://localhost:8080/')"
            $command_4 = "-match 'Authorization'"
            $command_5 = "GetValues('Authorization')"
            $command_6 = "Request.RemoteEndPoint.Address.IPAddressToString"
            $command_7 = "@(0x4e,0x54,0x4c,0x4d, 0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x28,0x00,0x00,0x01,0x82,0x00,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)"
            $command_8 = ".AllKeys"

            $variable_1 = "$NTLMAuthentication" nocase
            $variable_2 = "$NTLMType2" nocase
            $variable_3 = "$listener" nocase
            $variable_4 = "$hostip" nocase
            $variable_5 = "$request" nocase
            $variable_6 = "$ntlmt2" nocase
            $variable_7 = "$NTLMType2Response" nocase
            $variable_8 = "$buffer" nocase
        condition:
            5 of ($command_*)
            or
            all of ($variable_*)
    }

    HEADLACE shortcut

    rule APT28_HEADLACE_SHORTCUT {
        meta:
            description = "Detects the HEADLACE backdoor shortcut dropper. Rule is meant for threat hunting."
        strings:
            $type = "[InternetShortcut]" ascii nocase
            $url  = "file://"
            $edge = "msedge.exe"
            $icon = "IconFile"
        condition:
            all of them
    }

    HEADLACE credential dialogbox phishing 

    rule APT28_HEADLACE_CREDENTIALDIALOG {
        meta:
            description = "Detects scripts used by APT28 to lure user into entering credentials"
        strings:
            $command_1 = "while($true)"
            $command_2 = "Get-Credential $(whoami)"
            $command_3 = "Add-Content"
            $command_4 = ".UserName"
            $command_5 = ".GetNetworkCredential().Password"
            $command_6 = "GetNetworkCredential().Password.Length -ne 0"
        condition:
            5 of them
    }

    HEADLACE core script

    rule APT28_HEADLACE_CORE {
        meta:
            description = "Detects HEADLACE core batch scripts"
        strings:
            $chcp = "chcp 65001" ascii
            $headless = "start \"\" msedge --headless=new --disable-gpu" ascii

            $command_1 = "taskkill /im msedge.exe /f" ascii
            $command_2 = "whoami>\"%programdata%\\" ascii
            $command_3 = "timeout" ascii
            $command_4 = "copy \"%programdata%\\" ascii
            $non_generic_del_1 = "del /q /f \"%programdata%\\" ascii
            $non_generic_del_3 = "del /q /f \"%userprofile%\\Downloads" ascii

            $generic_del = "del /q /f" ascii
        condition:
            ( $chcp and $headless )
            and
            (
                1 of ($non_generic_del_*)
                or $generic_del
                or 3 of ($command_*)
            )
    }

    MASEPIE

    rule APT28_MASEPIE {
        meta:
            description = "Detects MASEPIE python script"
        strings:
            $masepie_unique_1 = "os.popen('whoami').read()"
            $masepie_unique_2 = "elif message == 'check'"
            $masepie_unique_3 = "elif message == 'send_file':"
            $masepie_unique_4 = "elif message == 'get_file'"
            $masepie_unique_5 = "enc_mes('ok'"
            $masepie_unique_6 = "Bad command!'.encode('ascii'"
            $masepie_unique_7 = "{user}{SEPARATOR}{k}"
            $masepie_unique_8 = "raise Exception(\"Reconnect"
        condition:
            3 of ($masepie_unique_*)
    }

    STEELHOOK

    rule APT28_STEELHOOK {
        meta:
            description = "Detects APT28's STEELHOOK powershell script"
        strings:
            $s_1 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State)"
            $s_2 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data)"
            $s_3 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Local State)"
            $s_4 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\Login Data)"
            $s_5 = "os_crypt.encrypted_key"
            $s_6 = "System.Security.Cryptography.DataProtectionScope"
            $s_7 = "[system.security.cryptography.protectdata]::Unprotect"
            $s_8 = "Invoke-RestMethod"
        condition:
            all of them
    }

    PSEXEC

    rule GENERIC_PSEXEC {
        meta:
            description = "Detects SysInternals PSEXEC executable"
        strings:
            $sysinternals_1 = "SYSINTERNALS SOFTWARE LICENSE TERMS"
            $sysinternals_2 = "/accepteula"
            $sysinternals_3 = "Software\\Sysinternals"
            $network_1 = "\\\\%s\\IPC$"
            $network_2 = "\\\\%s\\ADMIN$\\%s"
            $network_3 = "\\Device\\LanmanRedirector\\%s\\ipc$"
            $psexec_1 = "PSEXESVC"
            $psexec_2 = "PSEXEC-{}-"
            $psexec_3 = "Copying %s to %s..."
            $psexec_4 = "gPSINFSVC"
        condition:
            ( uint16(0x0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 )
            and filesize < 1024KB
            and
            (
                ( any of ($sysinternals_*) and any of ($psexec_*) )
                or
                ( 2 of ($network_*) and 2 of ($psexec_*) )
            )
    }

    The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all-encompassing, the following are the most notable threat group names tracked under MITRE ATT&CK G0007 and commonly used within the cybersecurity community: 

    • APT28 [14]
    • Fancy Bear [14]
    • Forest Blizzard [14]
    • Blue Delta [15]

    Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.

    Further Reference

    To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc. 

    For the Impacket TTP, network defenders may consider using the following publicly available Impacket YARA detection rule:
    https://github.com/Neo23x0/signature-base/blob/master/yara/gen_impacket_tools.yar

    Works Cited

    [1] Microsoft. Defending Ukraine: Early Lessons from the Cyber War. 2022. https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/
    [2] FBI et al. Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations. 2024. https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF
    [3] NSA et al. Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 2021. https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
    [4] ANSSI. Campagnes d'attaques du mode opératoire APT28 depuis 2021 (APT28 intrusion set attack campaigns since 2021). 2023. https://cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/
    [5] ANSSI. Targeting and compromise of French entities using the APT28 intrusion set. 2025. https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/
    [6] Polish Cyber Command. Detecting Malicious Activity Against Microsoft Exchange Servers. 2023. https://www.wojsko-polskie.pl/woc/articles/aktualnosci-w/detecting-malicious-activity-against-microsoft-exchange-servers/
    [7] IBM. Israel-Hamas Conflict Lures to Deliver Headlace Malware. 2023. https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/
    [8] CERT-UA. APT28: From Initial Attack to Creating Domain Controller Threats in an Hour. 2023. https://cert.gov.ua/article/6276894
    [9] NSA. Embracing a Zero Trust Security Model. 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF
    [10] NSA et al. Keeping PowerShell: Security Measures to Use and Embrace. 2022. https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF
    [11] National Institute of Standards and Technology (NIST). Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. 2020. https://pages.nist.gov/800-63-3/sp800-63b.html
    [12] NSA. Selecting Secure Multi-factor Authentication Solutions. 2020. https://media.defense.gov/2024/Jul/31/2003515137/-1/-1/0/MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF
    [13] NSA and CISA. NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. 2023. https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF
    [14] Department of Justice. Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). 2024. https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
    [15] Recorded Future. GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns. 2024. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf

    Disclaimer of endorsement

    The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

    Purpose

    This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

    Contact

    United States organizations

    • National Security Agency (NSA)
    • Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
      • U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
    • Department of Defense Cyber Crime Center (DC3)

    United Kingdom organizations

    Germany organizations

    Czech Republic organizations

    Poland organizations

    Australian organizations

    • Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

    Canadian organizations

    Estonia organizations

    French organizations

    • French organizations are encouraged to report suspicious activity or incident related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at: 3218 or +33 9 70 83 32 18. 

    See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.

    Table 2: Reconnaissance
    Tactic/Technique Title ID Use
    Reconnaissance TA0043 Conducted reconnaissance on at least one entity involved in the production of ICS components for railway management.
    Gather Victim Identity Information: Email Addresses T1589.002 Conducted contact information reconnaissance to identify additional targets in key positions.
    Gather Victim Org Information T1591 Conducted reconnaissance of the cybersecurity department.
    Gather Victim Org Information: Identify Roles T1591.004 Conducted reconnaissance of individuals responsible for coordinating transport.
    Gather Victim Org Information: Business Relationships T1591.002 Conducted reconnaissance of other companies cooperating with the victim entity.
    Gather Victim Host Information T1592 Attempted to enumerate Real Time Streaming Protocol (RTSP) servers hosting IP cameras.
    Table 3: Resource development
    Tactic/Technique Title ID Use
    Compromise Accounts: Email Accounts T1586.002 Sent phishing emails using compromised accounts.
    Compromise Accounts: Cloud Accounts T1586.003 Sent phishing emails using compromised accounts.
    Table 4: Initial Access
    Tactic/Technique Title ID Use
    Trusted Relationship T1199 Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
    Phishing T1566 Used spearphishing for credentials and delivering malware to gain initial access to targeted entities.
    Phishing: Spearphishing Attachment T1566.001 Sent emails with malicious attachments.
    Phishing: Spearphishing Link T1566.002 Used spearphishing with included links to fake login pages. Sent emails with embedded hyperlinks that downloaded a malicious archive.
    Phishing: Spearphishing Voice T1566.004 Attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff.
    External Remote Services T1133 Exploited Internet-facing infrastructure, including corporate VPNs, to gain initial access to targeted entities.
    Exploit Public-Facing Application T1190 Exploited public vulnerabilities and SQL injection to gain initial access to targeted entities.
    Content Injection T1659 Leveraged a WinRAR vulnerability (CVE-2023-38831, see Appendix B) allowing execution of arbitrary code embedded in an archive.
    Table 5: Execution
    Tactic/Technique Title ID Use
    User Execution: Malicious Link T1204.001 Used malicious links to hosted shortcuts in spearphishing.
    User Execution: Malicious File T1204.002 Delivered malware executables via spearphishing.
    Scheduled Task/Job: Scheduled Task T1053.005 Used scheduled tasks to establish persistence.
    Command and Scripting Interpreter T1059 Delivered scripts in spearphishing. Executed arbitrary shell commands.
    Command and Scripting Interpreter: PowerShell T1059.001 PowerShell commands were often used to prepare data for exfiltration.
    Command and Scripting Interpreter: Windows Command Shell T1059.003 Used BAT script in spearphishing.
    Command and Scripting Interpreter: Visual Basic T1059.005 Used VBScript in spearphishing.
    Command and Scripting Interpreter: Python T1059.006 Installed Python on infected machines to enable execution of Certipy.
    Table 6: Persistence
    Tactic/Technique Title ID Use
    Account Manipulation: Additional Email Delegate Permissions T1098.002 Manipulated mailbox permissions to establish sustained email collection.
    Modify Authentication Process: Multi-Factor Authentication T1556.006 Enrolled compromised accounts in MFA mechanisms to increase the trust level of those accounts and enable sustained access.
    Hijack Execution Flow: DLL Search Order Hijacking T1574.001 Used DLL search order hijacking to facilitate malware execution.
    Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 Used run keys to establish persistence.
    Boot or Logon Autostart Execution: Shortcut Modification T1547.009 Placed malicious shortcuts in the startup folder to establish persistence.
    Table 7: Defense Evasion
    Tactic/Technique Title ID Use
    Indicator Removal: Clear Windows Event Logs T1070.001 Deleted event logs using the wevtutil utility.
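
    The wevtutil log clearing above (T1070.001) is the activity the Appendix C rows on System File Analysis and Process Spawn Analysis tell defenders to watch for. The Python below is an added worked example for this page, not code from the advisory or its authors: it runs those checks over constructed records, alerting on Security event 1102 and System event 104 (a log was cleared) and on Sysmon process-creation events whose command line runs wevtutil with a clear-log verb. The flat JSON record shape, host names and user names are assumptions made for the example.

```python
"""Detect Windows event-log clearing (ATT&CK T1070.001).

Added example for this page, not code from the advisory. Input records are
constructed in a flat JSON shape (Channel, EventID, Computer plus a few
event-specific fields); in practice they would come from a collector that
forwards the Security and System channels and Sysmon process-creation
events. Three signals are checked: Security 1102 and System 104 (a log was
cleared) and a launch of wevtutil with the "cl" or "clear-log" verb.
"""
import json
import re

SECURITY_LOG_CLEARED = 1102      # Security: "The audit log was cleared"
SYSTEM_LOG_CLEARED = 104         # System: an event log file was cleared
SYSMON_PROCESS_CREATE = 1        # Microsoft-Windows-Sysmon/Operational
WEVTUTIL_CLEAR_VERBS = {"cl", "clear-log"}

# First token of a command line, honouring a quoted image path; the rest are arguments.
_IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))(.*)$', re.S)


def clears_log_via_wevtutil(command_line: str) -> bool:
    """True if the command line runs wevtutil (any path, any case) with a clear-log verb."""
    m = _IMAGE_RE.match(command_line or "")
    if not m:
        return False
    image = (m.group(1) or m.group(2)).lower().rsplit("\\", 1)[-1]
    if image not in ("wevtutil", "wevtutil.exe"):
        return False
    return any(arg.lower() in WEVTUTIL_CLEAR_VERBS for arg in m.group(3).split())


def detect_log_clearing(records):
    """Return one alert dict per record that indicates a cleared event log."""
    alerts = []
    for r in records:
        channel, eid = r.get("Channel", ""), int(r.get("EventID", -1))
        base = {"host": r.get("Computer"), "user": r.get("SubjectUserName") or r.get("User")}
        if channel == "Security" and eid == SECURITY_LOG_CLEARED:
            alerts.append(dict(base, rule="security_log_cleared"))
        elif channel == "System" and eid == SYSTEM_LOG_CLEARED:
            alerts.append(dict(base, rule="event_log_cleared", log=r.get("LogName")))
        elif channel.startswith("Microsoft-Windows-Sysmon") and eid == SYSMON_PROCESS_CREATE:
            if clears_log_via_wevtutil(r.get("CommandLine", "")):
                alerts.append(dict(base, rule="wevtutil_clear_log", command_line=r["CommandLine"]))
    return alerts


# Constructed sample (assumed field names): two benign records mixed with four that should alert.
SAMPLE_RECORDS = r"""
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "WS-042", "User": "CORP\\j.doe", "CommandLine": "wevtutil.exe cl Security"}
{"Channel": "Security", "EventID": 1102, "Computer": "WS-042", "SubjectUserName": "j.doe"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "SRV-01", "User": "CORP\\admin", "CommandLine": "\"C:\\Windows\\System32\\wevtutil.exe\" qe Security /c:5"}
{"Channel": "System", "EventID": 104, "Computer": "SRV-01", "SubjectUserName": "admin", "LogName": "Microsoft-Windows-PowerShell/Operational"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "SRV-01", "User": "CORP\\admin", "CommandLine": "powershell.exe -NoProfile -Command Get-Date"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "SRV-01", "User": "CORP\\admin", "CommandLine": "C:\\Windows\\System32\\wevtutil.exe clear-log System"}
"""


def run_sample():
    """Parse the constructed records and return the alerts they raise."""
    records = [json.loads(line) for line in SAMPLE_RECORDS.strip().splitlines()]
    return detect_log_clearing(records)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

    A Sigma rule for the same behaviour keys on the same three conditions. The command-line check also matches the long-form clear-log verb and a quoted full path, which a plain "wevtutil cl" string match misses; a query such as "wevtutil qe" is left alone. Event 1102 is written into the freshly cleared Security log, so it survives locally only until the next clear: forward it off the host promptly.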
    Table 8: Credential Access
    Tactic/Technique Title ID Use
    Brute Force T1110 Sent requests with Base64-encoded credentials to the RTSP server, including publicly documented default credentials; these were likely generic attempts to brute force access to the devices.
    Brute Force: Password Guessing T1110.001 Used credential guessing to gain initial access to targeted entities.
    Brute Force: Password Spraying T1110.003 Used brute force to gain initial access to targeted entities. Conducted a brute force password spray via LDAP.
    Multi-Factor Authentication Interception T1111 Used multi-stage redirectors to provide MFA relaying capabilities in some campaigns.
    Input Capture T1056 Used multi-stage redirectors to provide CAPTCHA relaying capabilities in some campaigns.
    Forced Authentication T1187 Used an Outlook NTLM vulnerability (CVE-2023-23397, see Appendix B) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations.
    OS Credential Dumping: NTDS T1003.003 Attempted to dump Active Directory NTDS.dit domain databases.
    Unsecured Credentials: Group Policy Preferences T1552.006 Retrieved plaintext passwords from Group Policy Preferences using Get-GPPPassword.py.
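
    The LDAP password spray in Table 8 (T1110.003) stays below any per-account lockout threshold by trying a few passwords against many accounts. The Python below is an added example for this page, not code from the advisory: it parses a constructed LDAP bind log and alerts when one client address fails against at least five distinct accounts within ten minutes without hammering any single one of them, a pattern that neither a single-account brute force nor a user's own typos produce. The log format, addresses and account names are constructed for the example.

```python
"""Detect an LDAP password spray from bind logs (ATT&CK T1110.003).

Added example for this page, not code from the advisory. The log format is
constructed for illustration: one line per LDAP bind attempt with timestamp,
client address, account and result. A spray shows up as one source failing
against many accounts a few times each, which a per-account lockout never sees.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) bind "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_bind_log(lines):
    """Yield (timestamp, src, user, result) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
               m["src"], m["user"], m["result"])


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Alert once per source that fails against >= min_accounts distinct accounts
    inside `window` while trying no single account more than max_per_account times
    (the low-and-slow signature of a spray)."""
    recent = defaultdict(deque)          # src -> failed binds (ts, user) inside the window
    alerted, alerts = set(), []
    for ts, src, user, result in sorted(events):
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:     # drop failures that fell out of the window
            q.popleft()
        per_user = Counter(u for _, u in q)
        if (src not in alerted and len(per_user) >= min_accounts
                and max(per_user.values()) <= max_per_account):
            alerted.add(src)
            alerts.append({"src": src, "accounts": len(per_user),
                           "first_seen": q[0][0].isoformat(), "last_seen": ts.isoformat()})
    return alerts


# Constructed sample: a spray from 203.0.113.45, a user's typos from 198.51.100.7,
# and a single-account brute force against "admin" from 192.0.2.9.
SAMPLE_LOG = """\
2025-05-14T09:00:05Z bind src=203.0.113.45 user=a.meyer result=FAIL
2025-05-14T09:00:09Z bind src=203.0.113.45 user=b.koch result=FAIL
2025-05-14T09:00:14Z bind src=198.51.100.7 user=j.smith result=FAIL
2025-05-14T09:00:15Z bind src=203.0.113.45 user=c.wolf result=FAIL
2025-05-14T09:00:21Z bind src=203.0.113.45 user=d.braun result=FAIL
2025-05-14T09:00:27Z bind src=198.51.100.7 user=j.smith result=FAIL
2025-05-14T09:00:30Z bind src=203.0.113.45 user=e.fischer result=FAIL
2025-05-14T09:00:36Z bind src=203.0.113.45 user=f.weber result=FAIL
2025-05-14T09:00:40Z bind src=198.51.100.7 user=j.smith result=OK
2025-05-14T09:01:00Z bind src=192.0.2.9 user=admin result=FAIL
2025-05-14T09:01:03Z bind src=192.0.2.9 user=admin result=FAIL
2025-05-14T09:01:06Z bind src=192.0.2.9 user=admin result=FAIL
2025-05-14T09:01:09Z bind src=192.0.2.9 user=admin result=FAIL
2025-05-14T09:01:12Z bind src=192.0.2.9 user=admin result=FAIL
2025-05-14T09:01:15Z bind src=192.0.2.9 user=admin result=FAIL
"""


def run_sample():
    """Run the detector over the constructed log and return its alerts."""
    return detect_spray(parse_bind_log(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

    The single-account hammering from 192.0.2.9 is deliberately not reported here; that case is what per-account throttling or lockout handles. On a domain controller the same grouping by source address can be built from Windows logon-failure events, which carry the client address; the thresholds are starting points to tune against the environment's normal failure rate.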

    Table 9: Discovery
    Tactic/Technique Title ID Use
    Account Discovery: Domain Account T1087.002 Used a modified ldap-dump.py to enumerate the Windows environment.

    Table 10: Command and Control
    Tactic/Technique Title ID Use
    Hide Infrastructure T1665 Abused SOHO devices to facilitate covert cyber operations and to proxy malicious activity through devices geolocated in proximity to the target.
    Proxy: External Proxy T1090.002 Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers.
    Proxy: Multi-hop Proxy T1090.003 Used Tor and commercial VPNs as part of their anonymization infrastructure.
    Encrypted Channel T1573 Connected to victim infrastructure over TLS.
    Multi-Stage Channels T1104 Used multi-stage redirectors for campaigns.
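
    The RTSP activity in Tables 2, 8 and 10 (enumerating camera servers, then sending DESCRIBE requests carrying Base64-encoded credentials, including documented defaults) is readable on the wire because RTSP reuses HTTP Basic authentication, and Base64 is encoding, not encryption. The Python below is an added example for this page, not code from the advisory: it parses constructed RTSP DESCRIBE requests, decodes any Basic credentials, checks them against an illustrative default-credential list, and flags a client that keeps guessing. The requests, addresses and the default list are constructed for the example.

```python
"""Triage captured RTSP DESCRIBE requests for Basic-auth credential guessing.

Added example for this page, not code from the advisory. RTSP (RFC 2326)
reuses HTTP's Authorization header, so a "Basic" credential is merely
base64(user:password), which any sensor between client and camera can
decode. The requests and the default-credential list are constructed.
"""
import base64
import binascii
from collections import defaultdict

# Illustrative defaults of the kind documented in public camera manuals
# (constructed for this example; an operator would load their own list).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", ""), ("admin", "12345"),
    ("admin", "123456"), ("root", "root"), ("root", "pass"),
}


def parse_rtsp_request(raw: bytes):
    """Return (method, url, headers) with header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("RTSP/"):
        raise ValueError("not an RTSP request line: %r" % lines[0])
    method, url, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, url, headers


def basic_credentials(headers):
    """Decode an 'Authorization: Basic ...' header; None if absent or malformed."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def analyze(requests, brute_force_threshold=3):
    """requests: iterable of (client_ip, raw_request_bytes).

    Per client, count DESCRIBE requests carrying Basic credentials, record which
    of them are known defaults, and flag the client once the count reaches the
    threshold. Requests using Digest or no credentials are counted as zero.
    """
    per_client = defaultdict(lambda: {"attempts": 0, "default_credentials": [], "brute_force": False})
    for client_ip, raw in requests:
        try:
            method, _url, headers = parse_rtsp_request(raw)
        except ValueError:
            continue                      # not RTSP; leave it to another parser
        if method != "DESCRIBE":
            continue
        summary = per_client[client_ip]   # every DESCRIBE client gets an entry
        creds = basic_credentials(headers)
        if creds is None:
            continue
        summary["attempts"] += 1
        if creds in DEFAULT_CREDENTIALS:
            summary["default_credentials"].append(creds)
        summary["brute_force"] = summary["attempts"] >= brute_force_threshold
    return dict(per_client)


def _describe(ip, authorization):
    """Constructed DESCRIBE for a camera stream, optionally with an Authorization header."""
    raw = ("DESCRIBE rtsp://192.0.2.10:554/stream1 RTSP/1.0\r\n"
           "CSeq: 2\r\n"
           "User-Agent: scanner/0.1\r\n"
           + ("Authorization: %s\r\n" % authorization if authorization else "")
           + "\r\n").encode("latin-1")
    return ip, raw


def _basic(user, password):
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


SAMPLE_REQUESTS = [                        # constructed capture
    _describe("203.0.113.77", "Basic YWRtaW46YWRtaW4="),   # admin:admin
    _describe("203.0.113.77", _basic("admin", "12345")),
    _describe("203.0.113.77", _basic("root", "toor")),
    _describe("198.51.100.20", 'Digest username="operator", realm="cam", nonce="abc", response="0"'),
    _describe("198.51.100.20", None),
]


def analyze_sample():
    return analyze(SAMPLE_REQUESTS)


if __name__ == "__main__":
    for ip, summary in analyze_sample().items():
        print(ip, summary)
```

    What this sensor decodes is exactly what an attacker's proxy in the path also sees, which is why the Appendix C rows on credential rotation and agent authentication apply to cameras as much as to servers: change the factory credentials, require authenticated RTSP where the device supports it, and prefer Digest or an encrypted transport over Basic.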

    Table 11: Defense Evasion (mobile framework)
    Tactic/Technique Title ID Use
    Execution Guardrails T1627 Used multi-stage redirectors to verify browser fingerprints in some campaigns.
    Execution Guardrails: Geofencing T1627.001 Used multi-stage redirectors to verify IP geolocation in some campaigns.

    Table 12: Lateral Movement
    Tactic/Technique Title ID Use
    Lateral Movement TA0008 Used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment.
    Remote Services: Remote Desktop Protocol T1021.001 Moved laterally within the network using RDP.

    Table 13: Collection
    Tactic/Technique Title ID Use
    Email Collection T1114 Retrieved sensitive data from email servers.
    Email Collection: Remote Email Collection T1114.002 Used server data exchange protocols and APIs such as Exchange Web Services (EWS) and IMAP to exfiltrate data from email servers.
    Automated Collection T1119 Used periodic EWS queries to collect new emails.
    Video Capture T1125 Attempted to gain access to the cameras’ feeds.
    Archive Collected Data T1560 Archived accessed files in .zip files prior to exfiltration.
    Archive Collected Data: Archive via Utility T1560.001 Prepared zip archives for upload to the actors’ infrastructure.

    Table 14: Exfiltration
    Tactic/Technique Title ID Use
    Exfiltration Over Alternative Protocol T1048 Attempted to exfiltrate archived data via a previously dropped OpenSSH binary.
    Scheduled Transfer T1029 Used periodic EWS queries to collect new emails sent and received since the last data exfiltration.

    Appendix B: CVEs exploited

    Table 15: Exploited CVE information
    CVE  Vendor/Product  Details
    CVE-2023-38831  RARLAB WinRAR  Allows execution of arbitrary code when a user attempts to view a benign file within a ZIP archive.
    CVE-2023-23397  Microsoft Outlook  External actors could send specially crafted emails that cause a connection from the victim to an untrusted location under the actor’s control, leaking the victim’s Net-NTLMv2 hash, which the actor could then relay to another service to authenticate as the victim.
    CVE-2021-44026  Roundcube Webmail  Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
    CVE-2020-35730  Roundcube Webmail  An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php.
    CVE-2020-12641  Roundcube Webmail  Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.

    Appendix C: MITRE D3FEND Countermeasures

    Table 16: MITRE D3FEND countermeasures
    Countermeasure Title  ID  Details
    Network Isolation  Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers.
    Access Mediation  Limit access and use additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access.
    Inbound Traffic Filtering  Implement host firewall rules that block connections from other devices on the network, other than authorized management devices and servers, to prevent lateral movement.
    Resource Access Pattern Analysis  Use automated tools to audit access logs for security concerns and identify anomalous access requests.
    Outbound Traffic Filtering  Block NTLM/SMB requests to external infrastructure.
    Platform Monitoring  Install EDR/logging/cybersecurity solutions on high-value systems holding large amounts of sensitive data, such as mail servers and domain controllers.
    System File Analysis  Collect and monitor Windows logs for certain events, especially events that indicate a log was cleared unexpectedly.
    Application Hardening  Enable optional security features in Windows to harden endpoints and mitigate initial access techniques.
    Application-based Process Isolation  Enable attack surface reduction rules to prevent executable content from email.
    Executable Allowlisting  Enable attack surface reduction rules to prevent execution of files from globally writable directories, such as Downloads or %APPDATA%.
    Execution Isolation  Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts.
    Application Configuration Hardening  Disable Windows Script Host and configure PowerShell to run in Constrained Language Mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.).
    Process Spawn Analysis  Use open source Sigma rules as a baseline for detecting and alerting on suspicious file execution or command parameters.
    URL Reputation Analysis  Use services that provide enhanced browsing protection and safe link checking.
    Network Access Mediation  Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as the target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible.
    DNS Denylisting  D3-DNSDL  Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors.
    Domain Name Reputation Analysis  Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each subdomain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
    Multi-factor Authentication  Use MFA with strong factors and require regular re-authentication, especially for management accounts.
    Job Function Access Pattern Analysis  D3-JFAPA  Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering hardware MFA tokens, and regularly reviewing all privileged user accounts.
    User Account Permissions  Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected.
    Token-based Authentication  Reduce reliance on passwords; instead, consider using services like single sign-on.
    Credential Hardening  Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts.
    Authentication Event Thresholding  Use account throttling or account lockout. Throttling progressively increases the time delay between successive login attempts. If using account lockout, allow 5 to 10 attempts before lockout.
    Strong Password Policy  Use a service to check for compromised passwords before using them.
    Credential Rotation  Change all default credentials.
    Encrypted Tunnels  Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices.
    Software Update  Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life.
    Agent Authentication  Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only.
    User Behavior Analysis  Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.
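
    The Authentication Event Thresholding row in Table 16 describes two policies in words. The Python below is an added example for this page, not code from the advisory or from any product: it implements both, progressive throttling (the wait doubles after each failed attempt on an account) and lockout after a configurable 5 to 10 failures, with the clock passed in explicitly so the policy can be exercised offline. The delays, lockout duration and reset window are assumptions chosen for the example.

```python
"""Authentication event thresholding: progressive throttling or lockout.

Added example for this page, not code from the advisory. "throttle" mode
doubles the wait after each failed attempt on an account (1s, 2s, 4s, ...);
"lockout" mode blocks the account for a fixed period after N failures, with
N restricted to the 5-10 range the countermeasure recommends. Callers pass
the current time in seconds, so the policy is testable without sleeping.
"""
from dataclasses import dataclass


@dataclass
class _AccountState:
    failures: int = 0          # consecutive failures since the last success/reset
    last_failure: float = 0.0  # time of the most recent failure
    locked_until: float = 0.0  # lockout mode only


class LoginGuard:
    def __init__(self, mode="throttle", base_delay=1.0, max_delay=300.0,
                 lockout_after=7, lockout_seconds=900.0, reset_after=900.0):
        if mode not in ("throttle", "lockout"):
            raise ValueError("mode must be 'throttle' or 'lockout'")
        if mode == "lockout" and not 5 <= lockout_after <= 10:
            raise ValueError("allow 5 to 10 attempts before lockout")
        self.mode = mode
        self.base_delay, self.max_delay = base_delay, max_delay
        self.lockout_after, self.lockout_seconds = lockout_after, lockout_seconds
        self.reset_after = reset_after
        self._accounts = {}

    def _state(self, account, now):
        st = self._accounts.setdefault(account, _AccountState())
        # Forget stale failures so an old typo does not penalise a user forever.
        if st.failures and now - st.last_failure >= self.reset_after:
            st.failures = 0
        return st

    def delay_after(self, failures):
        """Progressive delay imposed after `failures` consecutive failures, capped."""
        if failures == 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def check(self, account, now):
        """Return (allowed, seconds_to_wait); call this before verifying a password."""
        st = self._state(account, now)
        if self.mode == "lockout":
            if now < st.locked_until:
                return False, st.locked_until - now
            return True, 0.0
        wait = st.last_failure + self.delay_after(st.failures) - now
        if st.failures and wait > 0:
            return False, wait
        return True, 0.0

    def record_failure(self, account, now):
        st = self._state(account, now)
        st.failures += 1
        st.last_failure = now
        if self.mode == "lockout" and st.failures >= self.lockout_after:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0  # counting starts afresh once the lock expires

    def record_success(self, account, now):
        """A successful login clears all state for the account."""
        self._accounts.pop(account, None)


if __name__ == "__main__":
    guard = LoginGuard(mode="throttle")
    for t in (0.0, 1.0, 3.0):
        guard.record_failure("alice", t)
    print(guard.check("alice", 5.0))   # (False, 2.0): third failure at t=3 imposes a 4s wait
```

    Throttling degrades an attacker's guessing rate without denying service to the legitimate user; lockout is simpler but hands an attacker a denial-of-service lever and, as the LDAP spray in Table 8 shows, is evaded by rotating through accounts, so pair either policy with detection that groups failures by source rather than by account.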

    MIL Security OSI -

    May 22, 2025
  • MIL-OSI Europe: OSCE boosts solar energy skills to support Kyrgyzstan’s clean energy transition

    Source: Organization for Security and Co-operation in Europe – OSCE

    Headline: OSCE boosts solar energy skills to support Kyrgyzstan’s clean energy transition

    To help drive Kyrgyzstan’s transition to clean energy and meet its growing demand for renewables, the OSCE organized a joint initiative in Bishkek focused on both high-level policy dialogue and technical training. This effort was carried out in partnership with the Kyrgyz State Technical University (KSTU) and the Bulan Institute for Peace Innovations.
    On 19 May, over 70 participants – including representatives from government, academia, the private sector, international organizations, and civil society – gathered at KSTU for a roundtable discussion titled “Integration of Renewable Energy Sources into the Energy System of the Kyrgyz Republic and Prospects for RES Development.” The event explored key policy, regulatory, and technical challenges related to scaling up renewable energy – particularly solar and wind power – and examined ways to improve grid integration and expand access to clean energy across the country.
    High-level officials delivered opening remarks, including Dinara Kemelova, Special Representative of the President of the Kyrgyz Republic on Mountain Regions Development; Emilbek Ysmanov, First Deputy Minister of Energy; and Nicolas Faye, Ambassador of France to the Kyrgyz Republic.
    Alongside the policy discussions, the OSCE, together with KSTU and the Bulan Institute, launched the first of two hands-on training courses on solar photovoltaic system installation and maintenance. The course brought together 24 electricians from various parts of Kyrgyzstan – including many from rural and remote areas – to gain practical skills in solar system design, installation, and safety. Notably, the active participation of women in the training marked a positive step toward greater gender equality in the energy sector. A second training is scheduled for June 2025.
    “This initiative goes beyond solar panels – it’s about giving people the skills to shape their own energy future,” said Giulia Manconi, OSCE Senior Energy Security Adviser. “By investing in skills development, we’re not only helping Kyrgyzstan unlock its solar potential, but also creating meaningful jobs, promoting local value, and ensuring an inclusive transition to renewable energy that supports the country’s broader energy and climate goals.”
    By building local expertise, this initiative lays the foundation for the creation of a dedicated Solar Training Centre at KSTU, providing long-term support for Kyrgyzstan’s clean energy transition and offering a model that can be replicated across the region.
    This activity is part of the OSCE project on Promoting Women’s Economic Empowerment in the Energy Sector in Central Asia, funded by Austria, France, Germany, Italy, Norway and Poland.

    MIL OSI Europe News –

    May 22, 2025
  • MIL-OSI Europe: ASIA/KAZAKHSTAN – National Director of the Pontifical Mission Societies appointed

    Source: Agenzia Fides – MIL OSI

    Wednesday, 21 May 2025

    Vatican City (Agenzia Fides) – On May 13, Cardinal Luis Antonio G. Tagle, Pro-Prefect of the Dicastery for Evangelization (Section for First Evangelization and New Particular Churches), appointed Rev. Fr. Gabriel Jocher as National Director of the Pontifical Mission Societies in Kazakhstan. The new National Director is 36 years old and was born in Germany (Bavaria region). After finishing school, he entered the Congregation of the Servants of Jesus and Mary in 2007; he began his philosophical-theological studies in 2009, made his final vows in 2013, was ordained a deacon in 2015, and a priest in 2016. From 2016 to 2019, he served in the parish of Blindenmarkt (Austria) and from 2019 to 2023 he was in charge of the apostolate of youth ministry and families in southern Germany. Since October 2023 he has been working in the parish and in the Sacred Heart school in Korneevka in northern Kazakhstan. (EG) (Agenzia Fides, 21/5/2025)

    MIL OSI Europe News –

    May 22, 2025
  • MIL-OSI: xSuite Benelux to Host 2025 User Conference in Eindhoven

    Source: GlobeNewswire (MIL-OSI)

    Under the motto “One Team. One Journey.”, the business process optimization expert will present innovations and solutions for finance professionals this June.

    Eindhoven, Netherlands – May 21, 2025. xSuite Benelux will host its annual User Conference on June 25, 2025, at the Philips Museum in Eindhoven. The event will focus on future-oriented technologies for finance and IT decision-makers. Topics will include Artificial Intelligence, mandatory e-invoicing, SAP S/4HANA, cloud transformation, and Clean Core strategies. The conference will also feature a partner presentation showcasing the use of xSuite solutions in finance departments.

    Innovative technologies such as cloud computing and AI are increasingly shaping the finance function. At the event, xSuite will present product innovations, outline its roadmap, and provide insights into current and emerging technology trends. A presentation by xSuite partner Flexo will illustrate the implementation of xSuite solutions at Sumitomo for automated invoice processing. The case study will address the initial setup, challenges encountered, applied solutions, and measurable outcomes.

    In-Depth Sessions on Key Technology Topics:

    1. Artificial Intelligence in SAP Invoice Processing
    The session will present xSuite’s Prediction Server, an AI-based tool for invoice processing in SAP. It will also cover the growing role of Large Language Models (LLMs) in document recognition and process automation.

    2. E-Invoicing Compliance
    With upcoming e-invoice mandates in various EU countries – including the e-invoice obligation in Belgium in the beginning of 2026 – this session will focus on practical implementation insights and optimization strategies. The presentation will also look ahead to platform-based models and potential CTC (Continuous Transaction Control) reporting frameworks, including a preview of eDNA (electronic Document Network Adapter).

    3. SAP S/4HANA and Cloud Transformation
    Many organizations are already migrating to SAP S/4HANA or preparing to do so. Even companies using Private Cloud environments are encouraged to align with SAP’s Clean Core approach to minimize technical debt. This session will introduce xSuite’s SAP-integrated Business Solutions 6.0 and applications on the SAP Business Technology Platform (BTP).

    Networking and Exchange
    The conference will conclude with opportunities for networking and discussion of customer requirements, the role of xSuite as a strategic partner, and best practices in digital transformation projects.

    Event Details:

    xSuite User Conference Benelux
    June 25, 2025
    Philips Museum, Emmasingel 31, 5611 AZ Eindhoven
    10:00 AM – 3:00 PM

    More information and registration:
    https://news.xsuite.com/en/user-conference-2025-eindhoven

    About xSuite Group

    xSuite is a software manufacturer of applications for document-based processes and provides standardized, digital solutions worldwide that enable simple, secure, and fast work. We focus mainly on the automation of important work processes in conjunction with end-to-end document management. Our core competence lies in accounts payable (AP) automation in SAP (including e-invoicing), for leading companies worldwide, as well as for public clients. This is supplemented by applications for purchasing and order processes as well as archiving – all delivered from a single source, including both software components and services. xSuite solutions operate in the cloud or in hybrid scenarios. We take pride in the high-quality solutions we offer, as evidenced by the regular certifications we receive for our SAP solutions and deployment environments. With over 300,000 users benefitting from our solutions, xSuite processes more than 80 million documents per year in over 60 countries.

    Founded in 1994 and headquartered in Ahrensburg, Germany, xSuite has around 300 staff across nine locations worldwide – in Europe, Asia, and the United States. Our company has an established information security management system that is certified in accordance with ISO 27001:2022.

    Press Contact Headquarters:
    Barbara Wirtz
    xSuite Group GmbH
    Tel. +49 4102 883836
    barbara.wirtz@xsuite.com
    www.xsuite.com

    Contact xSuite Benelux:
    Hans Willems
    Managing Director
    xSuite Benelux BV
    Gelissendomein 8-10, Box 8
    6229 GJ Maastricht, Netherlands
    Tel +31 (43) 760 01-20
    info.benelux@xsuite.com
    www.xsuite.com


    The MIL Network –

    May 21, 2025
  • MIL-Evening Report: Gordon Campbell: NZ’s silence over Gaza genocide, ethnic cleansing

    COMMENTARY: By Gordon Campbell

    Since last Thursday, intensified Israeli air strikes on Gaza have killed more than 500 Palestinians, and a prolonged Israeli aid blockade has led to widespread starvation among the territory’s two million residents.

    Belatedly, Israel is letting in a token amount of food aid that UN Under-Secretary Tom Fletcher has called “a drop in the ocean”.

    Meanwhile, the IDF is intensifying its air and ground attacks on the civilian population and on the few remaining health services. Al Jazeera is also reporting that the IDF has issued “a forward displacement order” for the entirety of Khan Younis, the second largest city in Gaza.

    The escalation of the Israeli onslaught has been condemned by UN human rights chief Volker Türk, who has likened the IDF campaign to an exercise in ethnic cleansing:

    “This latest barrage of bombs … and the denial of humanitarian assistance underline that there appears to be a push for a permanent demographic shift in Gaza that is in defiance of international law and is tantamount to ethnic cleansing,” he said.

    If the West so wished, it could be putting more economic pressure on Israel to cease committing its litany of atrocities. Israel’s use of starvation as a weapon of war has been sparking mass demonstrations across Europe.

    In the Netherlands at the weekend, a massive demonstration culminated in calls for the Netherlands government to formally ask the EU to suspend its free trade agreement with Israel.

    Until now, the world’s relative indifference to the genocide in Gaza has been mirrored by Palestine’s Arab neighbours. As Gaza burned yet again, Saudi Arabia and the Emirates were lavishly entertaining US President Donald Trump — Israel’s chief enabler — and showering him with gifts.

    In the wake of these meetings, Trump and his hosts have signed arms deals and AI technology transfers that reportedly contain no guard rails to prevent these AI advances being passed on to China.

    In addition, Qatar has bought $96 billion worth of Boeing aircraft. Reportedly, this purchase has huge potential implications for the airline industry in our part of the world.

    In all, economic joint ventures worth hundreds of billions of dollars were signed and sealed last week between the US and the Middle East region, despite the misery being inflicted right next door.

    Footnote: Directly and indirectly, Big Tech firms such as Microsoft and Intel continue to enable and enhance the IDF war machine’s actions in Gaza. This is an extension of the long time support given to Israel by Silicon Valley firms via the supply of digital infrastructure, advanced chips, software and cloud computing facilities.

    Yesterday, several Microsoft staff had the courage to interrupt a speech by their CEO to protest about how the company’s Azure cloud computing platform was being used to enable Israeli war crimes in Gaza.

    The extinction of hope
    As the Ha’aretz newspaper reported this week, “The three pillars of hope for the Palestinians have collapsed: armed struggle has lost legitimacy, state negotiations have stalled, and faith in the international community has faded. Now, they face one question: ‘Where do we go from here?’

    As Ha’aretz concluded, the Palestinians seem to have vanished into a diplomatic Bermuda Triangle. What would it take, one wonders, for the New Zealand government — and Foreign Minister Winston Peters — to wake up from their moral slumber?

    Whenever the Luxon government does talk about this conflict, it still calls for a “two state solution” even though, as a leading Israeli journalist Gideon Levy says, this ceased to be a viable option more than 25 years ago.

    “We crossed the point of no return a long time ago. We crossed the point at which there was any room for a Palestinian state, with 700,000 settlers who will not be evacuated, because nobody will have the political power to do so. The West Bank is practically annexed for many, many years . . . Nobody can take this discourse seriously anymore. But, you know, those who want to believe in it, believe in it.”

    Conveniently, the two state waffle does provide Peters and Luxon with cover for their reluctance to — for example — call in, or expel the Israeli ambassador. Or impose a symbolic trade boycott. Or impose targeted sanctions on the extremists within the Netanyahu Cabinet who are driving Israeli policy.

    Instead of those options, the “negotiated two state” fantasy has been encouraged to take on a life of its own. Yet do we really think that Israel would entertain for a moment the expulsion of the hundreds of thousands of Jewish settlers illegally occupying the land on the West Bank required for a viable Palestinian state?

    The Netanyahu government has long had plans to double that number, with the settler influx growing at a reported rate of about 12,000 a year.

    The backlash
    Israel’s use of starvation as a weapon is finally creating a backlash, in Europe at least. The public outrage being expressed in demonstrations in the UK, France and Germany finally seems to be making some governments feel a need to be seen to be doing more.

    Not before time. At the drop of a hat, Western nations — New Zealand included — will bang on endlessly about the importance of upholding the norms of international law. So you have to ask . . . why have we/they chosen to remain all but mute about the repeated violations of human rights law and the Geneva Conventions being carried out by the IDF in Gaza on a daily basis?

    “In [Khan Younis’] Nasser Hospital, Safaa Al-Najjar, her face stained with blood, wept as the shroud-wrapped bodies of two of her children were brought to her: [18 month old] Motaz Al-Bayyok and [six weeks old] Moaz Al-Bayyok.

    “The family was caught in the overnight airstrikes. All five of Al-Najjar’s other children, ranging in ages from 3 to 12, were injured, while her husband was in intensive care. One of her sons, 11-year-old Yusuf, his head heavily bandaged, screamed in grief as the shroud of his younger sibling was parted to show his face.

    Ultimately, Israel’s moral decline will be for its own citizens to reckon with, in future. For now, New Zealand is standing around watching in silence, while a blood-soaked campaign of ethnic cleansing unmatched in recent history is being carried out.

    Republished with permission from Gordon Campbell’s column in partnership with Scoop.

    Article by AsiaPacificReport.nz

    MIL OSI Analysis – EveningReport.nz –

    May 21, 2025
  • MIL-OSI United Kingdom: Cash boost for coastal towns hosting clean energy infrastructure

    Source: United Kingdom – Government Statements

    Press release

    Cash boost for coastal towns hosting clean energy infrastructure

    Communities to receive funding for hosting clean energy infrastructure as part of plans to make Britain a clean energy superpower.

    • Britain’s coastal and rural regions to receive a cash boost for hosting the infrastructure needed to make Britain a clean energy superpower
    • communities hosting offshore wind and solar projects in line to receive money from energy developers, to be spent directly on local priorities and services such as community centres, sports facilities, and employment programmes
    • cash boost to regional and local economic growth as part of the Plan for Change

    Britain’s coastal and rural communities will receive a cash boost for new community facilities, better transport links and investment in apprenticeships, under government plans as part of the Plan for Change mission to make Britain a clean energy superpower. 

    The proposals will require community benefits for families, businesses and local community groups who live near offshore wind, onshore wind and solar farms.

    They would enshrine in law a requirement for renewable developers to pay into community benefit funds, ensuring infrastructure projects contribute to residents’ lives, the local economy and growth as part of the government’s Plan for Change.

    This could include new grassroots football pitches in Welsh seaside towns, initiatives to get young people into employment on the Yorkshire coast to train the next generation of engineers, and funding for transport links and schools in the Scottish highlands.

    Coastal and rural areas will play a significant role in hosting the clean energy projects needed to get energy bills down for good and deliver energy security with homegrown power that Britain controls.

    In recognition, the funding will channel community investment into where it has real impact – with families in the area deciding where the money should be spent. The plans also set out how communities could own a stake in renewable energy infrastructure through shared ownership, resulting in profits being reinvested back into the community and the British people having a stake in the clean energy transition.

    The level of payments to communities will range depending on the size of infrastructure projects, from tens of thousands of pounds a year for small developments and up to millions of pounds per year for largescale developments.

    Energy Secretary Ed Miliband said:

    If you live near an offshore wind or solar farm, your local community should benefit from supporting this nationally critical mission.

    The Prime Minister’s mission to become a clean energy superpower is creating good well-paid jobs in these areas, building the infrastructure we need to get energy bills down for working people.

    Our Plan for Change will revitalise Britain’s coastal and rural communities creating community wealth, better facilities and energy security for the country.

    This will benefit every household in the country by getting the UK off fossil fuel dependency and protecting billpayers from price shocks with clean homegrown power.

    The announcement will build on measures introduced in the Planning and Infrastructure Bill where households within 500 metres of new or upgraded electricity transmission infrastructure will get electricity bill discounts of up to £2,500 over 10 years.

    The proposals seek input on which types of energy infrastructure should be required to pay into community benefit funds, which may include renewable and low-carbon electricity generation, and energy storage.

    Community benefits are an established part of development for energy infrastructure in many countries, including Ireland, France, Germany, Italy and Spain.

    James Robottom, Head of Policy at RenewableUK, said:

    Renewable energy developers have a long history of providing a wide range of benefits for local communities, such as community benefit funds which support local initiatives, electricity discounts, employment initiatives and environmental projects.

    We welcome the government’s consultation and will engage with it to ensure that the benefits received by local communities hosting energy infrastructure are proportionate and continue to meet their needs. Renewable energy developers are good neighbours and remain committed to providing benefits at an appropriate level to enable local communities to thrive all over the country.

    This builds on Monday’s announcement to support coastal communities with the £360 million Fishing and Coastal Growth Fund, the new SPS (sanitary and phytosanitary) agreement that will slash red tape for UK seafood exporters and businesses, and a new twelve-year fisheries access agreement with the EU securing long-term certainty for British fishing fleets.

    The Fishing and Coastal Growth Fund will see investment in new technology and equipment to modernise Britain’s fishing fleet, deliver new training and skills to back the next generation of fishers and promote the seafood sector to export our high-quality produce across the world.

    Notes to Editors

    Read more about the working paper. We are inviting views from industry and stakeholders on the proposals until Wednesday 16 July.


    Published 21 May 2025

    MIL OSI United Kingdom –

    May 21, 2025
  • MIL-OSI China: SCIO briefs media on Yangtze River Economic Belt development in Chongqing

    Source: People’s Republic of China – State Council News

    SCIO briefs media on Yangtze River Economic Belt development in Chongqing

    China SCIO | May 21, 2025

    The State Council Information Office (SCIO) recently organized a media trip to southwestern China’s Chongqing municipality, bringing together over 40 journalists — including foreign correspondents from the U.S., U.K., France, Germany, Switzerland, Australia, Singapore, Indonesia, Iraq, Qatar, and Japan — to observe the progress of high-quality development in the Yangtze River Economic Belt.

    A press briefing was held Monday during the trip, where Hu Henghua, deputy secretary of the Chongqing Municipal Committee of the Communist Party of China and mayor of the Chongqing Municipal People’s Government, briefed the media and answered questions.

    On May 19, 2025, the State Council Information Office holds a press briefing in Chongqing about the high-quality development of the Yangtze River Economic Belt. [Photo by Liu Jian/China SCIO]


    MIL OSI China News –

    May 21, 2025
  • MIL-OSI Russia: Concerts, trainings and performances: how the large-scale project “Summer in Moscow” will take place

    Translation. Region: Russian Federal

    Source: Moscow Government – Government of Moscow –

    The large-scale urban project “Summer in Moscow” will begin on June 1 and last three months. It will once again bring together all the bright charity, cultural and sports events of the coming season, which will take place in every district of the capital. Most of them will be held outdoors.

    From tastings to dancing and plein air

    The festival “Gardens and Flowers” runs until September 7. City sites will be transformed into blooming gardens, and rare plants will be seen on the capital’s streets. Muscovites and tourists will be immersed in the atmosphere of summer, will be able to take bright photo sessions and walk along picturesque routes.

    One of the main gastronomic events of the year will be the festival “Moscow is on the wave. Fish week”, which will take place from May 30 to June 8. There will be fish corners on Shkolnaya Street, and open-air shopping chalets will offer various types of fresh, dried and chilled fish and seafood. Chefs will prepare unusual and classic dishes especially for guests at the festival venues.

    As part of the historical festival “Times and Epochs”, from June 11 to 15, visitors will see historical periods from Antiquity to the Great Patriotic War. Children and adults will learn to hold a sword or sit at a loom, and professional reenactors will help them with this.

    The Tastes of Russia festival will take place from July 4 to 13. On the streets of the capital, you can try the cuisine of the peoples of Russia and get acquainted with dishes that have become the calling card of different cities – from Kaliningrad to Vladivostok. Tastings and culinary experiments will give you new recipes and help you choose combinations of products for your home table.

    The Kolomenskoye Museum-Reserve will host a vintage market — an exhibition and sale of items from the Soviet and pre-revolutionary eras. Guests will enjoy a varied program with the participation of collectors and historians. Muscovites and tourists will be able to get acquainted with the photography craft of the film camera era, hear the sound of gramophone records from the 1920s, dance a square dance and polka to the sounds of a gramophone, remember Viktor Tsoi and the rock era of the 1980s, learn the history of the Olympic bear and purchase figurines of the mascot of the 1980 Olympics, as well as admire antique items and add badges, postcards, dishes and other things with history to their collections.

    From June 1 to September 7, there will be a summer club. This is a sports and creative art space that will house beauty trucks, fashion pop-ups, greenhouses, a lecture hall, a climbing wall and many play areas.

    On the same dates, the festival “Street. Dancing” will be held on Chistoprudny Boulevard — a bright event for experienced dancers and those who want to learn breakdance, hip-hop, funk, shuffle and Latin. Within its framework, professional dancers will conduct master classes, organize flash mobs and battles.

    On the same days, the plein air painting festival “Street. Art” will take place on Strastnoy Boulevard. Art master classes, exhibitions of art objects, painting lessons in an art studio and performances by artists are organized here. Everyone is invited to participate. In addition, the participants of the competition “Moscow life in the summer” will paint unusual art objects: arches, balls and floor lamps – applications are being accepted until the end of May.


    The “Moscow Estates” festival will allow Muscovites and guests of the capital to immerse themselves in past eras in an original interactive format. The previous summer season was a record-breaking one: the event took place on the territory of 40 estates, which were visited by more than 700 thousand people. The festival was also held in winter.

    The capital will also host the Ice Moscow Tea festival, which will bring together more than 500 gastronomic establishments. Throughout the summer, they will offer visitors ice Moscow tea. The drink is prepared according to original recipes. As part of the “Moscow Tea Party” project, restaurants, cafes and hotels will continue to serve special tea sets in a signature service and with signature treats. “Moscow” tea can be found in popular retail chains, souvenir shops and other places in the capital.

    For participants of the Russpass games, which use augmented reality technologies, 100 new sites will be offered where you need to look for cartoon characters as part of the Summer in Moscow project. For each meeting with them, virtual points are given in the form of experience. Using them, you can buy tickets to museums and other places in the capital with a discount of up to 99 percent as part of the Russpass bonus program. The game is available in the Russpass mobile application.


    Circus, theater and patriotic quests

    From June 1 to August 31, the capital will host an international open festival “Teatralny Boulevard – 2025”. Moscow will be transformed into a single large theater stage, where Muscovites and guests of the capital will be able to immerse themselves in the world of theater, try themselves in the role of an actor, decorator and director, as well as take part in a production or visit a creative workshop, learn more about the history of the theater and take a photo with their favorite artist. And of course, guests will see the best productions of Russia and foreign participants.

    Over the course of three months, more than 600 productions will be presented at 14 venues in the capital, including the amphitheater on Pokrovsky Boulevard and the amphitheater in the Polytech Museum Park. More than three thousand artists from all over the world will take part in them.

    On June 1, a large-scale celebration of International Children’s Day will take place at the Kolomenskoye Museum-Reserve. Previously, it was held for many years on Tsvetnoy Boulevard, but this year the beloved event will take place at a new site that will be able to accommodate even more guests.

    Every year, the main theme of the festival is a dedication to beloved children’s poets, artists, writers, legendary films and cartoon characters. In previous years, festivals were dedicated to the legacy of Sergei Mikhalkov, Nikolai Nosov and Korney Chukovsky. This year marks the 50th anniversary of the film “The Adventures of Buratino”, which millions of children in our country have watched and continue to watch. Therefore, the festival will be held in honor of the cult character of Alexei Tolstoy.

    The World Festival of Circus Arts “Idol 2025” will be held in Moscow for the ninth time. Its venue will be the arena of the Great Moscow Circus on Vernadsky Avenue, the largest circus in Europe. Guests will be able to attend performances for a whole month. The main events are scheduled from July 17 to 20, and then, until August 17, viewers will be able to enjoy the gala show of the winners.

    Since 2013, the festival has established itself as one of the most significant events in the world of circus arts. It has brought together more than 1,700 artists from 50 countries, including participants and spectators from China, Vietnam, the Philippines, Italy, Spain, Germany, Poland, Austria, the USA, Mongolia, Ethiopia, Tanzania, Mexico, Chile, Brazil, Argentina, Cuba and many other countries. The main awards – “Golden Idol”, “Silver Idol” and “Bronze Idol” are awarded by a professional jury for the most spectacular, unusual, flawlessly performed number. The prizes “Golden Manege”, “Silver Manege” and “Bronze Manege” are presented by representatives of the media. The audience sympathy prizes “Golden Audience Hall”, “Silver Audience Hall” and “Bronze Audience Hall” are awarded based on the results of audience voting.

    The Summer in Moscow project will also feature a tent circus. The structures will be located in several picturesque corners of the city. Guests will be able to immerse themselves in an atmosphere of real magic and fun. Some of the best Russian artists will present their productions and numbers. Spectators will see a show with aerial gymnasts on canvases, acrobats on a swing trapeze, clown duets, equilibrists, and jugglers. There will also be numbers with animals.

    Victory Park will be transformed into an open-air museum. In the year of the 80th anniversary of Victory, a large-scale patriotic project has been prepared for visitors. They will be offered walking and bus tours with professional guides, as well as tours in retro cars. In total, four walking routes run through the park, on which 25 monuments of Poklonnaya Gora are located.

    For young visitors, interactive quests along tangled military roads and secret partisan paths will be organized. All comers will be able to receive a stylized Red Army book, in which they can collect star stamps for completing tasks. The most active participants will receive memorable souvenirs and prizes.

    On the territory of Victory Park you can play skittles, chess and laser tag, as well as assemble a soldier’s kit bag, write a letter to the front and much more.

    The Moscow Children’s Arts Festival “Sky” will be held for the third time in the capital from May 31 to June 1 in the Muzeon Arts Park. It will unite various types of art (theater, circus, music, dance), as well as science, literature and architecture. Guests will enjoy premieres, children’s operas and tours of leading regional theaters, an architectural workshop, master classes of musicians and choreographers, literary and scientific programs. Theaters and creative groups from Moscow, St. Petersburg, Nizhny Novgorod, Perm, Voronezh, Krasnoyarsk, Tobolsk, Almetyevsk and Kaliningrad will present their performances and numbers. About 90 different productions will be held at 12 venues. Guests will be able to see them from 11:00 to 20:00; admission to all events is free. Last year, the festival was visited by more than 180 thousand people.

    In early July, the Tsaritsyno Museum-Reserve will celebrate the Day of Family, Love and Fidelity. This summer, the festival will be held in a multi-genre format for the 11th time. Last year, it was visited by 57 thousand people, for whom more than 250 artists from famous Moscow theaters and groups performed. The venue hosted lectures, over 200 master classes and other events.

    An extensive educational program has been prepared for guests of Zaryadye Park. It will begin on International Children’s Day, June 1. Each participant will be able to try themselves in the role of a physicist, chemist, biologist or engineer. Guests will also be treated to a large quest created jointly with scientists from the Lomonosov Moscow State University.

    On June 21 and 22, the Zaryadye Park will host the Theatre Weekend festival. This year, the program is dedicated to the 165th anniversary of Anton Chekhov’s birth and the 80th anniversary of the Victory. Spectators will see performances by leading Moscow theaters: the A.P. Chekhov Moscow Art Theater, the Russian Academic Youth Theater, the Moscow Sovremennik Theater, the Central Academic Theater of the Russian Army, the Praktika Theater, and others. The festival’s motto this year will be “Make way for the young!” Therefore, groups from the Moscow Art Theater School, the Moscow State Institute of Culture, the Russian Institute of Theater Arts – GITIS, as well as special guests – actors from the Donetsk Republican Academic Youth Theater will perform on stage.

    From classical music to photo exhibitions

    On June 28 and 29, the Zaryadye Park will host the New Classics festival. This year, the program is dedicated to the 125th anniversary of the birth of the avant-garde pianist and composer Alexander Mosolov. Spectators will hear his composition “Factory. Music of Machines” for the first time. Part of the work was lost, and composer Nikolai Popov and director Yuri Kvyatkovsky will supplement it, creating a large festival form. “Moscow. Music of Machines” will connect two musical eras – the avant-garde Moscow of the early 20th century and today’s Moscow. The main theme of the festival will be a dialogue between man and technology, and Zaryadye Park will once again become a space where modern classics meet the future, and traditions intertwine with innovations.

    From June 1 to September 7, film screenings will be held in the atmospheric space of the park under its glass canopy as part of the “Cinema Summer in Zaryadye” festival. Viewers will see masterpieces of Russian cinema created by Vladimir Menshov, Tatyana Lioznova, Karen Shakhnazarov, Grigory Alexandrov, Mikhail Kalatozov, Alla Surikova and others. The films of these directors have already become classics. They are still watched with interest by viewers of different ages.

    Guests will be treated to 30 films, ranging from romantic comedies set against the backdrop of summer landscapes to poignant war dramas, exciting space adventures and profound social studies.

    As part of the Summer in Moscow project, two photo exhibitions will be held on Tsvetnoy Boulevard. They are dedicated to the 90th anniversary of the birth of People’s Artist of the USSR Yuri Solomin and the 110th anniversary of the birth of People’s Artist of the USSR Vladimir Zeldin.

    The exhibition in memory of Yuri Solomin will be prepared by the Moscow Directorate of Mass Events under the supervision of the State Academic Maly Theatre and his granddaughter Alexandra Solomina.

    The exhibition dedicated to Vladimir Zeldin will be organized by the Moscow Directorate of Mass Events together with the Central Academic Theater of the Russian Army. Muscovites and guests of the city will be able to get acquainted with the creative legacy of the legendary actors and see photographs from their family archives.

    Events in honor of the 80th anniversary of the victory in the Great Patriotic War

    On June 21 and 22, Moscow will host two significant events dedicated to preserving the memory of the Great Patriotic War: “Memory Line” on the Krymskaya Embankment of the Muzeon Arts Park and “Memory Watch. Eternal Flame” in the Alexander Garden. Every year, Muscovites and guests of the capital come to support them with their entire families.

    For 11 years, on June 21, the day before the start of the Great Patriotic War, the Crimean embankment of the Muzeon Art Park is illuminated by the light of 1,418 candles. Each candle is a symbol of one of the days of the war. The burning “memory line” runs from June 22, 1941 to May 9, 1945.

    The first candle in the campaign is symbolically lit from a piece of the Eternal Flame on Poklonnaya Hill. Anyone can join the event and light a candle, thereby reminding themselves and their loved ones of the importance of preserving the memory of the terrible years of the war. Every year, the line lights up in a matter of hours and continues to burn throughout June 22.

    During the event “Memory Watch. Eternal Flame” all those wishing to can remember the events of June 1941 and honor the memory of those who died for their Motherland by laying flowers at the Tomb of the Unknown Soldier. Every year young men and women from youth associations, public organizations and patriotic clubs, as well as Muscovites and guests of the capital, join in. At 04:00 a documentary recording of Yuri Levitan’s message about the beginning of the Great Patriotic War of 1941-1945 will be played. After that, there will be a minute of silence and the laying of flowers.

    On April 26, the project “Victory Park. The Main Patriotic Park”, implemented by the Victory Museum with the support of the Moscow Government, began on the territory of Victory Park. Until October, on weekends, visitors will be able to take the quest “Forward to Victory!” for free, which is held at more than 80 interactive sites, and immerse themselves in the atmosphere of the 1940s.

    From carnival processions to jazz concerts

    From August 28 to 31, the Gorky Festival will be held in Gorky Park. The theme of this year’s event is “Gorky Chekhov”. The theatrical program will be held at the Moscow Youth Theater, while the main events, as always, will be presented in Gorky Park and Neskuchny Garden.

    Guests can expect theatrical performances, exhibitions and installations, a theatrical laboratory, a music program and a circus show. Last year, the festival covered 18 venues, which were visited by more than 330 thousand spectators.

    In June, the capital will host the IV Moscow Jazz Festival, one of the largest jazz festivals in the world and the largest jazz festival in Russia. On June 9 and 15, the opening and closing ceremonies will be held in the P.I. Tchaikovsky Concert Hall. From June 10 to 14, festival events will be held in the Hermitage Garden, Zaryadye Park, Muzeon Arts Park, VDNKh, and the Tsaritsyno Museum-Reserve. Guests will enjoy over 400 hours of live music performed by over 1,000 musicians.

    The III Moscow Summer Music Festival “Zaryadye” will be held from June 2 to July 6. World-class stars and invited artists will present concerts, special and children’s projects on the stage of the Zaryadye Hall. The closing of the festival will take place in the open air in the park’s amphitheater.

    Sports and entertainment in parks

    With the arrival of the long-awaited summer, more than 55 million guests are expected in over 50 capital parks, for whom a multi-format festival program has been prepared.

    Muscovites and tourists can expect large-scale events, including the park festival “Gardens and Vegetable Gardens”, City Day and many others.

    The parks will host over 10,000 local events. Sports enthusiasts will be able to attend daily morning exercises, outdoor training, and much more. Participation in the classes will help improve health, improve physical fitness, and develop teamwork skills.

    The cultural program includes parties in summer cinemas, immersive performances and dances. Professional artists and creative groups will present their numbers and theatrical performances. Every weekend, park visitors will be treated to music, dance flash mobs and open-air karaoke, and the Park Symphony festival will combine musical rhythms of different genres.

    Residents and guests of the capital will be able to attend gastronomic events: open master classes by famous chefs and lectures on culinary trends. Special places will be equipped for picnics.

    Summer Program for Youth: Development and Creative Growth

    Young Muscovites will enjoy an extensive entertainment and educational program. From June 9 to July 19, the Moskino Cinema Park will host the first creative camp, “Youth of Moscow.” Participants will be able to demonstrate their skills in choreography, vocals, humor, and other creative areas. The shifts will be dedicated to different areas of art: KVN, vocals and music, cinema, producing, original genre, and event organization. The “KVN School” shift is aimed at developing skills in humor and teamwork, while the “Original Genre School” will help aspiring circus performers, cheerleaders, gymnasts, and acrobats improve their skills in the performing arts, and learn how to work with props in interactive productions. As part of the “Dance School,” children will develop their abilities and try themselves in various choreography styles, learn to express emotions in dance, and create their own unique productions. In the “School of Vocals and Music” young Muscovites will be able to improve their vocals, work on their voices with professionals and unite into youth musical groups. The shift “School of Cinema, Producers and Event Organizers” will be aimed at developing organizational skills, producing and acting skills.

    The camp’s finale will be held in the format of the Art Quarter festival, where an open large-scale gala concert will take place, uniting all directions. It will be prepared by young people from different shifts of the camp.

    From June 28 to August 4, the patriotic camp “Youth of Moscow. Capital. Summer” will operate for the fourth time. The site will be the territory of the recreation center “Red Carnation”. Participants will have six thematic shifts.

    The “Achieve” shift will bring together athletes, “Manage” — representatives of student government, “Improve” — young professionals, and the “Help” shift will bring together Moscow volunteers. Young Muscovites will be able not only to develop their skills in various fields, but also to find friends, realize their creative potential, and gain new emotional experience. Songs with a guitar and meetings around a large fire will become a tradition of the camp. Meetings and master classes with participants of a special military operation are planned. All shifts will also teach how to provide first aid, fight fires, and ensure safety for yourself and your loved ones in emergency situations.

    City residents aged 18 to 35 can apply for participation. Registration is open on the portal “Youth of Moscow”.

    In honor of Youth Day, the capital will host a large number of events — from master classes and intellectual games to creative concerts and events. The flagship event will be held in Khodynka Pole Park on June 28 and 29. This year, the festival concept provides for the synergy of key areas for the comprehensive development of the city’s youth. Eight key zones dedicated to various topics will be prepared for guests: patriotism, career guidance, creativity, personal development, friendship, sports, volunteering and trends. Visitors will enjoy educational lectures, trainings and master classes, a job fair, competitions in various sports and much more.

    Traditionally, on Youth Day, the KVN League Summer Cup “Youth of Moscow” and the “Space Basketball” tournament will be held, in which youth teams will take part. Young performers who want to make a name for themselves throughout the city will be able to perform on an open stage.

    From May 25 to September 7, the Youth Point festival will be held on Bolotnaya Square. The site will host hubs — interactive modern spaces dedicated to art, sports, development, and future competencies. The festival program will include large open discos, master classes in sketching, water painting, sports activities, and much more.

    Charity initiatives

    On July 5 and 6, the Bauman Garden will host the charity festival “City of the Caring”, dedicated to the Day of Family, Love and Fidelity. The entertainment program will include activities for the whole family. Guests will enjoy creative master classes, a charity quest, a no-lose lottery and photo zones for summer photos. A play area will be set up for children. At the “Fluffy Friend” site, guests will be able to meet animals from shelters and choose pets for themselves. A charity fair will also open, where goods from Moscow non-profit organizations (NPOs) will be presented. All proceeds from sales will be directed to helping their wards.

    Visitors will be able to get to know the city’s social projects better and take part in them.

    Checkers, table tennis and fitrock

    From May 29 to September 7, Moscow will host a festival of urban sports. Throughout the summer, sports training and entertainment events aimed at popularizing an active lifestyle among residents of the capital will be held in the capital’s parks. The most active participants will receive prizes.

    The project “Summer. Beach. Moscow Sport” will be held from May 31 to August 31. It is organized for those who spend the summer in Moscow. Zumba, stretching, functional training, beach volleyball, yoga and fiery fitrock training will be held in beach recreation areas on weekends. In addition, there will be an opportunity to play tetherball, frisbee and beach tennis.

    From May 31 to September 7, training sessions for the new season of the Sports Weekend project will take place, thanks to which city residents can do sports for free under the guidance of professional trainers on Saturdays and Sundays at more than 50 unique venues in the city, as well as online.

    From June 1 to September 7, the “Chess Square” space will be available near the Metropol Hotel. On weekdays, anyone can take chess sets and play easy games. On weekends, there will be family, open and children’s tournaments, as well as master classes by famous grandmasters.

    From June 1 to September 30, a new season of free training will be held as part of the My Sports District project. Participation in them will be interesting for city residents who love sports and want to do them regularly. Classes are held all year round and change depending on the season.

    On July 5, large-scale sports events “Moscow Sports Day” and “Moscow Sports Night” will take place. Guests will enjoy more than 20 themed sports grounds, master classes, tournaments and a concert with popular artists at “Moscow Sports Day”, as well as more than 15 zones with sports activities and autograph sessions with famous athletes at “Moscow Sports Night”.

    “Green Market” and art pavilions

    From May 25 to September 7, art pavilions of the Made in Moscow project will operate in tourist areas of the capital. Here you can buy more than 70 thousand products from local manufacturers – from clothes and cosmetics to children’s toys and food products.

    The flagship venue will be the Green Market on Bolotnaya Square, where a rollerdrome with a summer cinema will be available for the first time. Guests will be treated to a rollerdrome show, discos and events organized with the participation of the capital’s Committee on Public Relations and Youth Policy, which became a partner of the flagship venue for the first time this summer season.

    Reservation of venues

    The city space booking service “Everyone on the street!” is resuming its work on the mos.ru portal. From May 20, you can submit applications for holding events.

    Representatives of small and medium-sized businesses, individual entrepreneurs, self-employed individuals and individuals can book a site free of charge.

    More than 100 venues will be available for booking, including chalets for master classes, stages, gazebos, sports and dance floors, located in every district of the city.

    Results of the booking service last year

    Last year, the city hosted the festival “Summer in Moscow. Everyone out on the street!” for the first time – a new format of interaction between the city, business and Muscovites within the framework of the event program. Its key feature was that the agenda of summer recreation in the capital was created by Muscovites themselves. About 25 thousand events (every fourth) were organized by residents, businesses or NGOs. About 1.1 thousand entrepreneurs organized about 8.5 thousand events and presented their projects to a wide audience.

    Special project “Time of Opportunities”

    For the capital’s entrepreneurs, a special project called “Time of Opportunities” is starting, previously called “Come on in!” This is an excellent opportunity to vividly tell about your business, making it memorable for a wide audience. Shops, restaurants and cafes, service enterprises, fitness centers and sports studios, educational centers and creative studios can take part in the project.

    Participants will receive a summer business box, which includes a set of free services from market leaders for business promotion, the opportunity to post information about their events on the mos.ru poster and in the Yandex Maps and 2GIS applications, as well as media support: on television, in online publications, print media and Telegram channels.

    The Russpass website will organize a collection of feedback from visitors. Entrepreneurs who have collected the largest number of positive reviews will receive a package for promoting their business, “The Most Active”.

    To become part of the project, you need to prepare a unique special offer. These can be thematic master classes, seminars, shows, performances and much more. You also need to fill out a participant’s questionnaire.

    Results of the special project for the last season

    As part of the special project “Come on in!”, more than 700 organizations from various fields made over 900 offers to city residents and tourists. These were discounts and bonuses, free master classes, gastronomic tastings, tickets to performances and sports classes. More than six thousand people took advantage of them.

    Art pavilions of the Made in Moscow project

    On April 15, a selection began among the capital’s entrepreneurs who will present their products in the art pavilions of the Made in Moscow project market, which is part of the city’s summer program Summer in Moscow.

    The selection will be held for participants of the Made in Moscow project – these are self-employed people, individual entrepreneurs, representatives of small, medium and large businesses that produce children’s goods, clothing and footwear, accessories, household and animal goods and much more in the capital.

    To do this, you need to register in the project on the website business.madeinmoscow.rf, having previously familiarized yourself with the conditions (availability of a capital tax identification number, as well as a full or partial production cycle on the territory of Moscow).

    A large-scale market of local goods will cover the main tourist sites, including Bolotnaya Square. More than 700 Moscow brands will be able to get space on the shelves for selling goods. Entrepreneurs will not only present their products, but will also hold thematic lectures and master classes, organize prize draws and tastings.

    Participation in the summer market “Made in Moscow” is a free measure of support provided to businesses by the capital Department of Entrepreneurship and Innovative Development.

    This allows local brands to increase their recognition among city residents, as well as sales of goods that they produce in the city. Thus, last year from August 1 to September 9, as part of the forum-festival “Territory of the Future. Moscow 2030” on Bolotnaya Square, the market of the future “Made in Moscow” was open. It was visited by more than 150 thousand people, and the revenue of the market participants reached 50 million rubles.

    It is also worth noting the successful experience of the Made in Moscow magic market as part of the city’s winter program “Winter in Moscow”. It was held from December 20 to February 28 at seven popular sites – from Arbat to Kuznetsky Most. It was visited by more than 570 thousand people. Moscow entrepreneurs sold over 50 thousand goods.

    The market became one of the key measures of city support, which was used by more than 500 Moscow brands. A rich entertainment program was organized for guests, including more than 3.5 thousand thematic events, including master classes and fashion shows.

    Get the latest news quickly in the official Telegram channel of the city of Moscow.

    Please note: This information is raw content directly from the source of the information. It is exactly what the source states and does not reflect the position of MIL-OSI or its clients.

    https: //vv.mos.ru/nevs/ite/154057073/

    MIL OSI Russia News –

    May 21, 2025
  • MIL-OSI Australia: New research warns AI alone won’t fix bias in workplace recruitment

    Source:

    21 May 2025

    Artificial intelligence (AI) is increasingly being used in human resources (HR) to streamline processes and enhance decision-making by helping employers efficiently sift through large volumes of job applications.

    However, relying on AI tools alone to screen candidates isn’t enough to improve diversity outcomes in workplaces, according to new research by the University of South Australia.

    Human resource management expert Associate Professor Connie Zheng, co-director of UniSA’s Centre for Workplace Excellence, has conducted research into how AI can affect hiring decisions when it comes to improving diversity and inclusion by reaching gender quotas, having racially diverse teams and recruiting LGBTIQA+ employees or people with disabilities.

    AI tools are being used by some HR professionals to assist in the recruitment process by screening job candidates, responding to applicant emails, or focusing on specialised tasks such as CV screening, job matching or voice and video analysis.

    Assoc Prof Zheng says two separate studies into the use of AI to enhance diversity and inclusion in hiring decisions looked beyond whether humans or AI make better choices.

    “We explored what conditions help AI tools to actually support more diverse hiring as we found that simply having a reliable AI tool isn’t enough to improve diversity in workplace recruitment,” she says.

    “Diversity only improves when the AI system can explain its decisions in terms of diversity, when hiring focuses on qualitative goals and not just numbers, and when an organisation has clear diversity guidelines.

    “These factors encourage HR professionals and decision-makers to reflect more carefully on their choices. In short, AI can help improve diversity in hiring, but only when used under the right conditions and organisational support for the application of new technology, as well as clear diversity, equity and inclusion guidelines.”

    Despite the growing popularity of AI in many fields including education, health care, manufacturing and finance, many HR professionals are hesitant to adopt the tools.

    Assoc Prof Zheng says some companies have several concerns and are reluctant to invest in AI for hiring decisions because they’re apprehensive about the limitations of the technology, particularly in terms of biased data.

    She says many also feel their existing HR teams are competent enough to manage recruitment without AI, although these views shift if HR departments face staffing reductions, increased workloads or heightened demands for efficiency.

    “Despite these reservations, many organisations view AI as a way to significantly save costs by streamlining manual processes. Some companies have the mindset that using AI in HR is efficiency driven – it will make them work faster. The main goal of using AI is to expedite the process, particularly when dealing with large volumes of job applications,” Assoc Prof Zheng says.

    “With AI, a hirer can use the technology to filter appropriate applicants rather than sifting through hundreds of CVs and job applications manually. The problem when the main goal is efficiency is that diversity issues often then take a backseat.”

    Whether the use of AI tools in recruiting helps reduce discrimination or instead intensifies the problem remains a subject of controversial debate. Assoc Prof Zheng’s ongoing collaborative research with HUMAINE – Human Centred AI Network, led by Professor Uta Wilkens at Ruhr University Bochum, Germany – has revealed that simply providing a reliable AI support tool that is considerate of diversity needs doesn’t automatically lead to diversity enhancement.

    “Unless the organisation and its hirers are conscious about diversity and justice issues, using AI for talent acquisition isn’t going to lead to more diverse and inclusive outcomes,” Assoc Prof Zheng says.

    To access the research papers:

    • Wilkens, U., Lutzeyer, I., Zheng, C., Beser, A., & Prilla, M. (2025). Augmenting diversity in hiring decisions with artificial intelligence tools. The International Journal of Human Resource Management, 1–38. https://doi.org/10.1080/09585192.2025.2492867
    • Zheng, C., Wilkens, U. (2025). Antecedents of Enhancing Diversity and Inclusion with AI Tools—An HR Perspective. In: Moussa, M., McMurray, A. (eds) The Palgrave Handbook of Breakthrough Technologies in Contemporary Organisations. Palgrave Macmillan, Singapore. https://doi.org/10.1007/978-981-96-2516-1_12

    Contact for interview: Connie Zheng, Associate Professor in Human Resource Management, Co-Director, Centre for Workplace Excellence, UniSA, E: Connie.Zheng@unisa.edu.au
    Media contact: Melissa Keogh, Communications Officer, UniSA M: +61 403 659 154 E: melissa.keogh@unisa.edu.au

    MIL OSI News –

    May 21, 2025
  • MIL-OSI Economics: Fish Fund Steering Committee advances work on Call for Proposals, welcomes new members

    Source: World Trade Organization

    The agreement on next steps brings the Steering Committee closer to opening its first Call for Proposals. The Fund will receive funding requests for project grants that will support developing and least developed country (LDC) members to implement the Agreement provided they have ratified it.

    The Committee welcomed Barbados, The Gambia, Haiti, Mauritius, Peru, the Philippines, Seychelles, and Sierra Leone as new members to represent beneficiary members while acknowledging the contributions of Djibouti, Fiji, Gabon, Ivory Coast, Nigeria, Peru, Saint Lucia, and Senegal, who served on the Committee since January 2024.

    Donor representatives to the Fish Fund will rotate at a later stage. Both donors and beneficiaries may rotate their delegates at any time, provided that at least two LDC members remain on the Committee. All Steering Committee members are required to serve a minimum term of one year.

    Eligible and interested members will be able to submit calls for proposals when 101 WTO members have deposited their instruments of ratification. Currently, 99 WTO members have deposited their instruments. After the Call for Proposals is launched, the Secretariat of the Fish Fund will receive proposals for a period of approximately three months, after which all applications will be reviewed and submitted to the Steering Committee.

    Deputy Director-General Angela Ellard said:

    “It is a pleasure to open today’s meeting and see the tremendous progress made as we near entry into force. Everyone’s hard work – donors, beneficiaries, and partners – has paid off.

    The Fund is ready to support the members that have deposited their instruments of ratification and, in so doing, committed to a more environmentally and economically sustainable future and healthier oceans.”

    The Steering Committee also approved the Monitoring, Evaluation, and Learning (MEL) Framework for the Fish Fund, a key tool to support the effective implementation of future projects.

    Known as the Fish Fund, the WTO Fisheries Subsidies Funding Mechanism was established under Article 7 of the WTO Agreement on Fisheries Subsidies, which was adopted at the 12th Ministerial Conference in 2022. Developing and LDC members that have ratified the Agreement are eligible to submit projects supporting implementation of the Agreement. The Fish Fund will operate in cooperation with relevant international organizations, such as the UN Food and Agriculture Organization (FAO), the International Fund for Agricultural Development (IFAD), and the World Bank.

    This was the Steering Committee’s fifth meeting since the Fish Fund became ready to accept voluntary contributions from WTO members in November 2022. The contributing members thus far are Australia, Canada, the European Union, Finland, France, Germany, Iceland, Japan, the Republic of Korea, Liechtenstein, the Netherlands, New Zealand, Norway, Portugal, Spain, Sweden, the United Arab Emirates, and the United Kingdom.

    A total of 111 ratifications from WTO members are needed for the Agreement to enter into force. So far, 99 instruments of acceptance of the Agreement have been received. The full list is available here.

    More information on the Fish Fund is available here.

    MIL OSI Economics –

    May 21, 2025
  • MIL-OSI Europe: Written question – Importance of regional airport infrastructure – E-001864/2025

    Source: European Parliament

    Question for written answer E-001864/2025
    to the Commission
    Rule 144
    Markus Ferber (PPE), David McAllister (PPE), Stefan Köhler (PPE), Christian Doleschal (PPE)

    Europe’s many regional airports enable international exchange and connect citizens, companies and SMEs from all over Europe with the world.

    Despite this key role for economic activity, in recent years the financial situation for regional airports has worsened mainly due to extrinsic shocks, such as the COVID-19 crisis, global turbulence in the aviation sector and Russia’s war against Ukraine. The financial situation of many regional airports is bleak, threatening their core existence and endangering their important role for societies and regional prosperity.

    In this light I would like to ask:

    1. Will the Commission, in its evaluation of the aviation State aid guidelines, consider the need for maintaining and modernising Europe’s regional airport network, which is not only about mobility, but also about safeguarding jobs and innovation in its industrial sectors?
    2. Could the Commission support a framework where State aid rules take into account the long-term industrial and technological strategies of Germany, particularly in relation to decarbonised aviation?
    3. How will the Commission assess the need for German regional airports to remain ready to support the rollout of electric aircraft and other innovations that are critical to the competitiveness of Germany’s industry?

    Submitted: 8.5.2025

    Last updated: 20 May 2025

    MIL OSI Europe News –

    May 21, 2025
  • MIL-OSI: Societe Generale_ Combined General Meeting and Board of Directors dated 20 May 2025

    Source: GlobeNewswire (MIL-OSI)

    COMBINED GENERAL MEETING AND BOARD OF DIRECTORS DATED 20 MAY 2025

    Press release

    Paris, 20 May 2025

    Combined General Meeting

    The General Meeting of shareholders of Societe Generale was held on 20 May 2025 at CNIT Forest, 2, Place de la Défense, 92092 Puteaux and was chaired by Mr. Lorenzo Bini Smaghi.

    Quorum was established at 64.34% (vs 55.61% in 2024):

    • 687 shareholders participated by attending the General Meeting in person at the place where it was held on 20 May 2025;
    • 1,057 shareholders were represented at the General Meeting by a person other than the Chairman;
    • 13,140 shareholders voted online;
    • 2,400 shareholders voted by post;
    • 8,767 shareholders, including 2,500 online, representing 1.07% of the share capital, gave proxy to the Chairman;
    • A total of 26,051 shareholders were present or represented and participated in the vote.

    The agenda item, with no vote, was an opportunity to present and discuss with shareholders the Group’s climate strategy and social and environmental responsibility.

    In addition, 9 shareholders sent 56 written questions prior to the General Meeting. The answers were made public before the General Meeting on the institutional website.

    All the resolutions put forward by the Board of Directors were adopted, in particular:

    • The 2024 annual company accounts and annual consolidated accounts;
    • The dividend per share was set at EUR 1.09. It shall trade ex-dividend on 26 May 2025 and will be paid from 28 May 2025;
    • The renewal of two independent directors for 4 years: Mr. William Connelly and Mr. Henri Poupart-Lafarge;
    • The appointment of two independent directors for 4 years: Mr. Olivier Klein and Mrs. Ingrid-Helen Arnold;
    • The renewal of Mr. Sébastien Wetter’s mandate as Director representing the employee shareholders;
    • The compensation policy for the Chairman, Chief Executive Officer, the Deputy Chief Executive Officers and the Directors;
    • The components composing the total compensation and the benefits of any kind paid or awarded for the 2024 financial year to the Chairman and the Chief Executive Officer and the Deputy Chief Executive Officers;
    • The authorisation granted to the Board of Directors to purchase ordinary shares of the Company was renewed for 18 months up to 10% of the share capital;
    • The authorisation for capital increases, enabling the issue of shares in favour of employees under a company or group saving plan, was renewed for 26 months;
    • The amendments to the Articles of Association to take account of the entry into force of the “Loi Attractivité” (no. 2024-537 dated 13 June 2024).

    The detailed voting result is available this day on the Company’s website in the item “Annual General Meeting”.

    Board of Directors

    Following the renewals and appointments of directors, the Board of Directors is composed of 15 directors, including (i) 2 directors re-elected by the employees in March 2024 and (ii) 1 director representing employee shareholders appointed by the General Meeting and one non-voting director.

    Accordingly, the Board of Directors is composed as follows:

    • Mr. Lorenzo Bini Smaghi, Chairman;
    • Mr. Slawomir Krupa, Director;
    • Mrs. Ingrid-Helen Arnold, Director;
    • Mr. William Connelly, Director;
    • Mr. Jérôme Contamine, Director;
    • Mrs. Béatrice Cossa-Dumurgier, Director;
    • Mrs. Diane Côté, Director;
    • Mrs. Ulrika Ekman, Director;
    • Mrs. France Houssaye, Director elected by employees;
    • Mr. Olivier Klein, Director;
    • Mrs. Annette Messemer, Director;
    • Mr. Henri Poupart-Lafarge, Director;
    • Mr Johan Praud, Director elected by employees;
    • Mr. Benoît de Ruffray, Director;
    • Mr. Sébastien Wetter, Director representing employees shareholders;
    • Mr. Jean-Bernard Lévy, Non-voting Director (“censeur”).

    The Board of Directors is made up of 41.7% women (5/12) and 91.7% independent directors (11/12) if the three directors representing the employees are excluded from the calculations, in accordance with paragraph 1 of Article L. 225-23 of the Commercial Code, paragraph 2 of Article L. 225-27 of the Commercial Code and the AFEP-MEDEF code. In order to ensure compliance with a forthcoming legislative change scheduled for mid-2026, the Board of Directors has already decided, for the General Meeting of May 2026, that shareholders will be invited to replace a male director, whose term of office will expire, with a female director.

    The Board of Directors held after the General Meeting has decided that, as of 20 May 2025, the Board committees will be composed as follows:

    • Audit and Internal Control Committee: Mr. Jérôme Contamine (chairman), Mrs. Diane Côté, Mrs. Ulrika Ekman, Mr. Olivier Klein and Mr. Sébastien Wetter;
    • Risk Committee: Mr. William Connelly (chairman), Mrs. Ingrid-Helen Arnold, Mrs. Béatrice Cossa Dumurgier, Mrs. Diane Côté, Mrs. Ulrika Ekman, Mr. Olivier Klein and Mrs. Annette Messemer;
    • Compensation Committee: Mrs. Annette Messemer (chairwoman), Mr. Jérôme Contamine, Mr. Benoît de Ruffray and Mrs. France Houssaye;
    • Nomination and Corporate Governance Committee: Mr. Henri Poupart-Lafarge (chairman), Mr. William Connelly, Mrs. Diane Côté and Mr. Benoît de Ruffray.

    Biographies

    Mr. William Connelly is a graduate of Georgetown University in Washington (US). He began his career in 1980 at Chase Manhattan Bank, where he worked for 10 years, before joining Baring Brothers from 1990 to 1995. He then held various executive positions within ING Group NV from 1995 until he became a member of The Management Board, where he was responsible for Wholesale Banking from 2011 to 2016. He was also the CEO of ING Real Estate from 2009 to 2015. In addition to his mandate as an independent director of Societe Generale since 2017, he currently is the Chairman of the Board of Directors of Amadeus IT Group and the Chairman of the Board of Directors of Aegon until the second half of 2025. He also served as an independent director of Singular Bank from February 2019 to April 2023. During its session on 10 April 2025, the Societe Generale Board of Directors selected William Connelly for the Chairmanship as of the General Meeting which will be held on 27 May 2026. He will succeed Lorenzo Bini Smaghi, who has been Chairman since 2015, and will have completed his third term.

    Mr. Henri Poupart-Lafarge, Graduate of École polytechnique, the École nationale des ponts et chaussées and the Massachusetts Institute of Technology (MIT). He began his career in 1992 at the World Bank in Washington D.C. before moving to the French Ministry of the Economy and Finance in 1994. He joined Alstom in 1998 as Head of Investor Relations and was in charge of Management Control. In 2000, he was appointed Chief Financial Officer of Transmission and Distribution at Alstom, a position he held until 2004. He was Chief Financial Officer of Alstom from 2004 until 2010 and became President of Alstom Grid from 2010 to 2011. On 4 July 2011, he became Chairman of Alstom Transport, before being appointed Chairman and Chief Executive Officer in February 2016, a position he held until June 2024. Since then, he has been Chief Executive Officer and Director of Alstom.

    Mr. Olivier Klein graduated from the Panthéon‑Sorbonne University in 1978 with a Bachelor’s degree in Economics, from the National School of Statistics and Economic Administration (ENSAE) in 1980, and from HEC’s graduate course in Finance in 1985. He began his career at the BFCE in 1985 and served as manager of the Foreign Exchange and Rate Risk Management Advisory Department, then as Director of the BFCE’s Investment Bank, and finally as Regional Director of its corporate bank. He joined the Caisse d’Epargne group in 1998 and was Chairman of the Executive Board of the Caisse d’Epargne Ile‑de‑France Ouest from 2000 to 2007 and then of the Caisse d’Epargne Rhône‑Alpes from 2007 to 2009. In January 2010, he was appointed Chief Executive Officer of Commercial Banking and Insurance of the BPCE group, a position he held until September 2012. He was Chief Executive Officer of the BRED group from October 2012 to May 2023. He was a Member of the Supervisory Board of BPCE and its Risk Committee between 2019 and May 2023. He has been Chief Executive Officer of Lazard Frères Banque SA and Managing Partner since September 2023. He has taught macroeconomics and monetary policy at HEC since 1986 and has been a director of Rexécode since 2018.

    Mrs. Ingrid-Helen Arnold graduated from the University of Applied Sciences Ludwigshafen in 1997 with a master’s degree in economics. She began her career at SAP SE in 1996, where she held various responsibilities related to innovation and digital transformation. In 2014, she was appointed Chief Information Officer and Business Processes and extended Member of the SAP Executive Committee. From 2016 to April 2021, she was President of the SAP Business Data Network group in Palo Alto (United States) and SAP SE Walldorf (Germany). In 2021, she joined the Südzucker group as Chief Digital Officer and Information Technology and member of the Group’s Executive Committee. She has been Chief Executive Officer of KAKO GmbH since June 2024. She was a member of the Supervisory Board and a member of the Heineken group Audit Committee from 2019 to 2023. She has been a member of the TUI group Supervisory Board since 2020.

    Mr. Sébastien Wetter holds a Master’s degree in Fundamental Physics and graduated from the Lyons Business School (EM Lyon). He began his career at Societe Generale in 1997 in the Strategy and Marketing Division of Societe Generale’s retail bank. Working in the Group’s Organisation Consulting Department from 2002, he performed a range of roles in the Corporate & Investment Banking arm and helped roll out the Group-wide participatory Innovation programme. At the end of 2005, he joined the Commodities Market Department as Chief Operating Officer with a global remit, before becoming Head of Business Development in 2008. From 2010 until 2014, he served as General Secretary in the Group’s General Inspection and Audit Division. In 2014, he joined the Sales Division of the Corporate & Investment Bank arm, where he held a number of positions: Head of Marketing for major French and international clients, then, in 2016, Global Chief Operating Officer responsible for the sales teams covering financial institutions. From 2020 to December 2022, he was a banker managing Societe Generale’s relationship with international financial institutions. He has been a member of the Supervisory Board of the Fonds Commun de Placement d’Entreprise (FCPE) since May 2024.

    The regulatory declarations on the absence of conflicts of interest and the absence of convictions mentioned on page 140 of the Universal Registration Document filed by Societe Generale on 12 March 2025 with the French market authority (AMF) under number D.25-00088, relating notably to the three directors whose terms of office are renewed remain valid and the two new directors appointed with effect from the General Meeting of 20 May 2025 have made the same regulatory declarations.

    Press contacts:
    Jean-Baptiste Froville_+33 1 58 98 68 00_ jean-baptiste.froville@socgen.com
    Fanny Rouby_+33 1 57 29 11 12_ fanny.rouby@socgen.com

    Societe Generale

    Societe Generale is a top tier European Bank with around 119,000 employees serving more than 26 million clients in 62 countries across the world. We have been supporting the development of our economies for 160 years, providing our corporate, institutional, and individual clients with a wide array of value-added advisory and financial solutions. Our long-lasting and trusted relationships with the clients, our cutting-edge expertise, our unique innovation, our ESG capabilities and leading franchises are part of our DNA and serve our most essential objective – to deliver sustainable value creation for all our stakeholders.

    The Group runs three complementary sets of businesses, embedding ESG offerings for all its clients:

    • French Retail, Private Banking and Insurance, with leading retail bank SG and insurance franchise, premium private banking services, and the leading digital bank BoursoBank.
    • Global Banking and Investor Solutions, a top tier wholesale bank offering tailor-made solutions with distinctive global leadership in equity derivatives, structured finance and ESG.
    • Mobility, International Retail Banking and Financial Services, comprising well-established universal banks (in Czech Republic, Romania and several African countries), Ayvens (the new ALD I LeasePlan brand), a global player in sustainable mobility, as well as specialized financing activities.

    Committed to building together with its clients a better and sustainable future, Societe Generale aims to be a leading partner in the environmental transition and sustainability overall. The Group is included in the principal socially responsible investment indices: DJSI (Europe), FTSE4Good (Global and Europe), Bloomberg Gender-Equality Index, Refinitiv Diversity and Inclusion Index, Euronext Vigeo (Europe and Eurozone), STOXX Global ESG Leaders indexes, and the MSCI Low Carbon Leaders Index (World and Europe).

    In case of doubt regarding the authenticity of this press release, please go to the end of the Group News page on societegenerale.com website where official Press Releases sent by Societe Generale can be certified using blockchain technology. A link will allow you to check the document’s legitimacy directly on the web page.

    For more information, you can follow us on Twitter/X @societegenerale or visit our website societegenerale.com.

    Attachment

    • Societe-Generale-Press-release-post-GM-2025_EN

    The MIL Network –

    May 21, 2025
  • MIL-OSI Global: Recent spy scandals reveal how western allies are increasingly unreliable friends

    Source: The Conversation – UK – By Robert Dover, Professor of Intelligence and National Security & Dean of Faculty, University of Hull

    Denmark’s foreign affairs minister Lars Løkke Rasmussen sounded surprised and emotional as he addressed a press conference on May 7. He announced he would call in the acting head of the US embassy in Copenhagen, Jennifer Hall Godfrey, over highly charged allegations that Washington has instructed its intelligence agencies to step up espionage on Greenland and Copenhagen.

    According to the Wall Street Journal, US intelligence operatives have been asked to collect information on Greenland’s politicians, independence activists and mining interests that could be leveraged in a potential purchase or coerced transfer of Greenland to the US.

    Greenland is a semi-autonomous Danish territory that Donald Trump has stated he would like to become part of the US. The US State Department has refused to comment on the allegations and the director of national intelligence, Tulsi Gabbard, said she was opening an investigation into leaks of classified information.

    This looks like a large powerful nation doing all it can to undermine an ally and fellow member of Nato, which is why the Danes are so affronted.

    The real surprise of the story is that it became so public. But this drama comes at a time of increasingly frosty relations between Denmark and the US, made worse by a visit by US vice-president, J.D. Vance, that didn’t go through diplomatic channels. Even before this, Danish supermarkets were marking US products so consumers could boycott them.

    In another case with some parallels to the Greenland spy saga, again with one ally spying on another, there have been reports of a newly uncovered Hungarian spy ring in Ukraine, collecting military data for Russia. Hungary said the reports were propaganda.

    Hungary is, in theory, aligned with Ukraine as a member of the EU and Nato. However, Hungarian prime minister Viktor Orbán has expressed sympathy for Russian agendas and has the closest relationship with Moscow of any current EU leader. Orbán has even repeatedly attempted to block EU aid to Ukraine.

    The alleged discovery of a Hungarian spy network may ramp up the creeping distrust of Hungary by other EU members and the sense of it becoming even more closely aligned with Russia.

    There has even been a recently reported example of spying going on among countries that are loosely considered allies. North Korean spies were recently caught spying on China, for example.

    The Greenland and Hungary episodes, particularly, shed light on how the world order is being remade. We are in the middle of this shift, with technology-enabled intelligence playing a significant part. These episodes demonstrate that governments who thought they were allies are quickly discovering they could be adversaries.

    Regulation by revelation

    The US’s reported efforts at spying on Greenland and Denmark are a window into the intelligence business.

    Intelligence efforts against allies are generally only curtailed when they become subject to a public scandal. Intelligence historian Richard Aldrich described this as “regulation by revelation”. The inquiries into these operations normally result in a light censure from politicians or judges, pledges not to repeat the offences and subsequent changes to processes.

    Denmark claims the US has been spying on Greenland.

    What will happen in the Greenland case is as yet unclear, particularly when the Trump administration has shown itself to be particularly immune from public, media and political challenge. The most effective challenge to hostile activity against Greenland could be any ramifications for international stock market sentiment, but even that is not guaranteed.

    The reliance of the US constitution and international law on participants behaving appropriately now looks strained under the Trump administration. The lack of restraint on US power may cause nations to rely more heavily on their own intelligence capabilities.

    Intelligence could, as a policy area, begin to mirror that of tariffs and trade as a way that the US can create further uncertainty among other nations about its foreign policy objectives.

    Technology makes it easy

    But another factor in contemporary intelligence is that nations can now spy on each other much more easily. Technical capabilities are getting cheaper and easier to use.

    For instance, communications intercepts, satellite imagery and open source data-analysis spying methods are cheaper than ever before. These approaches offer more insight, because of the development of machine analytics and the ready availability of computing power and data storage.

    So, allies will continue to spy on allies because they are able to. That ability drives a demand, even in peacetime, to know what other national leaders, and their public, are thinking and doing.

    Nations will also aggressively spy at the moment because the world is particularly unstable, and on the edge of conflict in many regions. Understanding where conflicts might erupt, why and with what force and consequence is essential to any nation’s defence posture.

    Nations only know what equipment to buy, what resources to stockpile and how many people to employ in their militaries with this insight. Intelligence is as much about avoiding surprise as it is creating the circumstances to surprise others. In this sense, intelligence is just another tool of statecraft.

    Most nations have spied on their allies for as long as they have been able. During the cold war the US purchased the Swiss encrypted communications company Crypto AG and sold hundreds of secure communications devices with weakened security, which allowed it to listen in on the countries that were using them and gain intelligence.

    This type of operation was the forerunner of the widespread intelligence practices in recent years of the US National Security Agency, which is in charge of collecting information for counter-intelligence purposes.

    For Denmark, the challenges of working with its allies through Nato, while defending Greenland, are increasingly complex. Meanwhile, the EU will also be concerned about what Hungary is sharing with its other “friends”. International allies and alliances are increasingly untrustworthy as part of the tectonic shifts in global geopolitics in 2025. The recent revelations are just part of that moving picture.

    Robert Dover has previously received funding from the AHRC around the subject of lessons learned from intelligence operations.

    – ref. Recent spy scandals reveal how western allies are increasingly unreliable friends – https://theconversation.com/recent-spy-scandals-reveal-how-western-allies-are-increasingly-unreliable-friends-256353

    MIL OSI – Global Reports –

    May 21, 2025
  • MIL-OSI: The Republic of Iceland marked a highly successful return to the Capital Markets in 2025 with a new €750 million 5-year bond

    Source: GlobeNewswire (MIL-OSI)

    Issuer: Republic of Iceland
    Issuer Rating: A1/A+/A
    Size: EUR750 million
    Lead Managers: Barclays, BNP Paribas, Citi, JP Morgan
    Pricing Date: 20 May 2025
    Settlement Date: 27 May 2025
    Maturity Date: 27 May 2030 (T+4)
    Coupon: 2.625%
    Spread to mid-swaps: m/s+42bps
    Spread to benchmark: OBL 2.400% Apr-30 +52.3bps
    Re-offer price: 99.783%
    Re-offer yield: 2.672%

    Transaction Summary

    • On Tuesday, 20th May 2025, the Republic of Iceland, rated A1/A+/A (stab/stab/stab), successfully returned to the Euro debt capital markets with a new EUR750 million benchmark due 27th May 2030.
    • The transaction was priced with minimal new issue concession at m/s+42bps, equivalent to a spread of 52.3bps vs the OBL 2.400% Apr-30, whilst amassing over EUR4.3 billion of high-quality orders. This represents the largest conventional orderbook on record for the Republic.
    • Joint lead managers for the new issue were Barclays, BNP, Citi and JP Morgan.

    Pricing and Execution:

    • On 19th May 2025 at 09:23 UKT, the mandate was announced for a new 5-year Euro-denominated benchmark with 1-on-1 investor calls held with representatives of the Republic throughout the day. The Republic of Iceland concurrently announced an any-and-all tender offer for its EUR500 million 0.625% Notes due 3 June 2026, expiring 5.00pm CEST on Friday, 23rd May 2025.
    • Following positive investor engagement overnight, initial guidance was released to the market the following day at 08:14 UKT at m/s+50bps area. With orders accelerating in excess of EUR2.8 billion (excl. JLM interest), the Republic revised guidance 5bps tighter to m/s+45bps area (+/- 3bps WPIR) at 10:35 UKT. The high-quality demand supported setting the final size at this stage which was communicated at EUR750 million.
    • At 11:17 UKT, the high-quality orderbook surpassed EUR3.6 billion (excl. JLM interest) which enabled the spread to be set at m/s+42bps. This represented minimal new issue premium vis-à-vis the issuers EUR curve.
    • Books officially closed at 11:45 UKT with orders above EUR4.3 billion (excl. JLM interest). This represents the largest conventional ICELND orderbook on record, with only the inaugural Green 10-year ICELND benchmark due Mar-34 attracting higher total demand.
    • At 14:05 UKT, the new EUR750 million 2.625% May 2030 ICELND benchmark was priced at m/s+42bps with a re-offer yield of 2.672% p.a.

    Distribution:

    • This transaction confirms the strong investor demand for the Republic of Iceland’s credit in the international investor community, with a wide range of investors participating across the United Kingdom and Europe. Accounts from Germany / Austria / Switzerland received 25% of the allocations, Nordics 21%, UK 16%, Southern EU 13%, Benelux 11%, France 8% and 6% to Others.
    • By investor type, Fund Managers led the book with 53% of allocations, followed by Central Banks / Official Institutions with 17%, while Banks received 17% and Insurance / Pensions took 12%. Hedge Funds rounded out the remainder of the book with 1% allocation.

    Attachment

    • 250520 Iceland EUR750mn 5-year (May-30) – Final Press Release

    The MIL Network –

    May 21, 2025
  • MIL-OSI Global: Why do protestors use disruptive, confrontational tactics? New research shows they’re not just a last resort

    Source: The Conversation – UK – By Mete Sefa Uysal, Lecturer in Social & Political Psychology, University of Exeter

    Public protests are on the rise globally, from climate marches and university occupations to roadblocks and mass political demonstrations. These actions may sometimes include confrontational tactics such as civil disobedience, disruption and, at times, violent resistance.

    At Columbia University in the US, for instance, pro-Palestine student protests recently captured global attention for their tactics. They ranged from non-confrontational actions such as gatherings and sit-ins to campus encampments and occupations aimed at disrupting daily activities, which eventually led to confrontations with police.

    Actions like these often spark debate. Are activists acting strategically, or simply reacting out of desperation and rage? Our new research sheds light on this question. Contrary to popular belief, people do not only turn to confrontational protest because they are desperate or lack political alternatives.

    Confrontational protests are frequently portrayed negatively. They are often associated with extremism, disorder, or desperation. So it’s long been a mystery why people choose such confrontational forms of protest, especially given more conventional options like petitions or authorised rallies offer broader public support and visibility.

    In our surveys of 3,833 people across three countries – Germany, Turkey and the UK – we found that people choose confrontational action when they believe it is effective and legitimate for achieving their group’s political goals.

    That said, in some protests, confrontational tactics may emerge spontaneously as self-defence, driven by immediate threats. But it is not simply an emotional outburst or a last resort: it can be a strategic choice.

    This challenges a widely discussed idea in social and political psychology called the “nothing-to-lose” hypothesis. According to this view, people are driven to confrontational protest when they see non-confrontational action (such as voting, petitioning, or authorised marches) as ineffective. This is often because they have little political trust or are oppressed. Our studies ultimately tested this hypothesis.

    We found that most people rated non-confrontational actions as more effective than confrontational ones. But they still saw confrontational tactics as worthwhile if they also seemed effective and justifiable.

    Interestingly, we discovered that low political trust – a lack of belief that the political system works fairly – did not predict confrontational protest. In fact, it was only weakly linked to perceived effectiveness and legitimacy of such tactics.

    While previous theories suggested that people with nothing to lose would be the ones most drawn to radical action, our findings paint a more complex picture. People don’t necessarily need to lose all faith in the political system before considering disruptive protest. Rather, they judge whether a specific tactic will advance their cause and align with their collective moral values.

    Just Stop Oil protestors with hands glued to the frame of da Vinci’s The Last Supper.
    wikipedia, CC BY-SA

    We also found that when people think that protests are more likely to be met with state violence, they are more likely to view confrontational tactics as legitimate and effective. In other words, when crowds foresee push-back, they recalibrate their strategies rather than withdrawing altogether from activism.

    Constructive disruption

    This research matters now more than ever. From climate movements and pro-Palestine rallies in many countries to anti-government and pro-democracy protests in the US, Turkey, Serbia and Argentina, we are witnessing a global wave of protest crowds.

    Understanding what drives people to disruptive and confrontational actions can help both policymakers and the public make sense of protest in today’s divided world. This may be a better option than moralising about good versus bad forms of protests, which serves to silence and criminalise disruptive and confrontational actions.

    The former UK home secretary Suella Braverman labelled climate protesters “extremists” and pro-Palestinian protests “hate marches”. She also proposed harsher crackdowns. But such an approach is only likely to make the protests more disruptive.

    Similarly, several government responses to UK parliamentary reports on protest policing distinguish “right to peaceful protest” from any kind of disruptive and confrontational activism. They also highlight that the legal definition of “serious disruption” has been widened.

    But viewing all disruptive protests as being outside of legal boundaries is likely to create pushback among activists and limit the potential constructive social influence of such protests.

    We argue that it’s time to rethink how we talk about confrontational and disruptive protests. Rather than viewing them as irrational, extreme or born of despair, we should understand them as part of a wider repertoire of political action.

    Here, labelling a set of protests through binary, moralised terms can lead to overlooking and silencing a crucial and effective protest strategy: constructive disruption. Constructive disruption relies on carefully balancing non-violent but disruptive actions. This can apply pressure for change while signalling positive intent that encourages a conciliatory response to protest.

    As a group of social psychologists recently showed, constructive disruption could generate support even among those who are most resistant.

    If we recognise that such tactics are often grounded in a sense of justice and strategic reasoning, we can move away from moralistic judgements and toward democratic dialogue by better engaging with the underlying demands that drive them.

    As protest movements continue to shape political life around the world, we believe it’s time to take their strategies seriously – not just their slogans.

    Mete Sefa Uysal received funding from the International Society of Political Psychology Scholar Under Threat Fund for a part of this study.

    John Drury and Yasemin Gülsüm Acar do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.

    – ref. Why do protestors use disruptive, confrontational tactics? New research shows they’re not just a last resort – https://theconversation.com/why-do-protestors-use-disruptive-confrontational-tactics-new-research-shows-theyre-not-just-a-last-resort-256716

    MIL OSI – Global Reports –

    May 21, 2025
  • MIL-OSI: Sharc Energy’s Wet System Powers Groundbreaking Sen̓áḵw Energy System

    Source: GlobeNewswire (MIL-OSI)

    VANCOUVER, British Columbia, May 20, 2025 (GLOBE NEWSWIRE) — SHARC International Systems Inc. (CSE: SHRC) (FSE: IWIA) (OTCQB: INTWF) (“SHARC Energy” or the “Company”) is proud to announce its Wastewater Energy Transfer (“WET”) system as the core component of Creative Energy’s Sen̓áḵw Energy System, the district energy system, or thermal energy network, that will be supporting the landmark Vancouver-based project, Sen̓áḵw, an ambitious undertaking representing the largest real estate development in Canadian First Nations history. The SHARC WET system has been shipped to the project.

    District Energy Systems (“DES”), or Thermal Energy Networks (“TEN”), provide thermal energy to multiple buildings from a central energy plant. Steam or hot water produced at the plant is transmitted 24/7 through highly insulated underground thermal piping networks. Thermal energy is transferred into and from the building’s system through energy transfer stations placed in the building, reducing mechanical room space required for housing equipment and simplifying heating and cooling systems. SHARC Energy enables DES or TENs to leverage wastewater, a forgotten resource, as a low-carbon source of thermal energy to help save energy and reduce carbon emissions on a multiple-building scale.

    “We are extremely pleased to announce our partnership with Creative Energy and the Squamish Nation to participate in the rebirth of the historic village of Senakw located in the heart of Vancouver. We are developing a net-zero district heating and cooling system for Sen̓áḵw, which will contain 11 buildings and over 6,000 rental homes, designed to leverage sewer heat recovery as a low-carbon source of thermal energy by extracting heat from one of Metro Vancouver’s nearby sewer trunk mains. Working with SHARC Energy, we will utilize its WET system as the core component for the Sen̓áḵw Energy System,” says Kieran McConnell, Senior Vice President, Engineering & Innovation, Creative Energy.

    Sen̓áḵw is being developed by the Squamish Nation’s economic development arm, Nch’ḵay̓ Development Corporation. Once fully completed, it will comprise 11 buildings featuring over 6,000 rental units across more than 3 million square feet of residential floor space. It is set to become Canada’s largest net-zero operational carbon purpose-built community.

    Over the next 30 years, the Sen̓áḵw Energy System is projected to reduce carbon emissions by 120,000 tonnes compared to a conventional natural-gas based system. This reduction is equivalent to planting 5.5 Stanley Parks or 165,000 acres of trees. The system will initially provide heating and cooling to each building within the development with the potential for future expansion to accommodate upcoming projects.

    Significantly, this project not only represents the first private development in British Columbia to leverage Metro Vancouver’s Sewage and Waste: Heat Recovery policy, but also marks the first private residential development in Canada to harness an external sewer force main as its primary energy source.

    “District energy systems powered by renewable sources have significant benefits for the community and for the climate,” said Mike Hurley, Chair of the Metro Vancouver Board of Directors. “We’re pleased to provide access to the abundant heat in our sewers for this project and others like it, which will help us achieve regional carbon neutrality by 2050.”

    Currently, there are several WET district energy projects in development in various stages across the lower mainland of British Columbia. Quietly, the Metro Vancouver region is becoming the Wastewater Energy Transfer capital of the world showcasing climate leadership in how other regions globally can leverage a forgotten resource like wastewater to significantly decarbonize heating and gain natural resources like fresh water used in cooling towers. As highlighted in a recent Wall Street Journal article featuring several SHARC WET projects, awareness and education around the untapped reservoir of energy available in the sewers continues to gain momentum.

    “SHARC Energy is excited to be at the forefront of this transformative project,” said Michael Albertson, CEO of SHARC Energy. “The Sen̓áḵw development sets a new standard for sustainable urban living, and our WET system is pivotal in realizing this vision.”

    In North America, recent years have shown the proliferation of legislation supporting DES or TEN systems. Currently, eight states, including Massachusetts, Minnesota, New York, Colorado, Washington, Maryland, Vermont and California, have legislation that either allows or mandates utilities to develop thermal energy network demonstration projects or pilots.

    About SHARC Energy  

    SHARC International Systems Inc. is a world leader in energy transfer with the wastewater we send down the drain every day. SHARC Energy’s systems exchange thermal energy with wastewater, generating one of the most energy-efficient and economical systems for heating, cooling & hot water production for commercial, residential and industrial buildings along with thermal energy networks, commonly referred to as “District Energy”.

    SHARC Energy is publicly traded in Canada (CSE: SHRC), the United States (OTCQB: INTWF) and Germany (Frankfurt: IWIA) and you can find out more on our SEDAR profile.

    About Creative Energy

    Recognized as a leader in innovative energy solutions, Creative Energy designs, builds, owns, and operates sustainable district energy systems across North America. Our team has a client-focused, community-vested approach to projects that deliver outstanding quality and service while providing tangible value for continued growth. In addition to owning and operating one of Canada’s largest thermal networks in downtown Vancouver, Canada, we provide value to developers, landowners, end-users and the broader community through flexible thermal neighborhood energy systems. Our projects focus on innovation, resiliency, and sustainability, and span across a broad spectrum of technologies including geo-exchange, ocean exchange, cogeneration, microgrids, solar PVs, and sewer heat recovery.

    Serving customers for over 55 years with a reliability rate of 99.99%, we’re developing more than a dozen new low-carbon district energy systems across North America, including the revitalization and decarbonization of our downtown Vancouver steam plant which will be one of North America’s largest thermal fuel-switch projects and provide downtown Vancouver with renewable energy infrastructure for decades to come.

    Visit our website to learn more https://creative.energy/

    ON BEHALF OF THE BOARD

    Fred Andriano
    Chairman

    The Canadian Securities Exchange does not accept responsibility for the adequacy or accuracy of this release.

    Forward-Looking Statements 

    Certain statements contained in this news release may constitute forward-looking information. Forward-looking information is often, but not always, identified using words such as “anticipate”, “plan”, “estimate”, “expect”, “may”, “will”, “intend”, “should”, and similar expressions. Forward-looking information involves known and unknown risks, uncertainties and other factors that may cause actual results or events to differ materially from those anticipated in such forward-looking information. SHARC Energy’s actual results could differ materially from those anticipated in this forward-looking information as a result of regulatory decisions, competitive factors in the industries in which the Company operates, prevailing economic conditions, and other factors, many of which are beyond the control of the Company. SHARC Energy believes that the expectations reflected in the forward-looking information are reasonable, but no assurance can be given that these expectations will prove to be correct and such forward-looking information should not be unduly relied upon. Any forward-looking information contained in this news release represents the Company’s expectations as of the date hereof and is subject to change after such date. The Company disclaims any intention or obligation to update or revise any forward-looking information whether because of new information, future events or otherwise, except as required by applicable securities legislation. 

    A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/cb4c2081-233f-4ac1-b579-6ceb7d7449da

    The MIL Network –

    May 21, 2025
  • MIL-OSI Economics: Lufthansa Group: Winter flight schedule published and now available for booking

    Source: Lufthansa Group

    Lufthansa Group’s passenger airlines, including Lufthansa, Austrian Airlines, SWISS, Brussels Airlines, Eurowings and Discover Airlines, have published their winter flight schedules for 2025/26. The winter flight schedule begins on October 26, 2025. All destinations can be booked now.

    “A stable, punctual, and reliable flight schedule for all Lufthansa Group airlines for the winter, especially for the Christmas holidays, is our top priority. Our employees at the airports will ensure that everything runs smoothly. In addition, with the expansion of the Allegris offering at Lufthansa Airlines, we are bringing a significant upgrade in the premium segment to many core markets,” said Dieter Vranckx, Chief Commercial Officer Lufthansa Group.

    Winter flight schedule highlights for Lufthansa:

    For the 2025/2026 winter flight schedule, Lufthansa will offer additional long-haul flights whereby passengers can enjoy the new Allegris cabin in all classes: Economy, Premium Economy, Business, and First Class. Starting October 26, the new aircraft, with state-of-the-art cabin interiors, will fly daily from Munich to New York (John F. Kennedy and New Jersey-Newark), Chicago, Miami, Shanghai, Cape Town and Tokyo. In addition, Bengaluru in India will be served three times a week. This is the largest number of Allegris destinations operating simultaneously since its debut. Passengers already booked with these flights can now look forward to the Allegris seat.

    Ten A350-900s with the new cabin interior are already flying for Lufthansa in the winter schedule. More than half a million passengers in all classes have now enjoyed the new seats with extremely high satisfaction rates of nearly 100 percent. This year, Lufthansa also plans to introduce Allegris in Frankfurt with the Boeing 787-9 and the retrofitting of its existing fleet, starting with the Boeing 747-8.

    More news from Lufthansa: due to high demand, flights from Frankfurt to Bydgoszcz (Poland) and from Munich to Oradea (Romania) will continue next winter. These connections were added to the flight schedule in summer 2025. The winter season Airbus A380 destinations from Munich have also been confirmed: A380 enthusiasts can look forward to flights to Los Angeles, San Francisco, Bangkok and Delhi with the A380, which is extremely popular with guests and crew alike.

    Further news from Lufthansa Group Airlines:

    Austrian Airlines will add Amsterdam as a fourth destination from Innsbruck this winter, in addition to its existing connections to Brussels, Warsaw, and Copenhagen. Austrian Airlines is also expanding its service from Vienna to Bangkok: up to two daily connections are now on the flight schedule. From October 26, 2025, Austrian Airlines will now fly to Linate Airport instead of Malpensa for all flights to Milan. This change was made by taking over the corresponding slots from ITA Airways, which, like Austrian Airlines, has been part of the Lufthansa Group since the beginning of the year. Linate Airport is much closer to Milan, significantly reducing the travel time to the city center for passengers.

    SWISS is expanding its service to the Polish city of Krakow. In addition, the destinations Cluj-Napoca (Romania) and Košice (Slovakia), which were served for the first time last winter, will continue to be served from Zurich. The long-haul destination Washington D.C. (USA) will also continue from Zurich this winter. From Geneva, SWISS is focusing on connections to and from the UK, Ireland, and Scandinavia – especially for winter sports travelers planning a vacation in Switzerland.

    Brussels Airlines is continuing to expand its services from Brussels to Africa. Lomé (Togo), Dakar (Senegal), Conakry (Guinea), Monrovia (Liberia), Accra (Ghana), and Freetown (Sierra Leone) will all receive additional weekly connections. Brussels Airlines is thus strengthening its role as the “Africa expert” within the Lufthansa Group.

    Eurowings, Germany’s largest leisure airline, will connect Berlin with Abu Dhabi with three non-stop flights per week beginning in November 2025. After Dubai and Jeddah, this will be the third long-distance route for the German capital within a short space of time. The Berlin service to the booming metropolis of Dubai will also be expanded: Eurowings will fly to Dubai up to eleven times a week (instead of the previous seven times a week). Eurowings is also providing a real winter highlight in Lower Saxony: with the inaugural flight on November 4, there will be three direct flights a week from Hanover to Dubai. The third new destination will be reached from Baden-Württemberg: Eurowings will connect Stuttgart with Jeddah in Saudi Arabia twice a week going forward. The programme to Egypt is also being expanded: in the new winter flight schedule 25/26, Eurowings will be flying to Marsa Alam from Cologne, Hamburg and Berlin.

    Discover Airlines is adding another highlight to its route network: starting in winter 2025/26, the leisure-focused airline will fly non-stop from Frankfurt to the Seychelles for the first time. This is a first for the Lufthansa Group: no airline in the group has ever flown to the island paradise before. Flights to Punta Cana, in the Dominican Republic, are also on the schedule – the only direct connection from Munich to the popular Caribbean vacation destination. Discover Airlines is also adding Alta in Norway to its schedule from Frankfurt for the first time.

    MIL OSI Economics –

    May 21, 2025
  • MIL-OSI Europe: 2025 Scholarship for Peace and Security online component concludes following record number of applications

    Source: Organization for Security and Co-operation in Europe – OSCE

    Headline: 2025 Scholarship for Peace and Security online component concludes following record number of applications

    The online component of the 2025 OSCE Scholarship for Peace and Security concluded on 16 May. In total, 137 young professionals, selected from a pool of over 2,500 applicants, completed six weeks of intensive virtual learning and live discussions.
    The OSCE Scholarship for Peace and Security, with its strong focus on youth empowerment, contributes to building a new generation of leaders. Conflict prevention and resolution in the context of arms control, disarmament, and non-proliferation were the focus of the discussions between the participants and the instructors. The training programme covered a wide range of topics, including conventional arms control, non-proliferation of small arms and light weapons, weapons of mass destruction, and the prevention of terrorism and violent extremism.
    “I now understand so much more about the challenges facing today’s security architecture, the importance of cross-cutting issues, and the vital work the OSCE does to uphold the principles of peacebuilding and conflict resolution,” said Manizha, a participant from Tajikistan.
    Another participant, Aysenur from Turkiye, highlighted that the programme not only increased her understanding of arms control and disarmament issues in general but also gave her a deep insight into the OSCE’s comprehensive approach to security.
    Looking ahead, a group of selected graduates will be invited to Vienna in November for an on-site training on the work of various international organizations and diplomatic negotiations.
    A closing event was held with this year’s participants and representatives from the OSCE participating States supporting the programme: Andorra, Finland, Germany, Italy, Latvia, Spain and the United States.

    MIL OSI Europe News –

    May 20, 2025