Cyber Intelligence
Continued Degrading of U.S. Cyber Security
This report contains selected cybersecurity information from 18 April to 1 May 2025.
This report is TLP:CLEAR and MAY be shared freely.
David Swan, Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release: 1 May 2025.
Cyber Intelligence: U.S. Says PRC Now Primary Cyber Threat
Synopsis
- Russia has been replaced by the PRC as the primary cyber threat to the U.S. Despite this threat, the Trump Administration has terminated an investigation into “Salt Typhoon.” The FBI is now asking for public assistance in their ongoing investigation. Are we witnessing the first indicators of a new cyber war? Meanwhile, Russian hackers are highly active: the GRAPELOADER campaign targets European diplomats; Microsoft 365 accounts are used against Ukrainian supporters; Russian hacktivists are expanding their malware arsenals; NoName targets the Netherlands; France expresses frustration over APT28; and cybercriminals target NATO and even Russian organizations.
- Our assessment is that the three major cyber conflicts—Russia vs. Ukraine, Iran vs. Israel, and the People’s Republic of China—are the most likely sources of next-generation malware and/or primary cyberattack origins. These include state-funded hackers (military, intelligence, and civilian), affiliated hackers (criminals and mercenaries), and volunteer “supporters.”
The Rising Threats from the PRC
- PRC Masked Its Cyber Espionage Capabilities. At the RSA Conference in San Francisco on Monday, 28 April, retired Rear Admiral Mark Montgomery stated:
“Russia used to be considered America’s biggest adversary online, but over the past couple of years, China has taken that role and is proving highly effective.”
Montgomery, a former director for transnational threats on the U.S. National Security Council, emphasized that while the U.S. focused on defense, China honed its offensive cyber skills.
“For two decades, we said China did intellectual property theft and minor espionage. Now, we see they’re a major player. China’s bold Typhoon penetration revealed their growing capability. ‘Salt Typhoon’, executed alongside ‘Volt Typhoon’, involved traditional Chinese intelligence hacks into communications systems, while ‘Volt Typhoon’ targeted U.S. critical infrastructure. I think the Chinese Communist Party has gotten wicked good at this.”
- Investigating Committee Terminated by Trump Administration. Former members of the Department of Homeland Security’s Cyber Safety Review Board (CSRB) have spoken out after the Trump Administration ended their investigation into ‘Salt Typhoon’. The campaign involved compromising at least nine American telecommunications operators, law enforcement wiretapping platforms, and dozens of global telecom providers. Hackers also targeted the communications of politically connected individuals, including associates of President Donald Trump and Vice President JD Vance.
Former board members warn that disbanding the CSRB undermines efforts to mitigate future cyber incidents, and that ‘Salt Typhoon’ remains active.
- Expert Opinion on CSRB Termination.
Laura Galante, former head of the Office of the Director of National Intelligence’s Cyber Threat Intelligence Integration Center during the Biden administration, said:
“Cutting off that investigation into Salt Typhoon early really limits the telecom sector’s ability to understand, from all sides—intelligence, law enforcement, and victims—how we can improve. It shortchanges our national security.”
- FBI Seeks Public Help. On 24 April, the FBI issued a notice seeking information on the Salt Typhoon campaign. According to the bureau, the hacks “resulted in the theft of call data logs, a limited number of private communications involving identified victims, and the copying of information subject to court-ordered U.S. law enforcement requests.”
Analyst Comment: It is unclear what information the FBI realistically expects the public to provide.
- Analyst Comment on Salt and Volt Typhoon. The more these campaigns are examined, the more dangerous they appear. These are not merely espionage efforts—they potentially allow attackers to disable telecommunications and critical infrastructure. Investigators believe these operations are ongoing.
Regarding the CSRB termination: While advisory boards can be bureaucratic, the CSRB had unique insight and the potential to help victims understand and mitigate PRC cyber threats. Its loss represents a degradation in U.S. cybersecurity readiness.
India vs. Pakistan
- Pakistani Hackers Hit Indian Military Websites. Following the 22 April terrorist attack on tourists in Kashmir, a group calling itself “IOK Hacker” or “Internet of Khilafah” attacked several Indian military-affiliated websites, including those of the Army Public Schools in Srinagar and Ranikhet. The sites were digitally defaced with propaganda.
Additional targets included the Indian Army Welfare Housing Organization and the Indian Air Force Placement Organization. All affected sites were taken offline and restoration efforts began immediately.
Russia
- GRAPELOADER Campaign Targets Diplomats. Check Point Research has identified a new campaign by Russian hacker group APT29. The group impersonates the European Ministry of Foreign Affairs and invites targets to fake wine-tasting events. The campaign uses a tool called GRAPELOADER for fingerprinting, persistence, and payload delivery. The presence of newly developed malware suggests this is a serious campaign.
- Microsoft 365 Exploited in Attacks on Ukrainian Supporters. Russian hacker groups UTA0352 and UTA0355 are targeting individuals and organizations tied to Ukraine and human rights causes. The attackers use links that exploit Microsoft OAuth 2.0 authentication workflows to gain escalating access via Microsoft infrastructure.
- ICS and OT Systems Targeted. Cybersecurity firm Cyble warns that pro-Russian hacktivists are now attacking Industrial Control Systems (ICS) and Operational Technology (OT), in addition to traditional DDoS campaigns.
Cyberattacks surged by 50% in March. Cyble reports that hacktivist groups are becoming increasingly sophisticated, elevating them from a nuisance to a serious threat.
- Dutch Municipalities Attacked. On 28 April, the Russian group NoName057(16) launched a DDoS attack on twenty Dutch municipal websites. The attack disrupted websites in the provinces of Drenthe, Groningen, Noord-Brabant, Noord-Holland, and Overijssel. The stated motivation was the Netherlands’ support for Ukraine.
- France Frustrated with APT28. On 30 April, French authorities identified APT28—linked to Russia’s GRU—as the group behind recent attacks on a dozen government and institutional targets. Victims included local governments, ministries, aerospace firms, and financial entities. The group uses phishing, vulnerability exploitation, and brute-force attacks.
- Nebulous Mantis Targets NATO. Cybersecurity firm Catalyst reports that the Russian-speaking espionage group Nebulous Mantis is targeting critical infrastructure, governments, and NATO-linked entities. The group demonstrates strong operational security and advanced techniques, suggesting either state sponsorship or access to significant cybercrime resources.
- Russian Organizations Targeted by Cybercriminals. Russian firm F6 reports that cybercriminal group Hive0117 is targeting Russian sectors including media, finance, energy, biotech, and retail. The attacks use phishing to deliver a new version of DarkWatchman malware.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org