Axios Codebook

February 25, 2025
Happy Tuesday! Welcome back to Codebook.
📣 Before we start, a few announcements:
- Next week, Codebook is becoming the Future of Cybersecurity and moving to a weekly schedule. You'll receive the first edition on March 4 and every Tuesday after that. Stay tuned for more details!
- Tomorrow, I'm in D.C. interviewing Rep. Chrissy Houlahan (D-Pa.) and former CISA director Chris Krebs as part of an exclusive reception in honor of Netflix's new show "Zero Day." RSVP to join us.
Today's newsletter is 1,030 words, a 4-minute read.
1 big thing: State-linked hackers share their most dangerous tools
State-backed hackers are increasingly sharing their most dangerous cyber weapons with hacktivists who disregard the norms of digital warfare, according to a new report from Dragos.
Why it matters: Critical infrastructure organizations — such as utility operators and food manufacturers — are among the least prepared for cyberattacks due to limited budgets and a shortage of cybersecurity personnel.
- This growing collaboration between nation-state hackers and civilian hacking groups could escalate attacks aimed at shutting down essential services like water systems, rail transport and power grids.
Driving the news: Dragos, a cybersecurity firm specializing in critical infrastructure, released its annual report this morning, detailing new threat groups and emerging tactics.
- The report is considered a must-read for all critical infrastructure operators, and this year's findings include details about both new malware strains and hacker groups specifically targeting critical infrastructure.
The big picture: Geopolitical conflicts are increasingly fueling cyberattacks on civilian infrastructure, Dragos CEO Robert M. Lee told reporters during a press briefing.
- Many nation-state hacking teams and politically motivated civilian hackers tracked by Dragos have shown "interesting connections" over the past year, Lee said.
- Those connections could lead to foreign government hackers, who typically focus on low-frequency, high-impact cyberattacks, sharing their destructive cyber tools with civilian groups that launch far more attacks, the report notes.
What they're saying: "That's something, candidly speaking, most communities simply are not prepared for," Lee told reporters. "It requires a much different level of defense investment than we're currently seeing in the [operational technology] security space."
By the numbers: 70% of vulnerabilities affecting critical infrastructure organizations last year were "deep within the ICS network," meaning that the affected devices were closer to the operational process of running a critical service, according to the report.
- 39% of network vulnerabilities found in 2024 could also cause system operators "both a loss of view and a loss of control."
Zoom in: Dragos also warned about Bauxite, a newly identified hacking group aligned with Iranian interests — noting that it's likely to enhance its capabilities and launch more destructive cyberattacks globally this year.
- Since 2023, Bauxite has carried out at least four cyber campaigns targeting critical infrastructure organizations in the United States, Europe, Australia and West Africa, Dragos said.
- Its targets span key industries, including electricity, oil and gas, water, food and beverage, chemicals, and manufacturing.
- Bauxite members are known to lurk in online forums discussing critical infrastructure technology. They monitor security vulnerabilities in specific software to refine their attack methods.
- The group has exploited vulnerable Sophos firewalls and Unitronics equipment controllers and has scanned devices from Siemens, Cimon Automation and others for weaknesses.
Meanwhile, Dragos researchers identified two new malware strains — Fuxnet and FrostyGoop — deployed last year in attacks that reportedly shut off heat in more than 600 Ukrainian apartment buildings and disabled industrial sensors in Moscow.
Between the lines: Many of these attacks could have been prevented with basic cybersecurity practices, such as changing default administrator passwords and restricting system access.
- Dragos recommends that critical infrastructure organizations update their incident response plans, increase their visibility into their networks so they can better detect new threats, and focus on securing remote access to their most sensitive systems.
2. North Korean hackers behind supersized heist
North Korea's Lazarus Group is suspected of stealing $1.46 billion in cryptocurrency from Dubai-based exchange Bybit, according to new research from blockchain analytics firm Elliptic.
Why it matters: The heist sets a new record for crypto thefts, underscoring North Korea's growing sophistication in stealing digital assets to fund its regime.
By the numbers: The Bybit theft more than doubles the previous record of $611 million set by the August 2021 hack of Poly Network.
- In that case, most of the stolen funds were eventually returned by the hacker.
Catch up quick: Bybit said last week that hackers had drained nearly $1.5 billion from its ether cold wallet.
- The exchange said its operations and customer funds were unaffected.
- But the sheer scale and tactics of the attack remain notable — cold wallets are typically considered a safer storage option since they're offline and harder to breach.
The big picture: Even compared to traditional bank heists, Bybit's theft is unprecedented.
- Elliptic called it "almost certainly the single largest known theft of any kind in all time."
- That record was previously held by Saddam Hussein, who stole $1 billion from the Iraqi Central Bank on the eve of the 2003 Iraq War.
3. Catch up quick
@ D.C.
🇨🇳 The Republican National Committee quietly responded to a China-backed hack of its internal communications in the weeks leading up to this past summer's convention and leaders opted not to report the intrusion to the FBI. (Wall Street Journal)
🇷🇺 Edward Coristine, a 19-year-old coder who is now working at DOGE, is the grandson of a former KGB spy who worked undercover at the Soviet Embassy in the 1980s. (Jacob Silverman)
😵💫 The Social Security Administration was actively investigating whether a career employee had improperly shared information with Elon Musk's tech team when President Trump tapped that employee to be an acting commissioner. (Washington Post)
@ Industry
🧳 CrowdStrike chief security officer Shawn Henry is leaving his role by the end of the month, according to a regulatory filing. (Cybersecurity Dive)
🤖 Anthropic has integrated advanced reasoning capabilities into its latest model, Claude 3.7 Sonnet. (Axios)
👀 Clearview AI, the controversial facial recognition company, named two new chief executives — one of whom is a known Trump fundraiser. (The Record)
@ Hackers and hacks
⚠️ A botnet made up of more than 130,000 compromised devices is conducting an active password-spraying attack against Microsoft 365 accounts worldwide. (BleepingComputer)
🗃️ Hackers recently breached DISA Global Solutions, an employee screening service, and accessed the data of more than 3 million people. (TechCrunch)
👻 The FBI and CISA published an advisory warning about a new ransomware gang, Ghost, that has already targeted organizations in more than 70 countries. (Business Insider)
4. 1 fun thing
If you've been keeping up with my pottery journey, I finished my cat vase — and a few other items — that I showed you a few weeks ago.
- The color-dyed clay burned out in a weird way (this was originally purple and pink!), but I think it still looks pretty neat.
☀️ See y'all Friday!
Thanks to Megan Morrone for editing and Khalid Adad for copy editing this newsletter.