Border Cyber Group
May 21, 2026
[ITEM 1] — Salt Typhoon is still inside telecom infrastructure, and the U.S. government has admitted it doesn't know the full scope
Salt Typhoon — the PRC Ministry of State Security-linked group confirmed behind the most significant telecom espionage campaign in U.S. history — has not been evicted. CISA's own executive assistant director for cybersecurity said publicly: "We cannot say with certainty that the adversary has been evicted, because we still don't know the scope of what they're doing." Recorded Future observed Salt Typhoon breaching five additional telecommunications firms between December 2024 and January 2025, continuing to operate despite U.S. sanctions — victims include a U.S.-based affiliate of a prominent U.K. telecom, a U.S. ISP, and telecoms in Italy, South Africa, and Thailand. The FBI confirmed in February 2026 that Salt Typhoon threats remain active and ongoing. Salt Typhoon's confirmed reach extends beyond telecoms to government, transportation, lodging, and military infrastructure networks globally, with at least 600 organizations notified that the hackers had interest in their systems across 80+ nations.
Watch for: CISA and agency partners have acknowledged that initial access methods remain unknown in many confirmed cases — that information gap is itself a significant unresolved problem. Any CISA advisory clarifying initial access vectors would be a priority read.
Sources: CISA joint advisory AA25-239A (August 27, 2025); Recorded Future/Insikt Group report (February 2025, via TechCrunch); FBI February 2026 confirmation; Global Cyber Alliance AIDE report (December 2025).
[ITEM 2] — BlackLock didn't get taken down by law enforcement. A security firm hacked it first, then a rival ransomware group ate the carcass.
Resecurity researchers discovered a vulnerability in BlackLock's dark web data leak site, exploited it, infiltrated the gang's network, and passed the intelligence to law enforcement — described as the first time a security firm successfully infiltrated a ransomware operation's infrastructure in this manner. The group's operational security collapsed when its clearnet IP was exposed, causing panic among affiliates. On March 20, 2025, BlackLock's leak site was defaced by rival group DragonForce, which exploited the same weakened state — and code analysis showed overlapping structures between BlackLock and DragonForce ransomware, with nearly identical ransom notes. DragonForce subsequently announced a transition to a full ransomware cartel model, absorbed RansomHub's infrastructure and affiliates, and by August 2025 had launched a paid "data analysis service" generating tailored extortion materials for affiliates targeting companies with over $15 million annual revenue. BlackLock is effectively absorbed. DragonForce is the active successor threat.
Watch for: DragonForce has been linked to Scattered Spider, The Com, and the broader BlackLock/Mamona lineage — the cartel model means attacks may not carry the DragonForce brand. Watch for RaaS attacks from new affiliate brands operating on DragonForce infrastructure.
Sources: Resecurity blog post (March 2025); Loginsoft analysis (January 2026); Searchlight Cyber report (March 2026); Trend Micro DragonForce spotlight; Sophos CTU research (May 2025).
[ITEM 3] — Ivanti's Neurons for ITSM has real vulnerabilities — but they're not the pre-auth RCE the original item implied
Ivanti disclosed two vulnerabilities in Neurons for ITSM in April 2026, CVE-2026-4913 (CVSS 5.7) and CVE-2026-4914 (CVSS 5.4), both rated medium severity, both requiring authenticated access, with no evidence of exploitation in the wild at time of disclosure. However, the broader Ivanti vulnerability pattern is legitimately alarming: a separate critical vulnerability, CVE-2025-22462 with a CVSS score of 9.8, disclosed in July 2025, allowed a remote unauthenticated attacker to bypass authentication and gain administrative access to Ivanti Neurons for ITSM — affecting versions 2023.4, 2024.2, and 2024.3. Ivanti's sustained vulnerability disclosure cadence across its product line — Connect Secure, Policy Secure, ITSM — remains a genuine concern for enterprise defenders. The pattern is real even where this specific claim was not.
Watch for: On-premises deployments of Ivanti Neurons for ITSM running versions prior to 2025.4 remain unpatched unless administrators manually applied the update through Ivanti's License System. Cloud customers were patched automatically in December 2025. The gap is in on-premises installs.
Sources: Ivanti April 2026 Security Advisory; SecurityWeek (April 15, 2026); runZero Ivanti ITSM analysis (July 2025).
[ITEM 4] — DPRK IT worker infiltrations grew 220% in twelve months. They're using deepfakes in live interviews now and it takes one hour to build the kit.
CrowdStrike's 2025 Threat Hunting Report documented that the number of companies infiltrated by North Korean IT workers grew 220% over the prior twelve months, with operatives placing themselves at more than 320 companies. CrowdStrike investigators observe approximately one incident per day at current tempo. Unit 42 at Palo Alto Networks documented and demonstrated that a single researcher with no image manipulation experience and a five-year-old computer could create a functional synthetic identity for job interviews in 70 minutes — showing how accessible the toolkit has become. The DOJ announced sweeping enforcement on June 30, 2025, including two indictments, searches of 29 laptop farms across 16 states, seizure of 29 financial accounts, and takedown of 21 fraudulent websites. OFAC imposed additional sanctions on July 8, July 24, and August 27, 2025, targeting facilitators in Russia, China, India, and Burma. North Korea's total crypto theft for 2025 reached an estimated $2.02 billion — a 51% increase — with the IT worker scheme generating approximately $800 million in 2024 alone.
Watch for: Unit 42 identified specific detection techniques — the "ear-to-shoulder," "nose show," and "sky-or-ground" compression artifacts — that help human interviewers detect real-time deepfakes. HR and security teams at companies hiring remote ML/AI engineers should be using these checks now. CrowdStrike has also documented DPRK operatives using AI chatbots to maintain multiple simultaneous employment positions.
Sources: CrowdStrike 2025 Threat Hunting Report; Unit 42/Palo Alto Networks (April 2025); DOJ enforcement announcement (June 2025); Crowell & Moring legal analysis; U.S. Treasury OFAC sanctions notices.
[ITEM 5] — Poland's security agency documented ICS breaches at five water treatment plants. The specific incident in the previous version was invented.
Poland's Internal Security Agency (ABW) published a report in May 2026 documenting a significant escalation in cyberattacks targeting industrial control systems at critical infrastructure during 2024 and 2025, with state-sponsored threat actors shifting focus toward physical disruption of critical services — specifically including ICS breaches at five water treatment plants. A Polish official revealed in August 2025 that a cyberattack could have caused a city to lose its water supply, but the attack was thwarted. Separately, Denmark attributed a 2024 destructive attack on a water utility — which caused pipes to burst and left homes without water — to Russian pro-state group Z-Pentest, while NoName057(16) conducted denial-of-service attacks on Danish websites ahead of recent elections. The threat to European water infrastructure from Russian-affiliated actors is documented. The specific May 19 incident was not.
Watch for: Poland's ABW report is written in Polish and has received limited English-language coverage. The documentation of state-sponsored ICS targeting at water facilities is significant and deserves more attention than it has received. ENISA's annual threat landscape report will be the authoritative follow-on document.
Sources: SecurityWeek (May 8, 2026) covering ABW report; Associated Press documentation of European Russian sabotage incidents; Danish Defense Intelligence Service statement.
[ITEM 6] — ICE is using Paragon's Graphite spyware. The contract was closed out. What replaced it is unclear — and that opacity is the story.
On September 1, 2025, U.S. Immigration and Customs Enforcement lifted a stop-work order that had paused a $2 million contract with Paragon Solutions — a contract originally signed in September 2024 and frozen within ten days pending compliance review against Executive Order 14093, which restricts U.S. procurement of commercial spyware with counterintelligence risks. In April 2026, ICE confirmed the deployment of Graphite in domestic drug trafficking investigations. Then: a federal procurement notice shows the Paragon contract was modified on January 20, 2026 to close it out — but DHS confirmed it had not "entered another contract with Paragon Solutions, Inc." while declining to clarify whether it retained access to Paragon-developed tools through Paragon's acquirer, REDLattice. Paragon was acquired by U.S. private equity firm AE Industrial Partners and merged with REDLattice, a company with reported ties to U.S. intelligence and special operations contracting. The government's statement that it holds no contract with "Paragon Solutions, Inc." is technically precise in a way that may be deliberately uninformative. Access Now notes that ICE has steadily expanded its surveillance arsenal to include Palantir, Clearview AI, and Cellebrite alongside spyware capabilities.
Watch for: Whether any contract between ICE and REDLattice appears on federal procurement databases. NPR could not find one as of May 19, 2026. The Citizen Lab and Access Now are both actively monitoring. Congressional inquiries from members on the House Judiciary Committee are pending.
Sources: Access Now (October 2025, updated April 2026); NPR (May 19, 2026); Infosecurity Magazine (March 2026); Immigration Policy Tracking Project; Federal procurement documents via Jack Poulson/All-Source Intelligence.
[ITEM 7] — There were real PyPI supply chain attacks this week. The package that got hit was Microsoft's own durabletask framework library.
Security researchers reported on May 20, 2026 that three malicious releases of Microsoft's durabletask package on PyPI — versions 1.4.1, 1.4.2, and 1.4.3 — carried a Linux-focused Mini Shai-Hulud payload capable of stealing cloud credentials and, under certain conditions, wiping disks. The durabletask package is tied to Microsoft's Durable Task Framework, a workflow orchestration library used in the Azure ecosystem — meaning developers encountering it in a dependency chain treat it as a Microsoft-adjacent package with legitimate provenance, not a suspicious new upload. Additionally, the pytorch-lightning package was compromised on April 30, 2026, with malicious versions 2.6.2 and 2.6.3 containing code that steals developer credentials and republishes infected versions to repositories where stolen tokens have access — a self-propagating mechanism that spread to the npm package intercom-client as well. The LiteLLM compromise in early 2026 used a poisoned GitHub Action to steal PyPI tokens and publish a credential-stealing package — the same end-state reached through a different entry point.
Watch for: Any Azure-connected environment where Python packages were installed or updated in the past week should audit against the durabletask version numbers. The credential exfiltration means some environments are already compromised; the disk-wiping capability means the clock on post-exploitation activity has already started for affected systems.
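One way to run the audit described above across an environment or a pinned requirements file, as an added example (not code from the original post, Microsoft, or Sonatype): the known-bad versions are the ones this item names, and the sample pip freeze output is constructed for the demonstration.

```python
"""Audit pinned Python packages against the malicious PyPI releases named above.
Added example; the sample pip freeze output at the bottom is constructed."""
import re
import subprocess
import sys

# Malicious releases named in the item (package names in PEP 503 normalized form).
KNOWN_BAD = {
    "durabletask": {"1.4.1", "1.4.2", "1.4.3"},
    "pytorch-lightning": {"2.6.2", "2.6.3"},
}

def normalize(name: str) -> str:
    """PEP 503 normalization so pytorch_lightning, PyTorch-Lightning and pytorch.lightning all match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_freeze(text: str) -> dict:
    """Parse pip freeze / requirements lines into {normalized_name: version}.
    Lines not pinned with '==' (editable installs, VCS URLs, comments) are skipped."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;]*)", line)
        if m:
            found[normalize(m.group(1))] = m.group(2)
    return found

def find_hits(installed: dict) -> list:
    """Return sorted (package, version) pairs whose pinned version is a known-bad release."""
    return sorted((n, v) for n, v in installed.items() if v in KNOWN_BAD.get(n, set()))

def audit_environment() -> list:
    """Run pip freeze in the current interpreter's environment and audit the result."""
    proc = subprocess.run([sys.executable, "-m", "pip", "freeze"],
                          capture_output=True, text=True, check=False)
    return find_hits(parse_freeze(proc.stdout))

# Constructed sample: one malicious pin, one clean pin of a listed package, two unrelated lines.
SAMPLE_FREEZE = """\
example-dep==1.0.0
durabletask==1.4.2
pytorch_lightning==2.6.1
-e git+https://example.invalid/repo.git#egg=internal_tool
another-dep==2.0.0  # pinned for reproducibility
"""

if __name__ == "__main__":
    for name, ver in find_hits(parse_freeze(SAMPLE_FREEZE)):
        print(f"MALICIOUS RELEASE PINNED: {name}=={ver}")
```

The same parser works on a saved `pip freeze` dump or a `requirements.txt` lockfile, which is the artifact to check on build hosts and CI runners that may no longer have the environment installed.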
Sources: WindowsForum/Sonatype (May 20, 2026); Sonatype blog on pytorch-lightning (April 2026); Snyk analysis of elementary-data PyPI compromise and LiteLLM attack chain.
[ITEM 8] — Sandworm pivoted to misconfigured VPN concentrators and edge devices. Amazon documented a four-year campaign in December 2025. This is not new. It's just finally public.
Amazon's threat intelligence team disclosed details of a years-long Russian GRU campaign attributed with high confidence to Sandworm/APT44 targeting Western critical infrastructure between 2021 and 2025, focusing on energy sector organizations across North America and Europe, as well as telecoms and cloud-hosted infrastructure. Beginning in 2025, AWS analysts observed a notable shift: a decline in zero-day and known vulnerability exploitation and a corresponding increase in targeting misconfigured network edge devices, exposed management interfaces, and identity-related weaknesses. Targets included enterprise routers, VPN concentrators, network management appliances, and collaboration platforms. Amazon notified affected customers where it found compromised network appliances. A separate investigation into the December 2025 cyberattack on Polish energy infrastructure — which a Polish deputy prime minister called "an act of Russian sabotage" — found attribution pointing not to Sandworm but to a quieter FSB-linked cluster, suggesting the boundaries between GRU sabotage operations and FSB espionage tradecraft may be blurring.
Watch for: The Amazon report is a primary source document and is publicly available. Organizations running unmanaged VPN concentrators or edge devices in energy and telecom environments that have not reviewed that report should do so immediately. The shift from zero-day exploitation to configuration abuse means the attack surface is in network operations teams' hands, not just patch management.
Sources: Amazon AWS threat intelligence blog (December 16, 2025); The Hacker News/Recorded Future (December 2025); SecureWorld coverage of AWS disclosure; Balkan Insight investigation into Polish energy infrastructure attack (February 2026).
[ITEM 9] — The SEC cyber disclosure rule is under active attack from the industry and the current administration. The loophole is real, but the bigger story is that the rule may not survive. [REGULATORY SIGNAL]
Between December 2023 and early 2025, only 54 companies filed 80 Form 8-K disclosures under the rule — 26 under the material incident provision — with the SEC settling enforcement actions totaling over $8 million in penalties and launching the Cyber and Emerging Technologies Unit in February 2025. Only 17% of filings provided detailed information on material impacts — a gap the SEC itself has flagged as likely to draw regulatory scrutiny. But the rule's future is now genuinely uncertain: on May 22, 2025, a coalition of banking associations including the American Bankers Association and SIFMA petitioned the SEC to rescind the four-business-day incident disclosure requirement entirely. This followed SEC Chair Paul Atkins' April 2025 appointment and a Republican majority on the Commission. The SEC has not yet acted on the petition, but must issue a proposal, solicit public comment, and provide reasoned explanation if it chooses to rescind — the process gives industry time to build the record for repeal. The materiality-timing tension exists structurally: the rule's clock starts at "determination of materiality," which is a legal judgment companies make internally.
Watch for: Whether the SEC publishes a notice of proposed rulemaking to modify or rescind the incident disclosure requirement. The agency has not published its statutorily required Spring 2025 regulatory agenda as of this writing — that absence is itself a signal about the current commission's priorities. The Cyber and Emerging Technologies Unit was stood up under the prior commission's direction; its enforcement posture under the Atkins commission is an open question.
Sources: DLA Piper Market Edge analysis (June 2025); ComplianceHub.Wiki enforcement review (November 2025); SEC formal withdrawal of 14 Gensler-era proposed rules (June 12, 2025); FINRA advisory on Regulation S-P compliance deadlines.
Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com.
If you would like to support our work, providing useful, well researched and detailed evaluations of current cybersecurity topics at no cost, feel free to buy us a coffee! https://bordercybergroup.com/#/portal/support