Cyber Briefing – July 13, 2026
TODAY’S TOP 5
CAMERA HACKS AND NEW RUSSIA WARNING: Russia has been spying on NATO military bases through civilian cameras connected to the internet, Dutch intelligence services said. Kremlin-based hackers accessed the devices to monitor the transfer of military equipment to Ukraine, the AIVD domestic security and MIVD military intelligence agencies said, The Telegraph reports. Their joint investigation found the Russian operation had targeted cameras pointing towards military transport routes in the hope of identifying what weapons were being sent to Kyiv. “Organizations with IP [internet protocol] cameras on these routes have now been warned so that they could take action,” the agencies warned after exposing what they described as a “large-scale Russian operation.”
- International allies strongly urge action to better defend against the threat from Russian state intelligence actors. Eighteen agencies from 12 countries published a new advisory highlighting the methods of Federal Security Service (FSB) Centre 16 cyber actors, who are exploiting vulnerable routers and opportunistically targeting networks belonging to critical national infrastructure (CNI) globally. Sectors most at risk from this global targeting, including communications, defense, energy, financial services, government and healthcare, are subsequently being urged to take action. This includes recommendations to use SNMPv3 and disable legacy SNMP versions, implement strong and unique passwords for network devices, and restrict access to management protocols through appropriate access controls.
- NATO released a joint statement today in which members “strongly condemn Russia’s persistent malicious cyber activities, leveraging its cyber ecosystem to target Allies and NATO partners” and stress that “these activities constitute a threat to Allied security.”
- Soon after troops invaded Ukraine in February 2022, Western leaders expelled hundreds of Russian spies from their capitals and blacklisted companies with ties to the Kremlin. The coordinated effort was intended to make it harder for the Kremlin to collect intelligence and buy equipment like microchips, transmitters and the machinery used to make weapons. Since then, officials say, dozens of those banished spies have turned up in an unexpected place: Japan. The country’s weak espionage laws and flourishing high-tech industry have made it a crucial piece of the Russian war effort, The New York Times reports. Ninety percent of Russian missiles and drones contain Japanese components, according to Ukrainian government estimates.
WHITE HOUSE TO RALLY UTILITIES, DATA CENTERS ON POWER PLEDGE: The White House plans to bring together utility companies and data center developers to make a voluntary pledge designed to ensure that rapid growth in electricity demand from artificial intelligence does not drive up power bills for households and businesses, according to three people familiar with the plans, Reuters reports. An event to announce the initiative is expected in the coming weeks, with several companies taking part and vowing to protect current ratepayers from shouldering all the costs of AI expansion. The guest list is still being finalized, the sources said. Surging demand from power-hungry data centers has prompted regulators, consumer advocates and lawmakers in several states to warn that households could end up subsidizing grid upgrades needed to serve some of the world’s largest technology companies, raising questions over whether the pledge will deliver concrete commitments or remain largely symbolic.
- About 30 miles from Clint McRae’s southeastern Montana ranch, a local utility company bought roughly 6,000 acres of cattle grazing land. After scouring job postings online and talking with local ranchers, he’s deduced that the land might soon be transformed into one of the many large-scale data centers moving into Montana over the past year. McRae’s primary concern is water. It is essential for cattlemen in the western plains who have for years been shrinking their cattle herds in response to droughts. Farmers have emerged as a new foe for data centers, The Wall Street Journal reports.
- Terry Ellis’s fixer wore an overcoat, a multicolored ascot, a Rolex. He had a husky voice and a good suntan. He reminded Ellis of the English actor Ray Winstone, best known for playing hard men in films like “Sexy Beast” and “The Departed.” Ellis, who was himself a hard man, sought inspiration from crime movies, the way an artist scrutinizes the canvases of the great masters; it was a viewing of “Ocean’s Eleven” that had led to the most successful phase of his criminal career. By the winter of 2007, Ellis had become one of his generation’s most dependable, and accomplished, heistmen. The fixer — Ellis called him Ray and won’t reveal his name — met him in North London near Hampstead Heath for coffee and cakes. When it came time to discuss business, to avoid being overheard, they strolled into the park. Ellis’s assignment was to break into a data center and steal around 80 servers that hosted the incriminating files, The New York Times reports.
CROWDSOURCING UAS INTEL: Smartphone apps like Ukraine’s ePPO, which citizens use to report UAS activity, can fill gaps in traditional air defenses. Use of these apps can also be extended to non-state actors such as cartels, who increasingly use UAS to control populations and territory, or beyond the air domain in resistance operations against repressive regimes. In these contexts, smartphone apps are a valuable tool that can be provided by Special Operations Forces (SOF) to civilian populations and guerrilla forces in order to better “arm” to take action, as well as to acquire data for kinetic and non-kinetic SOF responses. However, to be effective in these wider contexts, design and deployment of apps must address considerations including technical collection capability, legal status of citizen reporters, verification and reliability of data, and segmentation and security, Catherine M. Woods writes at Small Wars Journal.
- Ukraine is now demonstrating an alternative — and more effective — means to fight, taking the war deep into Russian territory not simply to punish Moscow, but to disrupt the systems that enable its military to continue fighting, Lt. Gen. David A. Deptula, USAF (Ret.) writes at Air and Space Forces Magazine. This is not a new idea. It is one of the oldest tenets of airpower: Attack the sources of an enemy’s military power directly, paralyze the systems on which the enemy depends, and impose costs that change the adversary’s strategic calculus. What is new is the means. Ukraine is executing strategic attacks with improvised, long-range, one-way uncrewed aircraft — more accurately described as low-cost cruise missiles. It is also employing special operations, maritime strike systems, cyber-enabled intelligence, and adaptive targeting.
FIRE THREAT TO THE GRID: Wildfires are increasingly threatening electric reliability across North America and the communities that depend on a resilient bulk power system. A new Wildfire Mitigation: Canadian Perspectives report identifies key actions to help industry address wildfire-related risks, while NERC’s new Wildfire Action Plan, just filed with the Federal Energy Regulatory Commission (FERC), outlines coordinated work to strengthen wildfire situational awareness, mitigation, engagement and standards development over the next three years. In recent decades, wildfires have grown in frequency, duration and severity, NERC said. These conditions make electric infrastructure more vulnerable, with an increased risk of outages, power line ignitions and other disturbances.
- It is 4:45 a.m. in the fictional town of Riverbend and the internet has just gone down. A tier one national cellular and telecommunications provider is suffering a service outage as a result of a cyberattack by Chinese military hackers, cutting off connectivity to millions of consumers and thousands of commercial and government organizations. For the next three days, one of those organizations, the Riverbend Public Utility, will have to figure out how to keep its 120,000 customers’ water supply flowing and safe, without the ubiquitous connectivity they, and the rest of us, take for granted. Cellular and landline phones don’t work, and neither do SMS-based messaging or alerts systems. There’s no internet access, so no cloud-based services like email, document sharing or timesheet apps. No telemetry from or SCADA connections to Riverbend Public Utility’s handful of remote sites. That was the scenario for last week’s Environmental Protection Agency National Cyber Drill, Gov Info Security reports.
HOW AI CAN HELP TERRORISTS: Terrorist groups have rarely been as technologically innovative as popular perception assumes. At the same time, dismissing technological adaptation would be a mistake, Daniel Byman and V.S. Subrahmanian write at the Center for Strategic and International Studies. Terrorist organizations have demonstrated an ability to absorb existing technologies and employ them creatively. The September 11 attacks combined two established methods — aircraft hijacking and suicide terrorism — in an unprecedented way. At the height of its power, the Islamic State used commercially available social media platforms more effectively than most governments at the time. Today, Hezbollah has integrated drones, precision-guided munitions and information operations into broader political-military campaigns. Terrorists are not technological pioneers in the conventional sense, but they are often capable adopters. AI lowers barriers, optimizes workflows, enables personalization of propaganda and recruitment, and allows smaller groups and individuals to perform tasks that have previously required more manpower, technical expertise, time and money. Although counterterrorism officials should pay attention to how AI can make terrorist operations more successful and lethal, AI will also matter most in the areas of propaganda, recruitment, radicalization, operational support, disinformation and organizational maintenance. Analysts who focus exclusively on spectacular attacks risk misunderstanding how terrorist movements survive and expand.
| OSINT YOU NEED TO START YOUR DAY: The Cyber Briefing is brought to you by the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University. SUBSCRIBE |
| WE WANT TO HEAR FROM YOU: What would you like to see in your morning briefing? Reach out to Executive Editor Bridget Johnson with your comments and suggestions |
CYBER FOCUS PODCAST
(Watch on YouTube or click the player above)
AI is changing the speed and scale of cyber conflict, but the burden on defenders remains the same: they have to protect complex systems all the time, while attackers only need one opening. That imbalance is especially urgent as critical infrastructure, intelligence missions and space systems become more connected, more contested and harder to secure. Chris Jones, chief technology officer at Nightwing and a former senior CIA technology leader, joins Frank Cilluffo on the latest episode of Cyber Focus to discuss what that means for national security. He explains why AI may give attackers a short-term advantage, why many breaches still come down to basic defensive discipline and why even the most advanced tools depend on skilled people, sound judgment and mission-focused teams.
SUBSCRIBE TO CYBER FOCUS: YouTube | Spotify | Apple Podcasts
CYBER AND CI UPDATES
ATTACKS AND INCIDENTS
Breaches
Lidl customers across Europe hit in suspected data breach
Lidl is warning its customers of a cyberattack which may have affected some of their personal information stored with the company. In a data breach notification published on its Netherlands, Belgium, and Germany websites, the German discount supermarket chain said an IT security incident at one of its IT service providers affected some of the data stored by Lidl Online Shop customers. “We were informed of this incident at the beginning of the week,” a machine-translated notification reads. “Despite high IT security standards, unknown persons briefly gained access to a separately stored file with customer data and part of the data was stolen from it. The system of the online shop itself is not affected.” (TECHRADAR.COM)
Communications
Police suspect Dutch hackers were involved in Odido breach
The Dutch National Police (Politie) says it has found “strong indications” that Dutch hackers have been involved in a February breach at the telecommunications provider Odido. “This includes a telephone conversation that was made with Odido customer service shortly before the hack. In this conversation, a Dutch-speaking man posed as Odido’s IT employee. The company was then misled through phishing, after which the data theft took place,” the police said in a Thursday press release. “This type of investigation is often complex and takes time, but cybercriminals are also vulnerable and leave traces. Traces have been secured at several times during the investigation into the hack at Odido, which the research team continued to work on,” added Stan Duijf, the head of operations at the National Investigation and Interventions Unit. (BLEEPINGCOMPUTER.COM)
Cybercrime
Money launderer accused of stealing seized crypto while in prison
A Bulgarian national has been charged with stealing $290,000 in government-seized cryptocurrency while serving 121 months in prison for helping launder millions stolen from American fraud victims. 53-year-old Rossen G. Iossifov appeared in federal court in the Eastern District of Kentucky this Wednesday on charges of removal of property to prevent seizure and conspiracy to commit money laundering. “Iossifov’s deliberate attempt to remove and launder lawfully seized funds is a direct challenge to our justice system and a blatant disregard to his victims’ rights,” said U.S. Secret Service (USSS) Special Agent Robert Holman in a Thursday press release. (BLEEPINGCOMPUTER.COM)
Emergency services
China, India hackers weaponized Pakistan police portal to hit civilians, officers
The findings, published by SentinelLABS, document four distinct cyberespionage campaigns targeting Pakistani law enforcement between February 2024 and April 2026, deploying four separate malware families or frameworks: PlugX, ShadowPad, Cobalt Strike, and Remcos. All four campaigns converged on Balochistan Police, the principal force serving Pakistan’s largest province by area. The report, titled One Target, Two Flags, marks the most detailed public accounting of simultaneous, independent nation-state intrusions into a single law enforcement institution, and its implications extend well beyond South Asia: any government agency that consolidates citizen data, biometric records, and public complaint portals into connected web applications has built the same kind of high-value target that drew two rival intelligence services to Balochistan. (TECHTIMES.COM)
Government
CISA looks to remedy ailments from big May credential leak
A major credential leak spurred the Cybersecurity and Infrastructure Security Agency to strengthen protections for its sensitive materials, improve how researchers can report agency vulnerabilities and develop plans for similar incidents, the agency said in a forensic report released Thursday. The blog post outlines CISA’s response to the leak that the researcher who discovered it in May called one of the worst he had ever seen, which also drew congressional scrutiny. “Sharing experiences from incident response activities help other organizations learn from such experiences and enables them to take necessary precautions to prevent similar incidents from happening in their environments,” wrote Preston Werntz, acting chief information officer and Brad Libbey, acting chief information security officer. (CYBERSCOOP.COM)
Health care
Cybercriminals flock to healthcare businesses as attacks surge
In February, a ransomware attack against the University of Mississippi Medical Center disrupted operations for more than two weeks. In March, a cyberattack on German medical-billing provider Unimed, which services 95% of the nation’s university hospitals and more than half of large clinics, resulted in the theft of sensitive health data for tens of thousands of patients. In the first half of 2026, cyberattacks on the healthcare sector jumped 14%, slightly more than the overall increase of 11% across all industries, according to data from technology research firm Comparitech. While healthcare providers — such as hospitals and doctors’ offices — saw a moderate rise in attacks, healthcare businesses suffered a significant increase of 35% compared with the second half of 2025 and 110% compared with the same six months from the previous year. (DARKREADING.COM)
Centers laboratory data breach affects 540,000 individuals
According to a data breach notice posted on its website, the New Jersey-based provider of testing and laboratory services for healthcare organizations discovered an intrusion in its IT environment in August 2025. An investigation showed that threat actors had gained “limited access” to Centers Laboratory systems between August 9 and August 14, exfiltrating personal and protected health information, including names, dates of birth, SSNs, driver’s license or state identification numbers, passport numbers, and health insurance and medical information. (SECURITYWEEK.COM)
WATCH: White House National Cyber Director Sean Cairncross, CISA Acting Director Nick Andersen and more top leaders at the recent McCrary Cyber Summit
THREATS
Artificial intelligence
Anthropic and OpenAI security tools could fuel cyberattacks, researchers warn
As organizations turn to Anthropic and OpenAI-powered agents to automate vulnerability discovery and patch management, researchers have warned that the extensive access these tools require could transform them into potential attack vectors. A new report published by the AI Now Institute on July 8 by Heidy Khlaaf, chief AI scientist, and Boyan Milanov, senior research scientist, demonstrated a proof-of-concept (PoC) exploit that enables remote code execution in two of the most used AI-powered command-line interfaces (CLIs), Anthropic’s Claude Code and OpenAI’s Codex. The exploit affects Claude Code when used with Claude Sonnet 4.6 and 5, as well as Opus 4.8 and Codex when used with GPT-5.5. (INFOSECURITY-MAGAZINE.COM)
New VEXAIoT AI agents autonomously exploit IoT vulnerabilities with 95% success rate
VEXAIoT, an autonomous multi-agent framework designed to discover and exploit vulnerabilities in the Internet of Things (IoT) within controlled test environments. In 200 attack trials against the intentionally vulnerable IoTGoat platform, the system completed 189 attacks, achieving an overall success rate of 94.5% (rounded to 95%). VEXAIoT, short for Vulnerability Exploitation using AI Agents for IoT, utilizes two coordinated large language model (LLM) agents: a vulnerability-detection agent and an attack-execution agent. (GBHACKERS.COM)
Cryptocurrency
Tangem wallet cards vulnerable to laser fault attack
Tangem sells its wallet as a credit-card-shaped cold-storage device built around a Samsung S3D232A secure element certified to EAL6+, a high assurance level under the Common Criteria security-certification framework. The chip handles key generation, storage, and transaction signing, and the master key never leaves the card. Physical possession of the card plus the correct password are the two factors that gate access to the funds it holds, according to Ledger Donjon. (SQMAGAZINE.CO.UK)
Fresh ATM crypto software bugs: Jackpot or bust?
A researcher has discovered nine vulnerabilities in an ATM and corporate security program. The researcher and major ATM manufacturer Diebold Nixdorf disagree, though, about whether it could allow attackers to steal cash or not. At Black Hat USA 2026, Matt Burch, principal security researcher for Atredis Partners, will present nine new vulnerabilities he discovered in CryptWare CryptoPro Secure Disk. CryptoPro, for short, is a full‑disk encryption (FDE) and pre‑boot authentication solution for Windows that, strangely, is marketed to both corporations generally and ATM manufacturers specifically. (DARKREADING.COM)
Malware
New MODBEACON RAT uses gRPC streaming for encrypted C2 traffic
The China-linked cybercrime group known as Silver Fox has been attributed to a new Rust-based remote access trojan (RAR) called MODBEACON. Chinese cybersecurity company QiAnXin said that while the threat cluster may appear like a low-sophistication, high-activity operation that propagates malware via counterfeit installers using SEO poisoning techniques, it belies their true organizational structure, which compromises multiple distributors. “These distributors conduct activities across Asia using counterfeit software installers distributed through SEO campaigns, leveraging variants of Gh0st RAT and WinOS (ValleyRAT) trojan families,” QiAnXin said. (THEHACKERNEWS.COM)
RedHook Android malware now uses Wireless ADB for shell access
A new version of the RedHook Android malware abuses the Android Wireless Debugging (Wireless ADB) mechanism in a novel way to gain shell-level privileges without requiring a computer connection. Researchers at cybersecurity company Group-IB analyzed the new release of the mobile malware and say that it significantly expands its capabilities compared to the previous variant documented in 2025. At the same time, the malware retains its remote access trojan (RAT) features, allowing it to stream the screen, intercept keystrokes, automate UI interactions, and steal credentials. (BLEEPINGCOMPUTER.COM)
Manufacturing
Nation-state actors are increasing attacks on manufacturing OT and ICS environments
Manufacturing organizations are facing a broader and more diverse threat landscape as nation-state espionage campaigns converge with financially motivated attacks, according to CYFIRMA’s latest industry report. Researchers observed manufacturing in 20 of 42 tracked APT campaigns during the past 90 days, involving the widest mix of China-linked groups seen across any industry alongside North Korean, Iranian, Russian and Pakistani threat actors. The report warns that attackers are increasingly targeting operating systems and host-level assets, underscoring growing exposure across OT (operational technology) and ICS (industrial control system) environments. (INDUSTRIALCYBER.CO)
Phishing
Misconfigured server reveals three Evilginx phishing operations targeting Microsoft 365
An attacker running a live Microsoft 365 phishing operation left a Python web server listening on a public port with directory listing switched on. The command that did it: python3 -m http.server 8080, was still sitting in the readable .bash_history. From that one lapse, French security firm Lexfo lifted the operator’s entire toolkit and pivoted through it to two more phishing operators, three campaigns in all. Each ran a custom fork of the open-source Evilginx proxy, cloned from public GitHub. The largest of the three had been running for more than a year, its victims overwhelmingly corporate mailboxes. (THEHACKERNEWS.COM)
Spear-phishing campaign uses Proton Drive links and LNK files to deliver SpyGlace
The APT-C-60 threat actor has continued targeting Japanese organizations with a spear-phishing campaign that abuses Proton Drive, Windows shortcut files, trusted developer platforms, and native Windows utilities to deliver the SpyGlace malware. While the group retains several established tradecraft elements, including the abuse of legitimate services and the use of git.exe to execute malicious scripts, the latest attacks introduce Proton Drive as a file-distribution mechanism and expand the list of platforms used for payload hosting. (GBHACKERS.COM)
Supply chain
Jscrambler npm package compromised: A security vendor becomes the supply chain risk
On Saturday, a malicious version of the jscrambler npm package was published to the npm registry using a compromised publishing credential. Version 8.14.0 shipped a preinstall hook that silently drops and runs a Rust infostealer on Windows, macOS, and Linux. The payload targets cloud credentials, CI tokens, browser sessions, crypto wallets, Bitwarden vaults, and the config files of AI coding tools like Claude Desktop and Cursor. Jscrambler deprecated the release and reports zero confirmed downloads so far, with the investigation ongoing. (SECURITYBOULEVARD.COM)
Vulnerabilities
Progress warns ShareFile Users: shut down on-premises servers immediately
Progress Software late Friday evening sent emails urging admins to shut down on-premises ShareFile Storage Zone Controllers servers due to a likely exploitation by threat actors. The company has implemented a two-step lockdown on ShareFile accounts using Storage Zone Controllers. Progress itself temporarily disabled these accounts and also alerted ShareFile customers to immediately pull the plugs on Storage Zone Controllers “out of an abundance of caution.” (CYBERNEWS.COM)
WP-SHELLSTORM campaign mass-compromises WordPress sites via plugin vulnerabilities
A recently exposed hacker server has revealed the full scope of the WP-SHELLSTORM campaign, a mass exploitation operation targeting thousands of WordPress sites globally. The adversaries behind WP-SHELLSTORM leveraged a suite of automated tools to scan for and exploit known vulnerabilities in popular WordPress plugins, deploying persistent webshells and advanced backdoors. The exposed infrastructure, discovered by security researchers, provided unprecedented insight into the attackers’ tactics, techniques, and procedures (TTPs), as well as the breadth of their victimology. This report details the technical aspects of the campaign, the threat actor profile, exploitation methods, and actionable mitigation strategies for organizations at risk. (RESCANA.COM)
Six new U-Boot flaws could let malicious image crash devices or run code at boot
Researchers at firmware security firm Binarly have found six new flaws in U-Boot, the small program that starts up hardware as varied as home routers, smart cameras, and the management chips inside data-center servers. Four of the bugs can crash a device. The other two could let an attacker who slips a malicious image in front of the bootloader run their own code, before the device has confirmed that the software is genuine. That last part is the point. A bootloader runs before the operating system, so a flaw here can undermine everything that loads after it. All six bugs are reached while U-Boot is still reading an untrusted image, before it has checked the signature. (THEHACKERNEWS.COM)
Organizations warned of exploited Joomla extension vulnerabilities
Threat actors have been exploiting critical vulnerabilities in the Balbooa Forms and iCagenda Joomla extensions that allow unauthenticated attackers to achieve remote code execution (RCE). The Balbooa flaw, tracked as CVE-2026-56291 (CVSS score of 10), is described as an unauthenticated arbitrary file upload issue affecting the extension’s frontend attachment upload endpoint. Balbooa Forms version 2.4.1 was released on July 9 with patches for the bug, but threat actors were observed exploiting it in the wild as a zero-day. (SECURITYWEEK.COM)

ADVERSARIES
China
Beijing tightens control over outbound investment
A new State Council administrative regulation is the first in the People’s Republic of China (PRC) to govern outbound investment as a whole. It defines “resident individuals” as outbound investors for the first time, subjecting private overseas investment to the approval, reporting, security-review, and penalty framework that previously only encompassed enterprises. The regulation arrived amid an escalating campaign against the offshore brokers through which mainland households bought U.S. stocks. This has led to penalties against the firms Futu, Tiger, and Longbridge in May, and an eight-department plan imposing a two-year, sell-only wind-down of existing mainland accounts. The regulation includes a national security review mechanism that applies not only to new investments but to the transfer, disposal, and offshore reinvestment of assets already held. But implementing rules that would let holders file or regularize are yet to be issued. (JAMESTOWN.ORG)
China recovered its first reusable rocket and showed a new way to do it
China’s sprawling state-owned rocket developer, maker of the country’s Long March rocket family, announced it recovered a reusable orbital-class booster for the first time Friday in the South China Sea. The milestone mission began with the liftoff of a Long March 10B rocket from the Wenchang Commercial Space Launch Site on Hainan Island, China’s southernmost province. Powered by seven kerosene-fueled engines, the approximately 209-foot-tall (63.6-meter) rocket took off at 12:15 am EDT (04:15 UTC), or 12:15 pm local time at the seaside spaceport at Wenchang. About 10 minutes later, the Long March 10B booster descended from space and guided itself into a four-legged frame affixed to an offshore vessel. (ARSTECHNICA.COM)
‘Anytime, anywhere’: Xi’s missile launch sends a clear warning
OPINION: China tested a nuclear-capable long-range ballistic missile launched from a nuclear- powered submarine over the Pacific this week. It was clearly a warning, but for what purpose and to achieve what strategic effect? When something is done to issue a warning, the clues cannot be too obscure or difficult for others to piece together. That is the point of a warning. Additionally, there is a Chinese strategy behind it and reasons for the missile test being performed this week. We can’t prevent China from doing this. What we can do is ensure the action does not achieve the strategic effect that Beijing is after. (HUDSON.ORG)
Iran
Live updates: Iran insists it controls Strait of Hormuz as it launches new strikes
Iran insisted on Monday that it controlled the Strait of Hormuz — an assertion the United States has denied — as it launched a fresh barrage of strikes aimed at American military assets throughout the Middle East. The new attacks, following dozens more American strikes overnight, extended a cycle of attacks that is unraveling the U.S.-Iran cease-fire. Shipping through the strait plummeted over the weekend after Iran attacked a Cypriot-flagged container ship on Saturday, setting off an exchange of hostilities that spilled into Monday. Just 14 ships passed through the waterway on Sunday, the lowest level in a month, according to Kpler, a maritime data firm. (NYTIMES.COM)
Survivors of Iranian attack that killed 6 U.S. troops say generals ignored warnings
Seconds after an Iranian drone struck his unit’s operations center in Kuwait, anArmy general responsible forthe troops inside got up from the floor, grabbed his protective vest and helmet, and shouted an order to a soldier beside him: “Get out!” It was March 1, barely a day into the U.S. war against Iran. Thedrone hit in the center of the building at Port Shuaiba, its concussive blast hurling troops into walls and igniting a deadly fire, survivors of the strike told The Washington Post. Brig. Gen. Clint Barnes ran for the emergency exit and to a nearby protective bunker, even as dozens of men and women under his command remained behind, said the soldier ordered to flee with him. (WASHINGTONPOST.COM)
Iranian bot campaign targets Nova festival massacre survivors with severe online abuse, propaganda
Survivors of the October 7 Supernova music festival massacre are facing a wave of online abuse from bots, which are suspected to be part of a coordinated campaign by Iran, according to a report by Fighting Online Antisemitism (FOA). The report found that social media platforms are failing to act against the bot-posted content, described by the FOA as a “sustained and multi-layered digital campaign” that hurls abusive comments and shares videos about the survivors. These posts often call for the survivors’ deaths and question the validity of their experiences on October 7 and its aftermath in an attempt to create false narratives and justify the events of that day, building on conspiracy theories surrounding the massacre. (JPOST.COM)
Russia
France set to summon Russian ambassador to Paris over alleged cyberattack campaign
France will summon the Russian ambassador to Paris in the coming days over an alleged cyberhacking campaign that Russia has carried out against European countries including France, French Foreign Minister Jean-Noel Barrot said on Monday. He added France would also place sanctions on some Russian individuals and entities. “Today, we will publicly condemn a widespread cyber campaign conducted by Russia that aimed to carry out sabotage and spying conducted against a dozen countries,” Barrot told BFM TV. (REUTERS VIA UK.NEWS.YAHOO.COM)
The geography of coercion: Russian missile and drone campaigns in Ukraine
Russia’s missile and drone campaign in Ukraine is a coercive strategy built around geography. CSIS Futures Lab analysis of oblast-level damage reports from 2023 through early 2026 shows that reported damage in Ukraine has increased sharply, becoming concentrated in frontline and southern regions as well as areas with industrial, energy, and port infrastructure and major urban centers. This pattern suggests that Moscow is using long-range firepower to disrupt logistics, strain critical infrastructure, pressure civilians, and impose cumulative costs on Ukraine’s ability to fight, repair, govern, and negotiate. The campaign has been shaped by the strategic value of targets, the rapid growth of Shahed-type drone launches, winter attacks against energy infrastructure, and the expansion of a drone-dense kill zone near the front. Modern coercion turns infrastructure, distance, and civilian vulnerability into political leverage. (CSIS.ORG)
The continued myth of Russia’s imminent collapse: Lessons from Prigozhin’s mutiny three years on
OPINION: Three years ago, in June 2023, the Kremlin confronted one of the most dramatic internal crises of Vladimir Putin’s quarter-century in power. Yevgeny Prigozhin, the former convict turned oligarch, Wagner founder, and longtime Kremlin insider known as Putin’s “chef,” launched an armed mutiny that stunned Russia and captivated the world. Wagner fighters seized the headquarters of Russia’s Southern Military District in Rostov before beginning an astonishing march toward Moscow, encountering remarkably little organized resistance along the way. (THECIPHERBRIEF.COM)

GOVERNMENT AND INDUSTRY
Artificial intelligence
Energy IT shop not interested in Grok, Perplexity as its AI portfolio expands
While the Department of Energy is working to expand AI model options for employees using its Joulix suite of tools, it isn’t looking to just add for the sake of more, per the agency’s top technology official. “I could have an agreement with every vendor, every frontier model out there,” Dawn Zimmer, CIO at the Energy Department, said in an interview with FedScoop. “But which ones do people really want? Nobody’s going to use all of them.” Some vendors aren’t making the cut. (FEDSCOOP.COM)
VA disability benefits: Opportunities and challenges to modernizing technology and adopting AI
AI holds substantial promise for improving government operations, and VA is exploring multiple uses of AI for disability benefits, such as claims processing. However, GAO has reported that generative AI can increase risk and hinder accountability, in part because even its designers may not fully understand how it works. It can also require significant computational and technical resources. VA is exploring using AI to further automate the processing of disability claims, a use case that could benefit veterans. But this use could present a challenge in detecting errors or misuse, owing to AI’s lack of transparency. GAO has a framework to help ensure accountability and responsible use of AI. VA and other agencies could use this framework as they consider, select, and implement AI systems. (GAO.GOV)
The careless birth of an AI umbrella
OPINION: Granting access to frontier AI is poised to become one of the most potent sources of American power since the dawn of extended nuclear deterrence. The United States now holds a currency that every government on the planet wants—one that China is struggling to mint, and which appreciates with each passing month. So far, Washington has spent the first half of 2026 dispensing that currency through improvisation and revoking it by tantrum. A better investment is possible. It requires moving from a posture of denial to one of guarantees. (AEI.ORG)
Data centers
Irish data centers now guzzle 23% of the country’s electricity
Electricity used by datacenters in Ireland increased by 10 percent during 2025, despite an effective moratorium on most new datacenter grid connections in the Dublin area. The latest figures from Ireland’s Central Statistics Office (CSO) show that giant server farms now account for nearly a quarter of the country’s metered electricity consumption. Their share rose to 23 percent in 2025 after passing 20 percent in 2023 and 14 percent in 2021 – up from just 5 percent way back in 2015. (THEREGISTER.COM)
Defense
Air Force pushing contractors to purge Anthropic by Sept. 1: Memo
The Air Force Research Laboratory is pushing its contractors to purge all Anthropic products from their systems by Sept. 1, almost a month ahead of a Defense Department-wide deadline, according to memos obtained by Breaking Defense. The AFRL memo, sent to industry July 9, says it is issued to “formally notify” contractors of the Department-wide requirement for “the removal of all products and services provided by Anthropic.” AFRL asks its contractors to find all use of Anthropic anywhere in their systems report back by Aug. 1, then remove them completely by Sept. 1. That target date is almost a month ahead of a Sept. 29 Department of Defense-wide deadline, but the memo says such a buffer is necessary “to allow for administrative processing time and to ensure the DoW [Department of War] deadline is met” and “to ensure a smooth transition and facilitate any necessary modifications to your contract.” (BREAKINGDEFENSE.COM)
DoD class deviation leaves contractors with more questions than answers
The Defense Department’s recently released class deviation leaves defense contractors with many of the same questions they previously had about how they should comply with a series of restrictions aimed at severing ties with companies the Pentagon says support Beijing’s military. In fact, it adds even more ambiguity. Several China-related contracting restrictions enacted by Congress took effect on June 30, including banning the Defense Department from contracting with companies that retain consultants lobbying on behalf of companies designated by the Pentagon as Chinese military companies under its Section 1260H list, as well as prohibiting DoD from entering into, renewing or extending a contract for the procurement of goods, services or technology with those blacklisted firms. (FEDERALNEWSNETWORK.COM)
What the Pentagon’s new post-quantum cryptography directive means for defense contractors
The Defense Department’s new Post-Quantum Cryptography (PQC) Strategy calls for new Cybersecurity Maturity Model Certification (CMMC) requirements that leverage quantum-resistant algorithms. And while experts say it’s likely to be some time before updates are finalized, they stress that the defense industrial base is likely unprepared. The Pentagon’s new 25-page strategy published in June largely focuses on defending its own systems against quantum threats by initiating a PQC migration, but the document also urges the defense industrial base to move with the department. Among the multiple deadlines and milestones outlined in the plan, the DOD notes that it will update CMMC with requirements based on PQC. (DEFENSESCOOP.COM)
Marines eye cloudless networks to keep AI tools running when the cloud goes down
The cloud connectivity that makes big AI models work is also the reason they won’t work in war. As the Marine Corps explores ways to bring AI tools to the battlefield, it is looking at one software company’s proposal to keep troops computing when broader access gets cut off. Ditto will announce Monday that the Marines’ Project Dynamis will evaluate their technology for turning radios, cell phones, even drones, into a local network that can keep data flowing and AI tools running locally when cloud access disappears. “Ditto’s position is that we do not leverage a server-client model,” Eric Hanft, Ditto’s senior vice president for public sector and a former Army infantry officer, said in an interview. “If you continue to architect your data flows around that, you never remove this fundamental dependency that, if two edge nodes need to communicate and have to go to and from a server — and that server is not available — there’s no communication.” (DEFENSEONE.COM)
Drones
DARPA gearing up for heavy-lift drone competition
The Defense Advanced Research Projects Agency has tapped more than 120 organizations to compete for millions of dollars in prize money at a drone competition slated for early next month. The employment of attack drones and intelligence, surveillance and reconnaissance (ISR) drones on overseas battlefields in places like Ukraine and the Middle East have garnered many headlines, but the U.S. military is also keen on unmanned aerial systems that can support logistics and keep service members out of harm’s way. DARPA’s Lift Challenge is aimed at drastically improving the payload-to-weight ratios for vertical-lift unmanned aerial systems that could carry cargo for troops as well as the commercial sector. (DEFENSESCOOP.COM)
New drone czar’s success hinges on personalities, Pentagon politics: Experts
A week-and-a-half after Secretary of Defense Pete Hegseth ordered a sweeping centralization of most service-run drone programs under one manager, no one’s yet been named to fill that powerful role. There aren’t even widespread rumors about who is under consideration for the Direct Reporting Portfolio Manager job, colloquially being called the “drone czar.” But in a town where personalities often trump policy, experts told Breaking Defense that who runs the new office — and how well they manage the inevitable intramural frictions — matters more than what’s written in the formal memorandum [PDF] establishing the office. “A memo by itself never solves anything, but in this case I’m willing to give the benefit of the doubt to the secretary,” said Jack Shanahan, a retired Air Force three-star who led similarly centralized high-tech efforts as head of Project Maven and the Joint AI Center. “I put this in the category of ‘better to be bold and move out right now, than to wait for a perfect solution in a year or two.’” (BREAKINGDEFENSE.COM)
IT modernization
Economic uncertainty is forcing cities to rethink technology investments, AI and resilience
As federal pandemic relief and infrastructure funding winds down, cities across the U.S. are increasingly looking to new technologies, like artificial intelligence, to help stretch limited budgets and support economic development, according to a report published Friday. The National League of Cities, an advocacy group, identifies in its annual State of the Cities report that economic development is top priority for mayors in 2026, followed by infrastructure, public health and safety, housing and budget management. But unlike in previous years, technology is less a standalone priority than an enabler across nearly every policy area, the report’s authors found, from workforce development and AI adoption to cybersecurity and resilient infrastructure. (STATESCOOP.COM)
Nuclear
America’s first nuclear plant restart may be near the finish line
Up until recently, the U.S. was in a yearslong dry spell in the construction of new nuclear power plants. The hiatus finally ended in April, when two next-generation nuclear developers broke ground on their debut plants. Though those facilities will take years to finish, the next reactor set to patch onto the U.S. grid could be mere months away. That’s because Holtec International, long known for its work decommissioning shuttered nuclear plants, is seeking to restart a defunct power station in Michigan — a first for the U.S. (CANARYMEDIA.COM)
LEGISLATIVE UPDATES
Lawmakers call for passage of Russia sanctions bill to honor late Sen. Graham
U.S. lawmakers from both parties have called for the swift passage of a bipartisan Russia sanctions bill following the death of Senator Lindsey Graham, describing the legislation as a fitting tribute to his longstanding support for Ukraine. Graham, a Republican from South Carolina, died on July 11 following what his office described as a “brief and sudden illness.” In a statement posted on social media, Senator Jeanne Shaheen, a Democrat from New Hampshire, said Graham had been working until his final days to advance sanctions legislation aimed at increasing pressure on Russia. “On Friday, Senators Graham, Blumenthal, Wicker and I announced White House support for our Russia sanctions legislation to help finally achieve peace for Ukraine, which Lindsey described as one of his most consequential efforts,” Shaheen wrote. (CALIBER.AZ)
COMMITTEE ACTIVITY:
NSS: The Senate Foreign Relations Subcommittee on Western Hemisphere, Transnational Crime, Civilian Security, Democracy, Human Rights, and Global Women’s Issues will hold a July 14 hearing on the National Security Strategy and the western hemisphere.
AI AND SMALL BUSINESS: The House Small Business Committee will hold a July 14 hearing on how AI is shaping the future of small business.
AI COMPETITION: The House Foreign Affairs Committee will hold a BIS budget hearing on July 14 focusing on the AI arms race and the ICTS office.
SUPPLY CHAIN: The House Foreign Affairs Committee will hold a July 15 hearing on ending supply chain dependency.
RESEARCH: The House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party will hold a July 15 hearing on protecting American innovation in the federal research security enterprise.
ELECTIONS: The House Administration Subcommittee on Elections will hold a July 15 hearing on election observation.
FRAUD: The House Oversight and Government Reform Subcommittee on Government Operations will hold a July 15 hearing on emerging fraud threats and the evolving fraud landscape.
ALERTS AND ADVISORIES
Improve router hygiene to protect against Russian state-sponsored targeting
Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks. This joint Cybersecurity Advisory (CSA) builds on FBI’s Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure Public Service Announcement of the decadeplus FSB Center 16 cyber activity by providing additional tactics, techniques, and procedures (TTPs) to enable defenders to more fully understand and counter the threat. (IC3.GOV)
CISA adds two known exploited vulnerabilities to catalog
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation: CVE-2026-48939 iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability, CVE-2026-56291 Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise. (CISA.GOV)
Vulnerability impacting Roundcube webmail – CVE-2025-49113
While the Cyber Centre has not received any reports of exploitation, the existence of a proof of concept (POC) significantly raises the likeness of abuse by malicious actors. The existence of a published POC makes it imperative to take action to assess and mitigate this vulnerability. The Cyber Centre is aware that exploitation of CVE-2024-42009 has been used to obtain valid credentials, which could lead to exploitation of CVE-2025-49113. CISA added CVE-2024-42009 to their Known Exploited Vulnerabilities (KEV) catalog on June 9, 2025. (CYBER.GC.CA)
Events
TO BE INCLUDED IN THIS CALENDAR, SUBMIT YOUR SECURITY-FOCUSED EVENT FOR CONSIDERATION
CONNECTED CARS: Join Chris Miller, the author of Chip War and a nonresident senior fellow at AEI, alongside Senator Bernie Moreno and Chairman John Moolenaar of the Select Committee on China for a July 13 discussion on how Congress is addressing the threat posed by Chinese data collection through connected vehicles.
RESEARCH SECURITY: Congress, federal agencies, and some university leaders have taken important steps in recent years to strengthen research security and improve transparency surrounding foreign funding, talent recruitment programs, and research partnerships. However, significant vulnerabilities remain. To discuss the evolving research security landscape, please join FDD for a July 14 conversation featuring House Select Committee on China Chairman John Moolenaar (R-Mich.) and Senator Jim Banks (R-Ind.). Moderated by FDD Senior Fellow Craig Singleton, the conversation will examine the challenges posed by the Chinese Communist Party’s efforts to leverage American universities for strategic gain and potential safeguards in this year’s National Defense Authorization Act.
AXIS OF UPHEAVAL: Join CNAS on July 14 for a virtual panel discussion on this topic to mark the release of a new report, Forecasting the Future of the Axis of Upheaval: The View from Moscow, by Andrea Kendall-Taylor. This report assesses the future of the “axis of upheaval” — the deepening relationships among Russia, China, Iran, and North Korea — from Moscow’s perspective. Kendall-Taylor argues that Russia’s support is likely to remain pragmatic and calibrated. In crises, Moscow is likely to provide its partners with political backing, economic support, intelligence sharing, technology transfers, and limited military assistance—particularly in areas such as drone warfare and regime security — while avoiding direct conflict with the United States.
AI CYBER DEFENSE: Join the CSIS Economic Security and Technology Department on July 15 for a discussion on the growing role of artificial intelligence in cyber defense and what it means for the future of national security, critical infrastructure protection, and digital resilience. As cyber threats become more sophisticated and persistent, governments and industry are increasingly turning to AI-enabled tools to detect intrusions, automate threat analysis, strengthen network defense, and respond to attacks at machine speed.
AI WIRELESS: Join the American Enterprise Institute July 15 to look at how AI and telecommunications infrastructure are converging in 6G — the first AI-native generation. We will bring together leaders from the public and private sectors to share perspectives on global competition in 6G and America’s opportunity to regain its leadership in the telecommunications industry. This event will offer timely insight at the frontier of a field still taking shape.
AI AND EDUCATION: On July 16, the Center for Universal Education at Brookings will host a conversation to examine the effects of AI slop on young children’s learning, development, and well-being, as well as the incentives driving its production. As the third event in the Generation AI Starts Early webinar series, the discussion will bring together perspectives from health, media, and policy to explore what AI-generated content means for young children, caregivers, policymakers, and the broader media ecosystem.
6G: Join CSIS, senior U.S. government officials and leading global partners for a July 29 public forum examining the geopolitical and security landscape of next-generation wireless infrastructure. This event will feature the launch of the “Call to Action for 6G Leadership and Security,” a joint initiative between the United States (coordinated by the National Telecommunications and Information Administration) and partner nations designed to strengthen digital supply chains, accelerate innovation, and expand multilateral cooperation on wireless technology.
AI HEALTH CARE: The AI in Health Conference from Sept. 15 to Sept. 17 bridges the gap between artificial intelligence and real-world health outcomes — focusing not just on what AI can do, but on what it should do to improve patient care. Hosted by the Ken Kennedy Institute at Rice University, the fifth annual AI in Health Conference will explore the current landscape of artificial intelligence in health and present a research-driven outlook for the future of computational health innovation. The program is designed to connect researchers and innovators with engineers, clinicians, and entrepreneurs at the forefront of AI in healthcare and public health.
FOLLOW THE McCRARY INSTITUTE ON LINKEDIN | X | BLUESKY
SUBSCRIBE TO THE CYBER FOCUS PODCAST: YOUTUBE | SPOTIFY | APPLE PODCASTS