GPS spoofing, 16 billion passwords exposed, Operation RoundPress, and Active Cyber Defense

Notable news for the week of June 15-21, 2025. This week, your editor is Koichi from F5 Security Incident Response Team. In this edition, I have security news about GPS spoofing, 16 billion passwords exposed, Operation RoundPress, and Active Cyber Defense.

We at F5 SIRT invest a lot of time to understand the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.


GPS spoofing is observed on a live map

Cyber attacks have intensified in the wake of the armed conflict between Israel and Iran. Israeli hackers attacked Iran's state-owned Bank Sepah and the Iran-based cryptocurrency exchange Nobitex. Meanwhile, Iran also attacked Israeli infrastructure. Although those cyber-attacks cannot be seen directly from abroad, there are forms of cyber-attack that can be observed online: aircraft and ship tracking services show strange movements of aircraft and ships around Iran. Aircraft and vessels receive radio signals from GNSS (i.e. GPS) satellites to determine their position, and they broadcast that position via the ADS-B (aircraft) and AIS (vessel) systems.

Aircraft and vessel tracking services receive those broadcast signals and display the positions of aircraft and vessels on a live map. However, since the military conflict between Israel and Iran began, radio signals from GNSS (i.e. GPS) satellites have been jammed (GPS jamming), making it impossible to display the positions of aircraft and ships, and position information has been altered (GPS spoofing), which causes ships and aircraft to appear on maps in locations where they should not be. Around the time of this collision, GPS spoofing, probably of Iranian origin, was observed in the Persian Gulf. As a result, vessels' reported positions have been observed tracing a circular pattern.

Source: Phantom Tankers: GPS Interference Roils Gulf Shipping
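The circular tracks described above can be flagged automatically from a vessel's own AIS position reports. The following is an added example (not code from the cited article or from F5) with constructed track data: it checks whether consecutive reports imply an impossible speed and whether the reports keep a near-constant distance from their centroid while sweeping most of a full turn, the signature of a spoofed ring.

```python
# Added example for the GNSS spoofing item: plausibility checks over a vessel's
# AIS position reports. Not from the cited article; the track data is constructed.
import math

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def max_speed_knots(track):
    """Highest speed implied by consecutive reports; track is [(seconds, lat, lon), ...]."""
    best = 0.0
    for (t0, la0, lo0), (t1, la1, lo1) in zip(track, track[1:]):
        if t1 > t0:
            best = max(best, haversine_nm(la0, lo0, la1, lo1) * 3600 / (t1 - t0))
    return best

def looks_circular(track, tolerance=0.15, min_sweep_deg=270):
    """True when reports keep a near-constant distance from their centroid and
    sweep most of a full turn around it (the ring pattern seen in spoofed tracks)."""
    clat = sum(p[1] for p in track) / len(track)
    clon = sum(p[2] for p in track) / len(track)
    radii = [haversine_nm(clat, clon, la, lo) for _, la, lo in track]
    mean_r = sum(radii) / len(radii)
    if mean_r == 0:
        return False
    spread = max(abs(r - mean_r) for r in radii) / mean_r
    # Bearing of each report from the centroid, with longitude scaled for latitude.
    angles = sorted(math.degrees(math.atan2(la - clat, (lo - clon) * math.cos(math.radians(clat)))) % 360
                    for _, la, lo in track)
    gaps = [b - a for a, b in zip(angles, angles[1:])] + [angles[0] + 360 - angles[-1]]
    return spread <= tolerance and 360 - max(gaps) >= min_sweep_deg

def assess(track, max_plausible_knots=30):
    """List the plausibility failures for a track (empty list means nothing odd)."""
    issues = []
    if max_speed_knots(track) > max_plausible_knots:
        issues.append("implausible speed")
    if looks_circular(track):
        issues.append("circular track")
    return issues

def constructed_ring(clat=26.5, clon=52.0, radius_nm=0.5, n=12, step_s=60):
    """Constructed sample: n reports, step_s apart, on a ring of radius_nm around (clat, clon)."""
    return [(i * step_s,
             clat + radius_nm / 60 * math.sin(2 * math.pi * i / n),
             clon + radius_nm / 60 * math.cos(2 * math.pi * i / n) / math.cos(math.radians(clat)))
            for i in range(n)]
```

The speed threshold and the 15% radius tolerance are assumptions chosen for the constructed data; real deployments would tune them per vessel class and report interval.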


16 billion login credentials are exposed

Cybernews researchers announced on June 18th that more than 16 billion login credentials had been compromised this year. This is believed to be one of the largest data breaches ever. Ongoing investigations by the researchers since earlier this year suggest that the massive breach was the work of multiple infostealer (information-stealing) malware families.

The leaked data also includes credentials for Apple, Facebook, Google, GitHub, Telegram and government services in various countries, which risks enabling access to almost every major online service. According to the researchers, large sets of exposed data are being discovered every few weeks, raising strong concerns about the rapid spread of infostealers.

To mitigate this, Google suggests that users change their Gmail account passwords as soon as possible, use password managers, and use passkeys wherever possible.

Source: 16 billion passwords exposed in record-breaking data breach, opening access to Facebook, Google, Apple, and any other service imaginable

Source: 16 Billion Apple, Facebook, Google And Other Passwords Leaked


Operation RoundPress

ESET Research has revealed Operation RoundPress, an advanced cyber-espionage operation by the pro-Russian Sednit group, also known as APT28, targeting high-value entities such as governments and major defense companies in Europe, Africa and South America.

Operation RoundPress uses variants of the SpyPress malware to attack webmail, including Roundcube and Zimbra. It sends spear-phishing emails to the target webmail servers that are disguised as current news-related text, but a review of the HTML code shows malicious JavaScript embedded in the body. When the victim opens the malicious email, the SpyPress JavaScript payload is loaded and executed, stealing webmail credentials, message content and contact information from the victim’s inbox.

Source: Surge in XSS Cyberattacks Targets Popular Webmail Platforms, ESET Reports

Source: ESET Research uncovers Operation RoundPress: Russia-aligned Sednit targets entities linked to the Ukraine war to steal confidential data


"Active Cyber Defense" Part 5

In earlier TWIS articles (like this and this), I wrote about the “Active Cyber Defense” that is going to be introduced in Japan, and there was further progress at a cabinet meeting on June 20th.

The Japanese government decided to establish the National Cyber Headquarters (NCH, or National Cyber Office) on July 1st. This will be done by reorganizing the current National Center of Incident Readiness and Strategy for Cybersecurity (NISC), and the NCH will serve as a command post for “Active Cyber Defense” to prevent cyber attacks before they happen.

The “Active Cyber Defense” bill would allow the government to enter into agreements with operators of critical infrastructure and obtain communications information in order to monitor for cyber-attack threats.

Source: https://www3.nhk.or.jp/news/html/20250620/k10014839811000.html (Japanese)

Updated Jun 30, 2025
Version 2.0