News Week: July 7th to July 13th, 2025

July 14, 2025

A Chinese citizen was arrested at Milan’s Malpensa Airport earlier this month on suspicion of ties to Silk Typhoon, a state-backed hacking group also known as Hafnium. The 33-year-old suspect, Xu Zewei, was apprehended on a U.S. international warrant and is believed to be connected to cyberattacks targeting American institutions and health researchers. Italian reports suggest his involvement in espionage operations aimed at stealing COVID-19 vaccine data in 2020. More recent incidents attributed to the group include breaches at the U.S. Treasury’s Office of Foreign Assets Control and cloud-based supply chain attacks. Microsoft has warned that Silk Typhoon increasingly exploits remote management tools to infiltrate downstream networks. Xu remains in custody in Busto Arsizio as U.S. authorities seek extradition. The arrest highlights the global scale and persistence of nation-state cyber threats targeting critical sectors and sensitive data.

DragonForce Ransomware Hits M&S via Sophisticated Social Engineering

Marks & Spencer confirmed that the recent ransomware attack on its systems was the result of a targeted social engineering campaign. The breach began with a convincing impersonation of an employee, which tricked a third-party help desk—allegedly tied to Tata Consultancy Services—into resetting a password. This opened the door for the DragonForce ransomware group to infiltrate M&S’s infrastructure. Believed to be linked to Scattered Spider, the attackers deployed a double-extortion scheme: encrypting data while simultaneously exfiltrating approximately 150GB of sensitive files. DragonForce, distinct from the hacktivist group DragonForce Malaysia, is thought to be operating from Russia or Asia. No stolen data has appeared on DragonForce’s extortion site, and that absence has sparked speculation that M&S may have quietly paid a ransom. M&S refrained from confirming this, citing security concerns, but confirmed full cooperation with the National Crime Agency and other authorities during the investigation.

Ingram Micro Begins Recovery After SafePay Ransomware Disruption

Global IT distributor Ingram Micro is in the process of restoring key business operations following a major ransomware attack carried out by the SafePay group. The cyberattack, which hit just before the July 4th holiday, caused a global outage that took down websites and disrupted order processing systems. In response, Ingram Micro implemented a company-wide password and multi-factor authentication reset and began restoring VPN access and critical internal platforms. By early this week, the company resumed order intake via phone and email in major regions including the US, UK, Germany, and several others. Although SafePay has not yet publicly claimed the attack, the group is known for data theft and double-extortion tactics, raising concerns about potential leaks if a ransom is not paid. As of now, Ingram Micro has not confirmed whether sensitive data was stolen, but recovery efforts continue as employees slowly return to normal operations.

Qantas Data Breach Affects 5.7 Million Amid Scattered Spider Campaign

Qantas has confirmed a massive data breach affecting 5.7 million customers, following a cyberattack linked to the threat group Scattered Spider. The breach stemmed from a compromise of a third-party contact center platform, with attackers exfiltrating personal information ranging from names and email addresses to addresses, birthdates, and phone numbers. While Qantas emphasizes that no financial data, passwords, or passport information was accessed, the volume of exposed customer details remains significant. The airline is now contacting affected individuals directly and has ramped up cybersecurity measures in response. Scattered Spider—known for its aggressive social engineering tactics and ransomware deployments—has been increasingly targeting aviation and retail sectors. In Qantas’s case, the attackers have reportedly begun extortion attempts. This breach adds to a growing list of high-profile incidents attributed to the group, including recent attacks on WestJet, Hawaiian Airlines, and companies like M&S, where DragonForce ransomware was also deployed.

Russian Basketball Player Arrested Over Ties to Ransomware Gangs

Russian pro basketball player Daniil Kasatkin was arrested in France under a U.S. warrant for allegedly serving as a negotiator for a major ransomware gang. Kasatkin, who formerly played for Penn State and later in Moscow’s MBA league, was detained upon arrival at Charles de Gaulle airport. U.S. authorities accuse him of conspiring in cyberattacks that targeted over 900 organizations, including federal agencies, between 2020 and 2022. Although the gang was not officially named, the scope of the attacks aligns with the Conti ransomware group, a successor to Ryuk known for high-profile breaches and extortion. Conti disbanded in 2022, but its members remain under investigation globally. This arrest adds to recent enforcement actions against ransomware gangs, including operators of BreachForums and affiliates linked to IntelBroker and ShinyHunters. The incident highlights how ransomware networks continue to rely on a broad support infrastructure—from developers to negotiators—to execute their double-extortion schemes.

Gravity Forms Plugin Hacked, Enabling Remote Code Execution via Backdoor

The developer of Gravity Forms, a widely used WordPress plugin, has confirmed a supply-chain attack that injected a backdoor into manually downloaded plugin versions. The backdoor allows unauthenticated remote code execution on affected servers, granting attackers full control. Security firm Patchstack discovered that compromised plugin files sent site metadata to a malicious domain and received base64-encoded PHP malware in return. This payload, disguised as core WordPress functionality, enabled execution of arbitrary code without authentication through functions like handle_posts() and init_content_management(). The malware also created unauthorized admin accounts and blocked plugin updates. Only manual downloads and Composer installs of versions 2.9.11.1 and 2.9.12, retrieved between July 10 and 11, were affected. The Gravity API used for automatic updates remained untouched. WordPress admins are urged to reinstall clean versions immediately and scan their sites for signs of remote code execution and unauthorized access.
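For admins who want a starting point for the scan recommended above, the following is an added example (not from the article, Patchstack, or the Gravity Forms project). It walks a plugin directory, reads the version declared in the plugin header, and flags PHP files that define the function names the report mentions (handle_posts, init_content_management) or that decode and execute a base64 payload. The sample plugin tree it builds, the file name sample-backdoored.php, and the indicator regexes are constructed for illustration and are not the real malware or its real file paths; a match means "look closer", not "confirmed compromise".

```python
"""Added example: indicator scan for a backdoored plugin directory.
The indicator list and the sample files below are constructed for
illustration; they are not taken from the real Gravity Forms malware."""
import os
import re
import tempfile

# Versions the article reports as affected for manual/Composer installs.
AFFECTED_VERSIONS = {"2.9.11.1", "2.9.12"}

# Indicators: the function names named in the report, plus the generic
# "decode base64, then execute it" construct used to run fetched PHP.
INDICATORS = {
    "suspicious_function": re.compile(
        r"function\s+(handle_posts|init_content_management)\s*\("
    ),
    "base64_exec": re.compile(
        r"\b(eval|assert|create_function)\s*\(\s*base64_decode\s*\(", re.I
    ),
}

# Matches the "Version:" line of a standard WordPress plugin header.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([\w.]+)", re.M)


def plugin_version(plugin_dir):
    """Return the version declared in gravityforms.php, or None."""
    main = os.path.join(plugin_dir, "gravityforms.php")
    if not os.path.isfile(main):
        return None
    with open(main, encoding="utf-8", errors="replace") as fh:
        m = VERSION_RE.search(fh.read(4096))
    return m.group(1) if m else None


def scan_plugin(plugin_dir):
    """Scan every .php file under plugin_dir. Returns a dict with the
    declared version, whether it is an affected version, and a sorted
    list of (relative_path, indicator_name) hits."""
    hits = []
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for label, pattern in INDICATORS.items():
                if pattern.search(text):
                    hits.append((os.path.relpath(path, plugin_dir), label))
    version = plugin_version(plugin_dir)
    return {
        "version": version,
        "affected_version": version in AFFECTED_VERSIONS,
        "hits": sorted(hits),
    }


def build_sample_plugin():
    """Constructed sample: a plugin tree with a header file, one clean
    file and one file carrying the indicator patterns. Returns its path."""
    d = tempfile.mkdtemp(prefix="gf-sample-")
    with open(os.path.join(d, "gravityforms.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 2.9.12\n*/\n")
    os.makedirs(os.path.join(d, "common"))
    with open(os.path.join(d, "common", "clean.php"), "w") as fh:
        fh.write("<?php\nfunction gf_render_form($id) { return $id; }\n")
    # Hypothetical file name; the real backdoor's paths are not on the page.
    with open(os.path.join(d, "common", "sample-backdoored.php"), "w") as fh:
        fh.write(
            "<?php\nfunction handle_posts() {}\n"
            "function init_content_management() {}\n"
            "eval(base64_decode($payload));\n"
        )
    return d


if __name__ == "__main__":
    report = scan_plugin(build_sample_plugin())
    print(f"version {report['version']} affected={report['affected_version']}")
    for path, label in report["hits"]:
        print(f"  {label}: {path}")
```

Run it against a real install as `scan_plugin("/path/to/wp-content/plugins/gravityforms")`. A version match on its own only says the install came from the affected window; the file hits are what justify reinstalling from a clean source and reviewing the WordPress user table for admin accounts nobody created.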

Conclusion

The breach of the Gravity Forms plugin highlights the growing risks posed by supply-chain attacks and the devastating impact of remote code execution vulnerabilities. Admins must remain vigilant, especially when installing plugins manually, as even trusted sources can be compromised. Implementing strict security protocols and regular code reviews is essential to minimizing the risk of infection.

As experts in ransomware recovery and cybersecurity, we offer specialized services such as Ransomware Recovery Services and Ransomware Negotiation Services. Our team also provides ongoing training through our Cyber Defense Academy, as well as comprehensive Cybersecurity Risk Assessment and dedicated support via our Incident Response Retainer.