• A new advisory from the Cybersecurity and Infrastructure Security Agency reveals that Akira ransomware has become one of the most active threats targeting businesses worldwide.

    Since March 2023, this ransomware group has impacted more than 250 organizations across North America, Europe, and Australia, amassing approximately $244.17 million in ransom proceeds as of late September 2025.

    The threat actors behind Akira have connections to the defunct Conti ransomware group. Akira ransomware primarily targets small and medium-sized businesses across multiple sectors.

    The group shows a strong preference for manufacturing, educational institutions, information technology, healthcare, and financial services sectors.

    The threat actors gain initial access through virtual private network services that lack multi-factor authentication, exploiting known vulnerabilities in Cisco products.

    CISA security analysts identified that Akira threat actors have continuously evolved their attack methods throughout 2024 and 2025.

    The ransomware initially appeared as a Windows-specific C++ variant that encrypted files with the .akira extension.

    By April 2023, the group deployed a Linux variant targeting VMware ESXi virtual machines. In August 2023, they introduced the Megazord encryptor, a Rust-based tool that appends a .powerranges extension to encrypted files.

    In June 2025, Akira threat actors successfully encrypted Nutanix AHV virtual machine disk files by exploiting CVE-2024-40766, a SonicWall vulnerability.

    The ransomware employs a sophisticated hybrid encryption scheme that combines a ChaCha20 stream cipher with an RSA public-key cryptosystem for fast, secure key exchange.

    Double Extortion and Persistence Tactics

    Akira operates using a double-extortion model that combines data encryption with threats to leak sensitive information.

    After gaining initial access, the threat actors establish persistence by creating new domain accounts and using credential-scraping tools such as Mimikatz and LaZagne to harvest passwords.

    They leverage legitimate remote access tools such as AnyDesk and LogMeIn to maintain access while blending in with regular administrator activity.

    For data exfiltration, the group uses tools such as FileZilla, WinSCP, and RClone to transfer stolen data to cloud storage services before encrypting it.

    To inhibit system recovery, the Akira encryptor uses PowerShell commands to delete Volume Shadow Copy Service copies on Windows systems.

    The ransom note appears as fn.txt or akira_readme.txt and provides victims with instructions to contact the threat actors through a .onion URL accessible via the Tor network, with payments demanded in Bitcoin.

    The post Akira Ransomware Targets Over 250 Organizations, Extracts $42 Million in Ransom Payments – New CISA Report appeared first on Cyber Security News.

  • Lumma Stealer has emerged as a serious threat in the cybercrime world, targeting users through fake software updates and cracked applications.

    This information-stealing malware focuses on collecting login details, payment card information, and cryptocurrency wallet data from infected systems.

    The malware spreads primarily through phishing emails, malicious advertisements, and compromised websites that trick users into downloading what appears to be legitimate software.

    What makes Lumma Stealer particularly dangerous is its ability to steal data from multiple web browsers, including Chrome, Firefox, Edge, and Brave.

    The malware targets saved passwords, autofill information, browsing history, and cookies that contain session tokens.

    Once it gains access to a system, it quickly scans for cryptocurrency wallet extensions and email clients to maximize the value of stolen information.

    Trend Micro security researchers identified that the malware uses browser fingerprinting to collect detailed device information and establish covert communication channels with its command-and-control servers.

    The collected data is packaged and sent to remote servers controlled by attackers, who then sell this information on dark web markets or use it directly for financial fraud.

    Victims often remain unaware of the infection until they notice unauthorized transactions or account compromises.

    The malware operates silently in the background, making detection challenging for average users who lack advanced security tools.

    New Lumma Stealer browser fingerprinting behavior (Source - Trend Micro)

    Organizations and individuals face significant risks from Lumma Stealer infections, including identity theft, financial losses, and compromised business accounts.

    The malware continues to evolve with new variants appearing regularly, making it a persistent threat in the current security environment.

    Browser Fingerprinting Technique

    Lumma Stealer employs browser fingerprinting as both a data collection method and a communication security measure.

    The malware gathers specific browser attributes such as screen resolution, installed fonts, time zone settings, and language preferences to create a unique device profile.

    This fingerprint helps attackers track infected machines and ensures that communication with command-and-control servers appears as regular web traffic.

    The fingerprinting process also allows Lumma Stealer to identify the most valuable targets by analyzing installed browser extensions and stored credentials.

    The malware checks for security software and virtual machine indicators to avoid detection in analysis environments, increasing its survival rate on real user systems.

    The post Lumma Stealer Uses Browser Fingerprinting to Collect Data and for Stealthy C&C Server Communications appeared first on Cyber Security News.

  • Fortinet has issued an urgent advisory warning of a critical vulnerability in its FortiWeb web application firewall (WAF) product, which attackers are actively exploiting in the wild.

    Identified as CVE-2025-64446, the flaw stems from improper access control in the GUI component, allowing unauthenticated threat actors to execute administrative commands and potentially seize complete control of affected systems.

    The vulnerability, classified as a relative path traversal issue (CWE-23), enables attackers to craft malicious HTTP or HTTPS requests that bypass authentication.

    This could lead to the creation of unauthorized administrator accounts, granting full access to the device’s configuration and sensitive data. Fortinet’s Product Security Incident Response Team (PSIRT) confirmed active exploitation and urged immediate patching to mitigate risks.

    With a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the flaw earns a “Critical” severity rating per National Vulnerability Database (NVD) standards. It affects multiple FortiWeb versions across branches 8.0, 7.6, 7.4, 7.2, and 7.0. Specifically:

    • FortiWeb 8.0.0 through 8.0.1
    • FortiWeb 7.6.0 through 7.6.4
    • FortiWeb 7.4.0 through 7.4.9
    • FortiWeb 7.2.0 through 7.2.11
    • FortiWeb 7.0.0 through 7.0.11

    Users should upgrade to the latest patched versions: 8.0.2 or above, 7.6.5 or above, 7.4.10 or above, 7.2.12 or above, or 7.0.12 or above, respectively. Detailed CVRF and CSAF files are available on FortiGuard for automated integration.

    As a temporary workaround, Fortinet recommends disabling HTTP or HTTPS access on internet-facing interfaces, aligning with best practices that limit management access to internal networks only. This reduces exposure significantly but doesn’t eliminate the threat entirely.

    Post-upgrade, organizations must audit configurations and logs for signs of compromise, such as unexpected admin account additions or modifications. Fortinet emphasized reviewing access patterns to detect any lingering unauthorized activity.

    This incident highlights the persistent risks to network security appliances, which are prime targets for attackers seeking to pivot into broader environments.

    WAFs like FortiWeb protect web applications from threats, but their own vulnerabilities can, ironically, turn them into backdoors. Security experts advise prioritizing patches for critical infrastructure, especially given the flaw’s ease of exploitation: no privileges or user interaction are required.

    Fortinet’s advisory, published today, underscores the company’s commitment to rapid disclosure. For more details, visit the FortiGuard PSIRT page. As exploitation continues, unpatched systems remain highly vulnerable.

    The post Critical FortiWeb WAF Flaw Exploited in the Wild, Enabling Full Admin Takeover appeared first on Cyber Security News.

  • The Army is taking another swing at slashing its sometimes decades-long procurement cycle by gathering up the many offices that weigh in on requirements and stacking them under a new program office structure.

    The six Portfolio Acquisition Executives will compress the previous 12 Program Executive Offices, with the new Transformation and Training Command in the overseeing uniformed position, and the assistant secretary for acquisition, logistics and technology as the civilian boss.

    “So we had, arguably, an alphabet soup of requirements folks across both [Army Futures Command] and [Training and Doctrine Command],” Gen. David Hodne, who leads the newly merged Transformation and Training Command, told reporters Wednesday. “So generally, you had…I'll just say over 40 agencies that could either vote on or veto requirements.”

    Now, they’ll all report to the PAE, which will make one determination that goes up to the four-star level. The Army unveiled the move Wednesday to Breaking Defense, just a few days after Defense Secretary Pete Hegseth issued orders to revamp the PEO system amid a larger reform of the defense acquisition process. 

    Each PAE will own one of the six “capability areas”: Fires; Maneuver Ground; Maneuver Air; Command and Control and Counter Command and Control; Agile Sustainment and Ammo; and Layered Protection and Chemical, Biology, Radiological and Nuclear Defense. 

    “Under the current fragmented process, accountability is distributed across multiple organizations and functions, creating misalignment between critical stakeholders,” Brent Ingraham, the civilian oversight official for the PAEs, said in a release. “Aligning this reform with operational concepts better postures the Army to deliver capabilities our [soldiers need] without delay.” 

    Now the old PEO structures and Centers of Excellence will be nested under the PAE, rather than being their own co-equal organizations. On the Maneuver Ground team, Hodne said, you’ll have the Maneuver CoE commander as the director, with the former PEO Soldier director as his deputy, as an example. 

    ‘Conned the American people’

    The PEO revamp is a concrete change, but the service is hoping it’s part of a bigger overall shift. Hegseth’s acquisitions changes do away with a requirements process notorious for taking so long and being so rigid in its output that by the time a program was ready to be fielded, it was a mere irrelevant shell of its initial concept. 

    The Army is also hoping that a new approach to requirements will allow acquisitions teams to go with the best commercially available options for some systems in the short term, while continuously looking for better solutions. That philosophy is in stark contrast to the way the Army has done business for the last half-century or so, working with one or two vendors to compete to build a new, customized system from the ground up. 

    “It used to be 90 percent of things we bought were purpose-built for the military or the Army, and 10 percent were off the shelf,” Army Secretary Dan Driscoll said Wednesday. “This is what I would say is, that the defense industrial base broadly, and the primes in particular, conned the American people in the Pentagon and the Army into thinking that it needed military-specific solutions, when in reality, a lot of these commercial solutions are equal to or better. And we've actually harmed ourselves with that mentality.”

    Driscoll said he would like to see those ratios flip. 

    “Because when you actually start to think about what large-scale conflict looks like, you cannot scale one-off solutions as quickly and easily as you can scale commercially available things,” he said. “And we are, in every decision, thinking when we buy this thing, we go to conflict, how many of them can we get, and how long will it take to hit peak scale?”

    Pressed on his characterization of prime contractors as con artists, Driscoll conceded that the Army has often been the one driving the requirement for bespoke equipment.

    “I think their incentive structure has been to make things seem harder, to build more exquisite and more expensive,” he said. “I regularly, when I meet with them, highlight how bad of a customer we have been and the characteristics that they have today, we created and incentivized over a long period of time, and I appreciate that it's so difficult to build against our demand signal, and it requires such balance sheet to outlast all of our insane processes, that I can appreciate that from their perspective, by the time we actually start to buy a thing, they have to lock in some number of those to make back their expenses that we laid onto them.”

    Now, the Army will be doing more dynamic decision-making about how much a system fulfills a requirement, how quickly they can field it and how much it will cost, the Army chief of staff said Wednesday.

    “So if you have a requirement, and somebody says it needs to weigh a certain amount, and it has to go 100 miles an hour, and then somebody comes back to you and says, ‘Hey, it can go 90 miles an hour and weigh just a little bit differently, but you can get it for half the cost in half the amount of time’ — I mean, that's what we're after,” Gen. Randy George said.

  • Cybercriminals have launched a new phishing campaign that tricks users by impersonating legitimate spam-filter notifications from their own company.

    These fake emails claim that your organization recently upgraded its Secure Message system and that some pending messages failed to reach your inbox.

    The message urges you to click the “Move to Inbox” button to retrieve the supposedly held emails. What appears to be a helpful system notification is actually a dangerous trap designed to steal your email login details.

    The phishing email looks surprisingly convincing, displaying generic message titles and delivery reports that seem routine and harmless.

    It even includes an unsubscribe link to make it appear more legitimate. However, both the main button and the unsubscribe link redirect victims through a compromised cbssports[.]com redirect before landing on the actual phishing site hosted on mdbgo[.]io.

    Email Delivery Reports (Source - Malwarebytes)

    The attackers encode your email address as a base64 string in the URL, allowing the fake login page to display your domain automatically, making the scam look even more personalized and trustworthy.

    Following initial warnings from Unit42 researchers about this campaign, Malwarebytes security analysts identified that the attack has become more advanced and continues to change rapidly.

    The fake login page is not just a simple credential harvester but uses heavily obfuscated code to hide its true purpose.

    Websocket-Based Credential Harvesting

    The technical setup behind this phishing attack sets it apart from traditional methods. Instead of simply collecting your username and password after you click submit, this campaign uses websocket technology to steal your information instantly.

    A websocket creates a continuous connection between your browser and the attacker’s server, similar to keeping a phone line open without hanging up.

    This allows data to flow in both directions immediately, without refreshing the page.

    When you type your email and password into the fake login form, attackers receive your credentials in real time as you enter each character.

    This gives them the ability to access your email account, cloud storage, and other connected services within seconds.

    The websocket connection also lets attackers send you additional prompts asking for two-factor authentication codes, making it possible to bypass even accounts protected with extra security layers.
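
    One way a mail or proxy team could hunt for the base64-personalized links described above, as an added example that is not code from Malwarebytes, Unit42 or the campaign itself. The event shape, the hosts and the address are constructed placeholders, and because the article does not say which part of the URL carries the encoded address, the path, query and fragment are all checked, including URLs nested in redirect parameters.

```javascript
'use strict';

const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
const B64_RE = /^[A-Za-z0-9+\/_-]{8,}={0,2}$/;

// Return the e-mail address a token decodes to, or null. Node's "base64"
// decoder accepts both the standard and the URL-safe alphabet.
function decodeIfEmail(token) {
  if (!B64_RE.test(token)) return null;
  const text = Buffer.from(token, 'base64').toString('utf8');
  return EMAIL_RE.test(text) ? text.toLowerCase() : null;
}

// Collect e-mail addresses hidden in a URL's path, query or fragment.
// URLs nested inside redirect parameters are followed up to `depth` levels.
function embeddedEmails(urlString, depth = 3) {
  let url;
  try { url = new URL(urlString); } catch { return []; }
  const pieces = [
    ...url.pathname.split('/'),
    ...url.search.slice(1).split('&'),
    ...url.hash.slice(1).split('&'),
  ];
  const found = new Set();
  for (const piece of pieces) {
    if (!piece) continue;
    let decoded;
    try { decoded = decodeURIComponent(piece); } catch { decoded = piece; }
    // Test the whole piece and, for "key=value" pieces, the value alone.
    const values = [decoded];
    const eq = decoded.indexOf('=');
    if (eq > 0 && eq < decoded.length - 1) values.push(decoded.slice(eq + 1));
    for (const value of values) {
      const email = decodeIfEmail(value);
      if (email) found.add(email);
      if (depth > 0 && /^https?:\/\//i.test(value)) {
        for (const nested of embeddedEmails(value, depth - 1)) found.add(nested);
      }
    }
  }
  return [...found];
}

// Flag a clicked link that leaves the organisation's own domains and carries
// an encoded address; matchesRecipient marks the personalised case.
function triageClick(event, orgDomains) {
  let host;
  try { host = new URL(event.url).hostname.toLowerCase(); } catch { return null; }
  if (orgDomains.some((d) => host === d || host.endsWith(`.${d}`))) return null;
  const embedded = embeddedEmails(event.url);
  if (embedded.length === 0) return null;
  return {
    host,
    embedded,
    matchesRecipient: embedded.includes(event.recipient.toLowerCase()),
  };
}

// Constructed sample events (not real telemetry); every host is a placeholder.
const SAMPLE_B64 = Buffer.from('alice@example.com').toString('base64');
const SAMPLE_LANDING = `https://login.example.net/#${SAMPLE_B64}`;
const SAMPLE_EVENTS = [
  { recipient: 'alice@example.com', url: SAMPLE_LANDING },
  { recipient: 'alice@example.com',
    url: `https://redirect.example.org/out?u=${encodeURIComponent(SAMPLE_LANDING)}` },
  { recipient: 'bob@example.com', url: 'https://docs.example.net/download/report2025' },
  { recipient: 'alice@example.com', url: `https://mail.example.com/unsubscribe?id=${SAMPLE_B64}` },
];

function runSample() {
  return SAMPLE_EVENTS.map((e) => triageClick(e, ['example.com']));
}

console.log(JSON.stringify(runSample(), null, 2));
```

    A hit with `matchesRecipient` set is a triage lead rather than a verdict, since legitimate mailing tools also embed encoded recipient addresses in tracking and unsubscribe links.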

    The post Beware of Phishing Emails as Spam Filter Alerts Steal Your Email Logins in a Blink appeared first on Cyber Security News.

  • As lawmakers negotiated an end to the longest government shutdown in U.S. history, they added hundreds of millions of dollars for projects related to the B-21 bomber and Sentinel ICBM programs.

    The three-bill funding package signed into law on Wednesday night gives the Air Force $3.9 billion for military construction projects, some $204 million above the service’s 2026 budget request. And it includes more than $850 million for flexible spending beyond the continuing resolution for at least 11 projects related to the B-21 and Sentinel.

    The allocations for military construction show continued bipartisan support for the Air Force’s nuclear modernization efforts, which have seen massive cost overruns on the Sentinel effort and shutdown-stalled talks about accelerating B-21 production. Air Force and Northrop Grumman spokespeople did not respond to questions by press time.

    House Appropriations Chairman Rep. Tom Cole, R-Okla., and Rep. John Carter, R-Texas, said in a joint statement on Tuesday that the bill will “support the infrastructure of bases across the globe.”

    The B-21 projects include a simulator, alert facility, and outdoor shelters for the bomber at Ellsworth AFB, South Dakota; a weapons release storage system and a radio-frequency hangar at Whiteman AFB, Missouri; a mission-planning facility and site improvements at Dyess AFB, Texas; and a four-dock depot maintenance hangar to house Raiders and B-52s at Tinker Air Force Base, Oklahoma.

    Ellsworth will be the first B-21 main operating base and location of the Formal Training Unit, while Whiteman and Dyess Air Force Base have been identified as the preferred locations for the bomber’s subsequent main operating bases. The Air Force is planning to buy 100 B-21s by the mid-2030s.

    The B-21-related funding marked a historic investment for Dyess, said Rep. Jodey Arrington, a Texas Republican and the House budget chairman.

    “Last night, we successfully passed into law $90.8 million for B-21-related construction projects at Dyess Air Force Base—the largest investment in Dyess history, more than triple last year’s historic $30 million allocation,” Arrington said in a Thursday news release. “These funds will directly support the B-21's arrival and ensure Dyess remains the tip of the spear for America’s air arsenal.”

    Another $130 million will fund work on a Sentinel-related utility corridor at F.E. Warren Air Force Base, part of the effort to replace 7,500 miles of copper wire with newer fiber-optic cables for the missile system.

    The appropriations bill also directs the Air Force to look at hardened shelters to better protect aircraft and troops from harsh weather and enemy attack. 

    “The Committees recognize the importance of shelters that protect aircraft from foreign threats and extreme weather but are concerned about the suitability of open sided shelters for platforms operating out of installations that are at higher risk of aerial attacks and severe weather events,” a joint explanatory statement in the bill said. 

    Lawmakers asked the service to provide a briefing within 90 days about the costs and feasibility of building hardened structures to protect "strategically valuable” assets or ones that “contain fuel or munitions of which ignition could yield catastrophic” explosions. 

    The U.S. probe into the feasibility of building hardened aircraft shelters follows Operation Spider Web, the devastating coordinated drone attack on Russia’s strategic bombers this summer. Former defense officials have called the attack a wake-up call about the potential targeting of U.S. aircraft deployed abroad.

  • The North Korean threat actors behind the Contagious Interview campaign have once again tweaked their tactics by using JSON storage services to stage malicious payloads. “The threat actors have recently resorted to utilizing JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized code projects, with the lure,” NVISO researchers Bart Parys, Stef

  • An Army-led task force is building an online marketplace where commanders of military installations, officials of agencies such as the FBI and Homeland Security Department, and more can purchase tested and vetted components to build systems for countering small-unmanned aerial systems.

    Industry offers hundreds of sensors, weapons and other pieces of counter-UAS gear, but there’s no central ordering hub, Brig. Gen. Matt Ross, who commands Joint Interagency Task Force 401, told reporters Friday, so the marketplace will allow agencies to streamline purchasing and build systems that make the most sense for their missions. 

    “We're trying to make sure that across the department, we have an integrated system that allows [vendors] to introduce their capability, so that we can test and evaluate it and provide them feedback, and then get them focused on the most recent or current problems for the department,” Ross said. 

    A launch date for the marketplace is still to be determined, but the task force is planning a counter-UAS summit for later this month, bringing together subject-matter experts to discuss the policy, science and technology, operations, and intelligence collection of a national counter-UAS effort. 

    In addition to the marketplace, the two-month-old JIATF 401 will be testing new components and creating policy and guidelines for selecting and deploying systems domestically, including at military installations and along the southern border.

    The Defense Department has been primarily focused on defending troops abroad, where small drone attacks have sometimes been an everyday occurrence. But the systems that work well at remote bases in Iraq and Syria, where troops are prepared to quickly don protection and take cover during an attack, don’t translate stateside. 

    “Today, if we were to field a counter-UAS solution around some critical infrastructure in the U.S., we would likely not include an explosive warhead,” Ross said. 

    An electronic jammer would be more appropriate. Or, he added, if it’s appropriate to fire an actual round at the drone, it should be something that doesn’t explode, so the damage is limited. 

    The task force is also taking a look at different kinds of UAS threats. The U.S. has “robust capability” for shooting down Group 3 UAS, Ross said, larger drones with medium ranges that might drop missiles or gather intelligence.

    But the threat from smaller drones—Groups 1 and 2, under 20 pounds and between 21 and 55 pounds — is more consistent stateside, so the department wants to put more time into creating strategy to counter them, he said. 

    The task force doesn’t yet have a budget, but Ross said he expects it to draw funds from a mix of operations and maintenance; research, development, test and evaluation; and procurement pools. 

    “I only have one measure of effectiveness, and that's delivering state-of-the-art counter-UAS capability to the war fighter, both at home and abroad,” he said. “And so as we look at those different colors of money, especially in the near-term, I think procurement is going to be really important for us.”

    But JIATF 401 will also have a hand in testing and evaluating systems before they’re added to the marketplace, alongside the regular counter-UAS exercises that the services may be doing.

    “If a vendor comes and performs this month in November 2025, and a similar capability is evaluated in March of ’26 at a different exercise or demonstration, we should be able to do a relative comparison between those two evaluations,” Ross said. “Today, we can't do that because we do not always measure the same performance attributes, and so we are taking that on across the department to make sure that we've got a more synchronized model.”

  • On November 7th, security researchers discovered a dangerous malicious npm package called “@acitons/artifact” that had already been downloaded more than 206,000 times.

    The package was designed to look like the legitimate “@actions/artifact” package used by developers building tools with GitHub Actions.

    This was a classic typosquatting attack where the attackers swapped the letters to make the name appear correct at first glance.

    The malware’s goal was clear and focused. When this package was installed during a build process in GitHub-owned repositories, it would steal authentication tokens available in the build environment.

    With these tokens, attackers could then publish new malicious code directly from GitHub’s own account, creating a serious threat to the entire platform’s security.

    The attack worked through a hidden installation script embedded in the package. Specifically, six versions of the malicious package included a post-install hook that automatically downloaded and ran hidden malware code.

    Veracode security analysts identified that this malware was not detected by common antivirus software when first discovered, making it especially dangerous to organizations relying on those protection tools.

    This campaign highlights a critical weakness in the software supply chain, a category ranked as the third most important security concern in the OWASP Top 10 2025 list.

    The attack targeted GitHub’s continuous integration and continuous deployment platform, showing how criminals are increasingly focusing on the tools that developers trust every day.

    Veracode security researchers noted that the malware used clever techniques to hide its true behavior and avoid automatic detection.

    Malicious code

    The malicious code was obfuscated and compiled using special tools that convert shell scripts into binary files, making it harder to analyze.

    The package contained a specific mechanism to stop working after a certain date, with each version set to expire within days of release.

    This time-based trigger suggests the attackers were testing different versions of their code while staying hidden from security systems.

    The infection mechanism worked in stages. When installed, the malware executed as a bash script that reset its own environment variables to change how it ran.

    This triggered the loading of an obfuscated file called “verify.js” hidden inside a Node package. The verify.js file contained checks for specific GitHub environment variables that only exist when code runs inside GitHub Actions.

    The code specifically targeted only repositories owned by the GitHub organization itself, confirming this was a precision attack.

    The malware obtained an encryption key from an external server, encrypted the stolen tokens, and then sent this encrypted data to a command and control server.

    Developers using Veracode’s Package Firewall were protected from this threat immediately after the discovery, but the incident demonstrates how vulnerable package managers remain to these sophisticated supply chain attacks.

    The post Malicious npm Package with 206k Downloads Attacking GitHub-Owned Repositories to Exfiltrate Tokens appeared first on Cyber Security News.

  • The U.S. military’s war on drugs in Latin America has a (borrowed) name. “Today, I’m announcing Operation SOUTHERN SPEAR,” Defense Secretary Pete Hegseth posted Thursday. “Led by Joint Task Force Southern Spear and SOUTHCOM, this mission defends our Homeland, removes narco-terrorists from our Hemisphere, and secures our Homeland from the drugs that are killing our people. The Western Hemisphere is America’s neighborhood—and we will protect it.”

    Hegseth made the announcement on social media; he hasn’t held a press conference since late June.

    And the Pentagon’s 20th known boat strike killed four more people on Wednesday, raising the death toll in these U.S. attacks to at least 80 people, CBS News reported. 

    ICYMI: To date, “U.S. officials have not provided specific evidence that the vessels were smuggling drugs or posed a threat to the United States” on any of the 20 known strikes, CBS reminds readers. And U.N. human rights chief Volker Türk said this week there are “strong indications” of “extrajudicial killings” in the Pentagon’s boat attacks. 

    “From what we know, these instances violate international human rights law,” he told French media.

    Notable: It wasn’t immediately clear how Hegseth’s announcement relates to the pre-existing Operation Southern Spear, an effort to “operationalize” the use of aerial and seaborne drones that the Navy’s 4th Fleet began running in the region in January. 

    A widening window into the White House’s legal decision-making process is emerging after more reporting Thursday from Charlie Savage of the New York Times, who has been tracking the development of a secret memo from the Justice Department’s Office of Legal Counsel. 

    The memo declared “extrajudicial killings of people suspected of running drugs were lawful as a matter of Mr. Trump’s wartime powers,” which Savage reports “contradicts a broad range of critics, who have rejected the idea that there is any armed conflict and have accused Mr. Trump of illegally ordering the military to commit murders.”

    The conclusion of the memo also “offers potential legal defenses if a prosecutor were to charge administration officials or troops for involvement in the killings. Everyone in the chain of command who follows orders that comply with the laws of war has battlefield immunity, the memo says, because it is an armed conflict,” the Times reports. 

    Expert reax: “It would be difficult to establish that the cargo on these vessels was a military objective under the law of war because there is no obvious connection between a shipment of drugs and military action by these supposed groups,” said former State Department lawyer Brian Finucane. 

    Another seemingly confusing wrinkle: “Despite concluding that an armed conflict is underway, the memo also says the operation is not covered by the War Powers Resolution,” Savage writes. Continue reading (gift link), here

    New: Just 29% of Americans support the U.S. military killing drug suspects without the involvement of a court or judge, according to survey results from Reuters/Ipsos published Friday. 

    More than half openly opposed the killings (51%), including 27% of Republicans polled in a survey of 1,200 adults that concluded this week. 

    Less than half supported designating drug cartels as foreign terrorist organizations (47%), including 75% of Republicans compared to just 22% of Democrats surveyed. 

    And starting a war to depose Venezuela’s leader? Just 21% of Americans supported it versus 47% opposed—including 49% of voters who said they are not aligned with the GOP or Democrats. Read the rest, here.

    Additional reading: “Family of Fisherman Killed in U.S. Military Strike Says It Wants Justice,” the New York Times reported Thursday from Colombia.


    Welcome to this Friday edition of The D Brief, a newsletter dedicated to developments affecting the future of U.S. national security, brought to you by Ben Watson and Bradley Peniston. It’s more important than ever to stay informed, so thank you for reading. Share your tips and feedback here. And if you’re not already subscribed, you can do that here. On this day in 1969, NASA launched Apollo 12, its second moon-landing mission. 

    Industry

    Boeing Defense workers have approved a new contract, ending a strike that idled fighter-jet and weapons production in St. Louis for three months. “The roughly 3,200 members of the International Association of Machinists and Aerospace Workers (IAM) District 837 voted 68% in favor of approving the five-year contract. They will start returning to work as early as Sunday,” Reuters reported on Thursday. The New York Times also has a report, here.

    Anduril says it will build an autonomous vessel prototype in Korea. It’ll be the first fruit of a partnership with shipbuilding titan HD Hyundai Heavy Industries, and is intended to lead to subsequent vessels built at the former Foss Shipyard in Seattle, Wash., the company said. The goal is to have infrastructure in place to compete for the Navy’s Modular Attack Surface Craft, or MASC, program, a combination of the service’s previous large and medium unmanned surface vessel programs. Defense One’s Lauren C. Williams reports, here.

    Related: See “How American and Chinese Drone Arsenals Stack Up,” via the Wall Street Journal reporting Friday. 

    Blue Origin’s giant reusable rocket matches SpaceX’s landing on second flight. Ten months after missing its “stretch goal” of sticking the landing in its maiden flight, the heavy-lift New Glenn booster touched down safely on a landing ship Thursday after launching a probe toward Mars. “I think New Glenn is the most promising competitor for SpaceX right now because it is the only other medium/heavy-lift launcher with reusability. ULA’s Vulcan and Arianespace’s Ariane 6 missed the boat on reusability and have no real chance at being cost-competitive,” Todd Harrison, a senior fellow at the American Enterprise Institute, told Defense One in January. Space-dot-com has more, here.

    Fresh possible U.S. arms sales include the first batch of assistance to Taiwan since Trump took office in January. That pending sale includes “spare and repair parts, consumables and accessories, and repair and return support for F-16, C-130, and Indigenous Defense Fighter aircraft” for about $330 million, the Pentagon’s Defense Security Cooperation Agency announced Thursday.  

    And in a smaller package intended for Iraq, the U.S. is on the verge of selling Baghdad an array of communications equipment for a “country-wide repeater system” totalling about $100 million. DSCA has details. Congress could object to either of these packages, though that prospect seems unlikely. 

    It’s now been a week since SecDef Hegseth announced his arms procurement makeover from the National War College at Fort McNair in Washington. “Move faster and invest more—or we just might make you,” was how Defense One’s Lauren C. Williams characterized his effort.

    Second opinion: “There's nothing remotely transformative about this strategy. The admin is simply fulfilling arms industry demands for bigger, longer contracts, reduced weapons testing, and the ability to determine contract prices. Of course, they're justifying it all by fearmongering on China,” says Julia Gledhill of the Washington-based Stimson Center think tank, writing Thursday on social media. “The result will be unfettered weapons development and production—regardless of need, cost, or reliability. Hard to imagine how military contractors could tighten their grip on USA, Inc… but here we are,” she added. 

    Trump 2.0

    Developing: Trump’s State Department says four left-wing groups in Europe are anti-fascist “foreign terrorist organizations.” The groups span Germany, Italy and Greece, and State Secretary Marco Rubio said Thursday he plans to announce the terrorist designations sometime next week. 

    Rubio: “Groups affiliated with this movement ascribe to revolutionary anarchist or Marxist ideologies, including anti-Americanism, ‘anti-capitalism,’ and anti-Christianity, using these to incite and justify violent assaults domestically and overseas,” he said in a statement Thursday. 

    The groups include Germany-based “Antifa Ost,” two organizations from Greece—Armed Proletarian Justice and Revolutionary Class Self-Defense—and one out of Italy the State Department refers to as the “Informal Anarchist Federation/International Revolutionary Front.” 

    By the way: Antifa Ost—Antifa east, in German—is “not a formal organization but a label used by German police, intelligence services, and media to describe a cluster of more militant anti-fascist activists in eastern Germany,” extremism researcher Amarnath Amarasingam noted on social media Thursday. 

    The designations come at least partly in response to physical attacks against neo-Nazis in Germany, including this 2023 Dresden court case involving beatings of far-right extremists using clubs and hammers. The other three groups have carried out select attacks over the past two years that have included explosive devices, but those did not result in injuries, Reuters reports.
