The Tactics of Nation-State Actors are Shifting

From the Editor’s Desk

This week’s headlines make one thing clear: the tactics of nation-state actors are shifting from remote malware campaigns to deeper infiltration efforts — through hiring, social engineering and workforce shortages. As defenders, we must ask: are our threat models keeping pace with these human-centric attacks?

🔎 Deep Brief

Lazarus recruitment exposed live a new form of infiltration

Researchers from BCA LTD, ANY.RUN and NorthScan recorded live footage of the Lazarus Group conducting recruitment, hiring and initial network infiltration efforts under the guise of legitimate remote job offers. The group offered 35 percent of a salary in exchange for “access to laptops to work in.” Instead of real laptops, the researchers provided sandboxed virtual machines that looked like ordinary developer workstations. Over months, the attackers operated within these machines, executing the full multitage “Chollima” attack cycle: from initial access to reconnaissance and persistence.

This incident signals a shift. Rather than rely only on zero-day exploits or supply-chain attacks, Lazarus is now recruiting insiders, or insiders masquerading as job-seekers, to gain access within target firms. Employers and security teams should treat unexpected technical-role recruiter outreach with high suspicion and validate every candidate’s identity and background. 

🧠 Strategy in Action

Virtual Cyber Academy proposed to address national workforce shortage

In the United States, Internet Security Alliance (ISA) has called for a virtual cybersecurity academy, dubbed “Cyber U”, to tackle the profound shortage of trained cyber defenders across government and industry. 

According to ISA, the country faces as many as 500,000 to 750,000 unfilled cybersecurity positions, including 35,000 within the federal government.  The proposed academy would combine online coursework, virtual labs, and live-capstone projects, enabling students from across the country to acquire real-world skills without relocating. ISA suggests graduates could serve in government roles first, then transition to private sector positions, creating a steady flow of trained professionals. 

🕵️ Threat Actor Spotlight

🛠️ Tool Check

Monitoring SQL Server

Manual dashboards and basic log analysis are no longer sufficient for modern deployments, especially in hybrid cloud or virtual-database environments.

When databases scale, performance issues or anomalies can trigger not only downtime but also expose data or leave systems vulnerable to attack. Automated monitoring tools provide real-time visibility into server health, query behaviour, user activity, and anomalous patterns.

For organizations running multiple SQL servers, using one of these tools can reduce dependency on manual log reviews, help detect suspicious behaviour early, and support faster incident response - contributing to overall operational resilience.

Comparitech lists down the best SQL server monitoring tools, along with a detailed review, pros, and cons of each to help you make informed decisions.

🗣️ Community Signal

There are ways to mitigate and one of them is most of these repositories now allow you to pin versions so you don't automatically download the new version. And if you are not pinning your NPN libraries, please do us all a favor and start pinning them and checking carefully before you download the super duper extra groovy update. Leo Laporte, co-host Security Now!

📚 Don’t Miss This

• ​​Darkstrike Adds Four Senior U.S. Government Cyber and AI Leaders, Strengthening Its Position as a Category Leader in AI Safety and Cybersecurity

• Russia Signals Readiness to Renew Cybersecurity Co-Op with US

• James Uthmeier files subpoena against Wi-Fi router tech firm, alleges links to China

Until Friday’s edition - Let’s keep that zero-day count at zero!