Cyber Intelligence Weekly

Cyber Intelligence Weekly (December 21, 2025): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight that we’ve recently added to our leadership ranks by bringing aboard Josh Anderson, former CISO and CIO.

What a disruptor, if we do say so ourselves. 😏

Recognized right here in our HQ city. We’re proud to share that Josh Anderson was featured in the Pittsburgh Business Times’ People on the Move, recognizing his 25 years of CIO/CISO leadership and the role he now plays helping organizations navigate risk through Echelon’s vCISO practice.

Read more here: https://www.bizjournals.com/pittsburgh/potmsearch/detail/submission/6566743/Josh_Anderson

Away we go!

1.  Chinese-Linked APT Targets Cisco Email Security Appliances in Stealthy Campaign

Security researchers are tracking an active and highly targeted campaign against Cisco email security infrastructure, underscoring once again how perimeter and messaging systems remain prime real estate for sophisticated adversaries. The activity, which has been ongoing since at least late November, focuses on Cisco Secure Email Gateway and Secure Email and Web Manager appliances running AsyncOS. According to threat intelligence findings, only systems running non-standard configurations appear to be impacted, but the tradecraft involved points to a well-resourced and disciplined operator.

The attacker—tracked as UAT-9686—is assessed with moderate confidence to be aligned with a Chinese state-linked threat ecosystem. What makes this campaign notable isn’t just the access achieved, but the persistence strategy that follows. Once inside, the actor deploys a lightweight, custom Python backdoor dubbed “AquaShell,” which quietly embeds itself into a legitimate web server file on the appliance. The implant passively listens for specially crafted HTTP requests, allowing the attacker to execute system-level commands without authentication while blending into normal web traffic.

To maintain long-term access and operational flexibility, the campaign layers in additional tooling. Reverse tunneling utilities such as AquaTunnel and Chisel enable outbound connections that bypass traditional firewall controls, allowing attackers to pivot deeper into affected environments. Meanwhile, a log-manipulation utility called AquaPurge is used to selectively scrub evidence of malicious activity, making detection and forensic reconstruction significantly more difficult for defenders.
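The defender's counter to a selective log scrubber like the one described above is to have a copy the attacker cannot reach. The script below is an added example, not Cisco's or Talos's code and not a description of AquaPurge's internals: it assumes the appliance was forwarding its logs to a remote collector before the intrusion, diffs that copy against what is left on the box, and falls back to looking for silent windows when no remote copy exists. The log layout and every entry are constructed for illustration (IPs are from documentation ranges); real AsyncOS log formats differ.

```python
"""Detecting selectively scrubbed appliance logs.

Added example, not Cisco or Talos code. Assumes the appliance forwarded its logs
to a remote collector before the local copy was scrubbed. The entries below are
constructed; the "ISO-timestamp host message" layout is not AsyncOS's real one.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")

# Constructed: what the collector received before any tampering.
REMOTE_LOG = """\
2025-12-02T02:00:00 esa01 httpd: GET /login 200 src=198.51.100.20
2025-12-02T02:01:00 esa01 httpd: GET /monitor/status 200 src=198.51.100.20
2025-12-02T02:02:30 esa01 httpd: POST /report 200 src=203.0.113.7 ua=python-requests/2.31
2025-12-02T02:03:10 esa01 kernel: process spawned by httpd uid=0 cmd=/bin/sh
2025-12-02T02:04:00 esa01 net: outbound tcp to 203.0.113.7:443 from pid of httpd
2025-12-02T02:07:00 esa01 mail: delivered 14 messages
2025-12-02T02:09:00 esa01 httpd: GET /login 200 src=198.51.100.21
2025-12-02T02:12:00 esa01 mail: delivered 9 messages
"""

# Constructed: the on-box log after three entries were selectively removed.
LOCAL_LOG = """\
2025-12-02T02:00:00 esa01 httpd: GET /login 200 src=198.51.100.20
2025-12-02T02:01:00 esa01 httpd: GET /monitor/status 200 src=198.51.100.20
2025-12-02T02:07:00 esa01 mail: delivered 14 messages
2025-12-02T02:09:00 esa01 httpd: GET /login 200 src=198.51.100.21
2025-12-02T02:12:00 esa01 mail: delivered 9 messages
"""


def parse(text):
    """Parse log text into (timestamp, host, message) tuples; skips malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((datetime.fromisoformat(m["ts"]), m["host"], m["msg"]))
    return entries


def missing_locally(remote, local):
    """Entries the collector holds that no longer exist on the appliance.

    A selective scrub leaves exactly this shape: the surrounding benign lines
    survive and only the incriminating ones vanish.
    """
    local_set = set(local)
    return [e for e in remote if e not in local_set]


def timestamp_gaps(entries, max_gap=timedelta(minutes=5)):
    """Silent windows longer than max_gap between consecutive entries.

    Secondary signal for when no remote copy exists. Noisy on quiet systems,
    so tune max_gap against the appliance's normal logging cadence.
    """
    ordered = sorted(entries, key=lambda e: e[0])
    return [(a[0], b[0]) for a, b in zip(ordered, ordered[1:]) if b[0] - a[0] > max_gap]


def analyze(remote_text=REMOTE_LOG, local_text=LOCAL_LOG):
    """Run both checks and return a summary dict."""
    remote, local = parse(remote_text), parse(local_text)
    removed = missing_locally(remote, local)
    return {
        "removed_entries": [f"{ts.isoformat()} {host} {msg}" for ts, host, msg in removed],
        "local_gaps": timestamp_gaps(local),
        "remote_gaps": timestamp_gaps(remote),
    }


if __name__ == "__main__":
    result = analyze()
    for line in result["removed_entries"]:
        print("scrubbed:", line)
    for start, end in result["local_gaps"]:
        print(f"silent window on box: {start.isoformat()} -> {end.isoformat()}")
```

The diff only works if forwarding was configured before the intrusion, which is the practical point: off-box logging for security appliances is not optional. The gap heuristic is a weak substitute and will produce false positives on any system that simply goes quiet overnight.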

For organizations running Cisco email security platforms, the takeaway is straightforward but urgent. Email gateways sit at a uniquely sensitive intersection of trust, identity, and external connectivity, making them high-value targets for espionage-oriented actors. Cisco has issued detailed guidance and mitigations, and customers are strongly advised to review configurations, apply recommended updates, and investigate any indicators of compromise immediately. As this campaign shows, even hardened security infrastructure can become an attack vector when configuration drift and visibility gaps go unchecked.

Cloud Security Reality Check: Complexity Is the New Attack Surface

This past week also reinforced a hard truth about cloud security: most breaches don’t require zero-days—they require patience. Incident response teams continue to report that attackers are exploiting long-standing cloud misconfigurations, especially around identity, storage, and unmanaged services. As environments sprawl across accounts, regions, and platforms, visibility gaps—not vulnerabilities—are doing the most damage.

One recurring theme stands out: cloud services are evolving faster than most security programs. New managed services, AI platforms, and serverless components are often deployed without the same rigor as traditional infrastructure. Attackers are capitalizing on this imbalance, scanning for forgotten endpoints, overly permissive identities, and exposed management interfaces that quietly sit outside standard monitoring.

For organizations, this is a governance problem as much as a technical one. Strong cloud security today requires continuous posture management, ownership clarity across teams, and the discipline to treat every new service as production-critical from day one. The cloud isn’t inherently insecure—but unmanaged complexity is.
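The misconfigurations named above (anonymous access to storage, identities with service-wide rights) are visible in the policy documents themselves, which makes them cheap to check before an attacker's scanner does. The script below is an added example, not AWS tooling and not drawn from any of the incident reports: it lints AWS IAM and S3 bucket policy JSON for wildcard grants and shows the weak bucket policy beside a corrected one. The policies, bucket name and account ID are constructed placeholders.

```python
"""Lint AWS IAM / S3 bucket policy documents for wildcard grants.

Added example, not AWS tooling. The policies, bucket name and account ID are
constructed placeholders. This is a triage check for the patterns named in the
text, not a substitute for IAM Access Analyzer or a CSPM product.
"""
import json


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def wildcard_findings(policy):
    """Return human-readable findings for over-permissive Allow statements."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        label = f"statement {i} ({st.get('Sid', 'no Sid')})"
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if _is_anonymous(st.get("Principal")) and not st.get("Condition"):
            findings.append(f"{label}: anonymous principal with no Condition (public access)")
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{label}: service-wide action {actions} on every resource")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{label}: Allow with NotAction/NotResource grants everything not listed")
    return findings


# Constructed: the weak setting beside its corrected form.
PUBLIC_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"
  }]
}""")

HARDENED_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ExportReader", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-exports", "arn:aws:s3:::example-exports/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

# Constructed: an identity policy that is admin in all but name.
ADMIN_IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")


def audit_all():
    """Findings per constructed policy; an empty list means the check passed."""
    return {
        "public_bucket": wildcard_findings(PUBLIC_BUCKET_POLICY),
        "hardened_bucket": wildcard_findings(HARDENED_BUCKET_POLICY),
        "admin_identity": wildcard_findings(ADMIN_IDENTITY_POLICY),
    }


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or "ok")
```

Run it against exported policies from every account, not just the ones a team remembers owning; the "forgotten endpoint" problem in the text is precisely that the dangerous policy lives in the account nobody audits.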

2.  French Interior Ministry Confirms Breach After Days-Long Cyber Intrusion

France’s Interior Ministry has confirmed it was the target of a sustained cyber intrusion that unfolded over several days, resulting in unauthorized access to internal email accounts and sensitive police databases. The breach, disclosed publicly by Interior Minister Laurent Nuñez, underscores how even highly resourced government institutions remain vulnerable when attackers exploit everyday communication systems rather than hardened infrastructure.

According to officials, the attackers gained access to professional email inboxes and were able to harvest credentials that unlocked internal systems. From there, they consulted files tied to France’s criminal records and wanted persons databases—repositories that support law enforcement investigations nationwide. While authorities say only a limited number of records may have been exfiltrated so far, they also acknowledged that the full scope of the compromise is still being assessed as the forensic investigation continues.

Notably, the incident does not appear to involve ransomware or extortion, and officials have pushed back strongly on claims circulating online that data belonging to millions of people was accessed. Instead, the breach appears to reflect a more targeted intrusion, one that prioritizes intelligence access over disruption. The government has notified France’s data protection authority and launched both judicial and administrative inquiries, with the country’s anti-cybercrime office now leading the investigation.

Perhaps the most telling detail came from the minister himself, who attributed the initial foothold to basic lapses in security hygiene. The episode is a reminder that even sophisticated national security organizations can be undermined by small breakdowns in user behavior. For security leaders everywhere, the lesson is familiar but increasingly urgent: email remains a frontline attack surface, and a handful of compromised accounts can cascade into systemic exposure if identity controls, monitoring, and user discipline aren’t relentlessly enforced.

When AI Becomes the Operator, Not the Tool

Over the past week, security researchers and government agencies have confirmed something many of us expected but hoped would take longer: AI is no longer just assisting attackers—it’s beginning to operate autonomously inside live cyber campaigns. Multiple reports show state-aligned actors using large language models during active intrusions to generate commands on the fly, adapt malware behavior mid-execution, and evade traditional detection. This marks a meaningful shift from “AI-assisted hacking” to AI-directed operations.

What makes this moment particularly important is speed. Once proof-of-concept techniques surfaced, attackers operationalized them almost immediately. Instead of relying on pre-scripted commands, malware now queries AI models in real time, dynamically rewriting itself to bypass controls. From a defender’s standpoint, this collapses the window between disclosure, weaponization, and exploitation.

The takeaway for security leaders is not panic—but realism. Detection strategies built around static indicators and known behaviors are no longer enough. Organizations need stronger behavioral analytics, tighter control over outbound AI access, and clear policies governing where and how AI systems are allowed to interact with production environments. AI is now part of the attack surface, whether we planned for it or not.
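One concrete form of "tighter control over outbound AI access" is an egress allowlist enforced at the proxy, paired with a detective check over the proxy logs for servers that should never talk to a model API at all and for sources that query one at machine speed. The script below is an added example, not taken from any of the reports referenced above; the proxy log layout, host names, allowlist and list of LLM API endpoints are assumptions an organisation would replace with its own.

```python
"""Audit outbound traffic to LLM API endpoints against an egress allowlist.

Added example, not from any vendor or government report. Assumptions: proxy logs
in a "timestamp src_host dst_host method status" layout (constructed below), an
organisation-maintained list of LLM API hosts, and an allowlist naming the few
sources approved to reach them. All host names are illustrative.
"""
from collections import defaultdict
from datetime import datetime

# Destinations treated as model APIs. Maintain this from your own proxy data.
LLM_API_HOSTS = {
    "api.openai.com",
    "api.anthropic.com",
    "generativelanguage.googleapis.com",
    "llm-gateway.internal.example",  # hypothetical internal gateway
}

# Egress allowlist: which source hosts may reach which model APIs.
ALLOWLIST = {
    "dev-ws-17": {"llm-gateway.internal.example"},
    "sec-jumpbox-01": {"llm-gateway.internal.example", "api.anthropic.com"},
}

# Constructed proxy log. Production servers should never appear against an LLM host.
PROXY_LOG = """\
2025-12-18T10:02:11 dev-ws-17 llm-gateway.internal.example POST 200
2025-12-18T10:02:40 sec-jumpbox-01 api.anthropic.com POST 200
2025-12-18T10:03:05 prod-web-03 api.openai.com POST 200
2025-12-18T10:03:06 prod-web-03 api.openai.com POST 200
2025-12-18T10:03:07 prod-web-03 api.openai.com POST 200
2025-12-18T10:03:08 prod-web-03 api.openai.com POST 200
2025-12-18T10:04:00 dev-ws-17 api.openai.com POST 200
2025-12-18T10:05:00 prod-db-01 www.example.com GET 200
"""


def parse(text):
    """Parse the constructed layout; skips lines that do not have five fields."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            ts, src, dst, method, status = parts
            rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                         "method": method, "status": int(status)})
    return rows


def violations(rows, allowlist=ALLOWLIST, llm_hosts=LLM_API_HOSTS):
    """Every request to a model API from a source not approved for that host."""
    return [r for r in rows
            if r["dst"] in llm_hosts and r["dst"] not in allowlist.get(r["src"], set())]


def burst_sources(rows, llm_hosts=LLM_API_HOSTS, window_seconds=10, threshold=3):
    """Sources that query model APIs at machine speed: more than `threshold`
    requests inside any `window_seconds` window. A person at a keyboard rarely
    looks like this; code asking a model for its next command does."""
    times = defaultdict(list)
    for r in rows:
        if r["dst"] in llm_hosts:
            times[r["src"]].append(r["ts"])
    flagged = set()
    for src, ts in times.items():
        ts.sort()
        for i in range(len(ts)):
            j = i
            while j + 1 < len(ts) and (ts[j + 1] - ts[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 > threshold:
                flagged.add(src)
                break
    return flagged


def report(text=PROXY_LOG):
    """Allowlist violations plus the sources showing machine-speed usage."""
    rows = parse(text)
    bad = violations(rows)
    return {
        "violations": bad,
        "offending_sources": sorted({r["src"] for r in bad}),
        "burst_sources": sorted(burst_sources(rows)),
    }


if __name__ == "__main__":
    r = report()
    for v in r["violations"]:
        print(f"{v['ts'].isoformat()} {v['src']} -> {v['dst']} not on allowlist")
    print("bursting:", r["burst_sources"])
```

The allowlist is the preventive control and belongs in the proxy or egress firewall; this check is its detective counterpart. Both depend on the traffic actually passing through the proxy, so direct-to-internet TLS from server subnets has to be blocked, or the log will simply show nothing.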

3.  UK Health Tech Supplier Breached as Third-Party Risk Remains in Focus

A British health technology provider whose software underpins everyday clinical workflows across England has disclosed a cybersecurity incident involving unauthorized access to its internal office servers. DXS International, which supplies decision-support and referral management tools used by GP practices nationwide, said it detected the intrusion in mid-December and moved quickly to contain it. The company emphasized that its clinical services remained operational throughout the incident, a critical distinction given the sensitivity of healthcare delivery systems.

While there is currently no confirmation that patient data was compromised, the incident highlights how deeply embedded technology suppliers can become high-impact targets, even when they are not custodians of core medical records. DXS’s platforms integrate directly with National Health Service systems and are involved in roughly one in ten referrals across England, touching workflows tied to millions of registered patients. As a precautionary step, the company has notified the UK’s data protection authority, the Information Commissioner’s Office, while forensic investigations continue.

The breach lands against the backdrop of a difficult few years for healthcare cybersecurity in the UK, where third-party suppliers have increasingly been the point of failure. A ransomware attack on pathology provider Synnovis last year was linked to widespread disruption of blood testing and transfusion services at London hospitals and, tragically, at least one patient death. Earlier still, a ransomware attack on software vendor Advanced severely disrupted the NHS 111 service, pushing clinicians back to pen and paper and prompting emergency government coordination. In both cases, patient care was directly affected even though the attackers never breached hospital systems themselves.

What makes the DXS incident particularly notable is the regulatory gap it exposes. Many third-party health IT providers are not automatically subject to the same cybersecurity obligations as core healthcare operators. That may soon change. The UK government’s proposed Cyber Security and Resilience Bill aims to bring managed service providers supporting critical sectors, including healthcare, under tighter oversight with the threat of significant fines. For healthcare leaders and their suppliers alike, the message is becoming unmistakable: resilience now extends far beyond the walls of the hospital or clinic, and vendor security is inseparable from patient safety.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through its vCISO practice, as well as more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?