“Weekend Briefing” is a weekly newsletter sent to subscribers of The Readable every Friday. Our journalists select important news items from the previous week on topics ranging from privacy to policy development in cybersecurity, all to help you stay abreast of the latest breaking issues.
South Korea’s intelligence agency has issued new cybersecurity guidelines for hospitals following a surge in cyber threats attributed to North Korea. Meanwhile, multiple U.S. government agencies have released a warning about a cyber threat known as “Fast Flux.” Separately, a cybersecurity professor from Indiana University is under federal investigation for allegedly failing to disclose research funding from China. This briefing also includes two updates from Google Cloud: one concerning North Korean operatives and another addressing the latest critical software vulnerabilities.
Next week, I’ll be covering Google Cloud Next in Las Vegas. As a result, our weekend briefing will be replaced with an on-site report from the event.
This is Dain Oh reporting from South Korea, and here is your weekend briefing.
1. North Korean cyberattacks on hospitals trigger national security response – The Readable
In response to escalating cyber threats targeting healthcare systems—particularly from North Korean hacking groups—South Korea’s National Intelligence Service (NIS) has issued new cybersecurity guidelines for hospital information systems. The measures are designed to protect patient data and ensure the continuity of hospital operations, which are critical to public safety. In recent years, North Korean and other cyber actors have ramped up attacks on medical institutions, stealing sensitive information and disrupting services through ransomware and other malicious methods.
The threat is intensifying as North Korea recently declared 2025 the “Year of the Health Revolution,” directing its hacking units to target South Korean bio and healthcare networks. Their tactics include widespread phishing campaigns aimed at hospital staff and efforts to steal medical technologies and patient data. Similar attacks have occurred abroad, notably in the U.S. and Australia, resulting in leaked patient information and disrupted hospital operations. These incidents underscore the critical urgency of addressing this growing cybersecurity threat.
To address these risks, the NIS, in partnership with the Ministry of Education, the Ministry of Health and Welfare, and hospital stakeholders, has created a comprehensive “Hospital Information System Security Guideline.” This guideline establishes standardized security models across six key areas of hospital IT systems and provides practical solutions tailored for both public and private medical institutions. To support effective implementation, the NIS is hosting field briefings and seminars for cybersecurity professionals in the healthcare sector.
2. North Korean IT operatives expand footprint into Europe, raising global cybersecurity concerns – The Readable
On Wednesday, Google’s Threat Intelligence Group (GTIG) reported a concerning rise in cyber threats tied to North Korean IT workers. Once primarily active in the U.S., these workers are now expanding significantly into the European market.
As the U.S. strengthens its awareness and defensive measures—marked by a rise in arrests and investigations involving individuals linked to North Korea—these operatives are increasingly shifting their focus to more vulnerable regions, especially in Europe, according to GTIG analysis.
In a notable case from late 2024, a North Korean IT worker was found using at least a dozen fake identities across Europe and the U.S. The individual actively sought positions in sectors vital to national security, such as defense industrial bases and government agencies in Europe. Their efforts were part of a highly coordinated scheme that included forged references, strategic rapport-building with recruiters, and the repeated use of false personas to mislead employers.
3. NSA warns of fast flux technique as growing cybersecurity threat – NSA
The U.S. National Security Agency (NSA), in collaboration with its partners, has issued a warning about a cyber threat known as “Fast Flux.” This technique is employed by cybercriminals and nation-state hackers to repeatedly change the IP addresses associated with a single domain name. By doing so, they can conceal malicious activities—such as phishing campaigns or cyberattacks—while making detection and blocking efforts significantly more challenging.
Fast Flux enables attackers to make their activities appear as if they are originating from numerous locations within a short timeframe. This rapid IP address switching complicates detection and response efforts by security systems, providing hackers with extended opportunities to steal sensitive data or disrupt services. The technique is frequently employed in large-scale, coordinated cyberattacks.
To counter the Fast Flux threat, the NSA advises implementing multiple detection strategies and utilizing services such as Protective DNS (PDNS), which can block malicious internet traffic. The agency particularly urges defense-related organizations to adopt these protections as part of their cybersecurity efforts. Additionally, the NSA offers free cybersecurity services, including PDNS, to eligible defense contractors.
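The rapid address switching described above can be looked for in resolver logs. The following is an added example, not code from the NSA advisory or from this briefing: it flags names whose answers cycle through many addresses and networks within a short window while carrying short TTLs. The log tuple format, the thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import median

# Constructed sample of resolver log entries: (unix_time, queried_name, answer_ip, ttl_seconds).
# Names use reserved example domains; addresses come from reserved/documentation ranges.
SAMPLE_LOG = [
    (1000, "portal.example.org", "192.0.2.10", 3600),
    (1900, "portal.example.org", "192.0.2.10", 3600),
    (2800, "portal.example.org", "192.0.2.11", 3600),
] + [
    (1000 + 120 * i, "login.flux.example", ip, 60)
    for i, ip in enumerate([
        "198.51.100.7", "203.0.113.40", "100.64.9.3", "198.18.4.21",
        "203.0.113.77", "100.70.1.8", "198.19.200.5", "192.0.2.200",
    ])
]

def flag_fast_flux(log, window_s=1800, min_ips=5, min_nets=3, max_median_ttl=300):
    """Return {domain: stats} for names whose answers churn like fast flux."""
    by_domain = defaultdict(list)
    for ts, name, ip, ttl in log:
        by_domain[name.lower().rstrip(".")].append((ts, ip, ttl))
    flagged = {}
    for name, rows in by_domain.items():
        rows.sort()
        best, start = None, 0
        # Sliding window: keep the window that saw the most distinct answer IPs.
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window_s:
                start += 1
            win = rows[start:end + 1]
            ips = {ip for _, ip, _ in win}
            if best is None or len(ips) > len(best[0]):
                best = (ips, win)
        ips, win = best
        # Distinct IPv4 /16 networks as a rough proxy for "numerous locations".
        nets = {ip_network(f"{ip}/16", strict=False) for ip in ips}
        ttl = median(t for _, _, t in win)
        if len(ips) >= min_ips and len(nets) >= min_nets and ttl <= max_median_ttl:
            flagged[name] = {"ips": len(ips), "nets": len(nets), "median_ttl": ttl}
    return flagged

if __name__ == "__main__":
    print(flag_fast_flux(SAMPLE_LOG))
```

Content delivery networks and load balancers also rotate addresses with short TTLs, so results from a heuristic like this need an allowlist of known providers before they feed any blocking decision.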
4. Google uncovers Chinese cyber espionage exploiting critical Ivanti VPN flaw – Google Cloud
A critical vulnerability in Ivanti Connect Secure VPN appliances, tracked as CVE-2025-22457, has been actively exploited by the China-affiliated threat actor UNC5221. This buffer overflow vulnerability allows remote code execution and was targeted as early as mid-March 2025, weeks before Ivanti officially disclosed the issue in April. Google’s Threat Intelligence team reports that this activity aligns with UNC5221’s ongoing strategy of exploiting zero-day vulnerabilities in edge devices since 2023.
After exploiting the vulnerability, the attackers deployed two previously unknown malware families: TRAILBLAZE, an in-memory dropper, and BRUSHFIRE, a stealthy passive backdoor. They also utilized the SPAWN malware suite and attempted to manipulate Ivanti’s Integrity Checker Tool to avoid detection and maintain persistence. These tactics emphasize UNC5221’s focus on stealth and establishing long-term access to compromised systems.
Ivanti released patches for the vulnerability in version 22.7R2.6 on February 11, 2025. Organizations using affected appliances are strongly advised to upgrade immediately and follow Ivanti’s security advisories. This incident highlights the critical need for proactive threat intelligence and swift patch management to counter advanced state-sponsored cyber threats.
5. FBI investigates Indiana University professor over undisclosed China-linked research funding – Wired
XiaoFeng Wang, a well-known cybersecurity professor at Indiana University, is under federal investigation for allegedly receiving undisclosed research funding from China. On March 28, 2025, the FBI and Department of Homeland Security searched his residences in Bloomington and Carmel, Indiana. On the same day, Indiana University terminated Wang’s employment without providing a public explanation, sparking concerns among faculty members regarding due process.
Wang’s attorney, Jason Covert, confirmed that neither Wang nor his wife, Nianli Ma, have been arrested or charged, and both are safe. The investigation is reportedly focused on allegations that Wang failed to disclose a 2017–2018 grant from China in his applications for U.S. federal research funding, which could potentially amount to research misconduct.
The case has drawn comparisons to the U.S. Department of Justice’s former China Initiative, which was heavily criticized for alleged racial profiling of Chinese-born researchers. This situation highlights ongoing tensions and sensitivities surrounding international research collaborations and the disclosure of foreign funding in academia.
6. DOGE official at DOJ bragged about hacking, distributing pirated software – Reuters
Christopher Stanley, a senior advisor at the U.S. Department of Justice, is facing scrutiny following revelations that he previously operated websites distributing pirated software, ebooks, and video game cheats. He also allegedly boasted about hacking rival platforms during his youth. These past actions, which may have violated federal laws, have sparked concerns regarding his suitability for a high-level position with access to sensitive national security information.
Prior to his role at the DOJ, Christopher Stanley worked as an engineer at Elon Musk’s companies, X (formerly Twitter) and SpaceX. Despite his controversial background, the DOJ has confirmed that Stanley holds a valid security clearance, and Attorney General Pam Bondi has publicly expressed full confidence in him. However, cybersecurity and national security experts have raised concerns that appointing someone with a history of hacking and piracy could pose risks and undermine trust in government vetting standards.
Editor’s note: Each item in this briefing was initially summarized or translated by ChatGPT-4o based on the author’s specific instructions, which included news judgment, fact-checking, and thorough editing before publication.