L3Harris Exec Sentenced to 7 Years for Selling Eight Zero-Days to Russian Broker Operation Zero
Peter Williams, 39, the former general manager of Trenchant — a specialized L3Harris division that develops zero-day exploits exclusively for the U.S. government and Five Eyes allies — was sentenced Tuesday to 87 months in federal prison for stealing and selling eight exploit components to Russian broker Operation Zero between 2022 and 2025. Williams used his privileged access to copy the tools onto a portable hard drive from Trenchant’s offices in Sydney and Washington D.C., then negotiated sales under the alias “John Taylor” via encrypted channels, receiving $1.3 million in cryptocurrency — proceeds he used to buy real estate, luxury watches, and jewelry — while the tools themselves gave Operation Zero the ability to target millions of civilian and military devices worldwide and were estimated to have caused $35 million in losses to his employer. On the same day as the sentencing, the U.S. Treasury Department sanctioned Operation Zero, its founder Sergey Zelenyuk, and five affiliated individuals and entities; a restitution hearing is set for May 12, 2026, and Williams will serve his sentence in the U.S. before being deported to Australia.
The Scattered LAPSUS$ Hunters (SLH) cybercrime collective — an alliance of Lapsus$, Scattered Spider, and ShinyHunters members — was observed on February 22nd advertising on a public Telegram channel for female recruits to conduct vishing attacks against corporate IT help desks, offering between $500 and $1,000 upfront per call along with pre-written impersonation scripts. Threat intelligence firm Dataminr, which detected the recruitment posts, assessed that SLH is deliberately diversifying its social engineering talent pool to increase the success rate of help desk impersonation calls, exploiting the reality that voice-based attacks by female callers may circumvent profiling and bypass security awareness training that tends to model attackers as young men. Organizations should brief help desk staff about this specific recruitment trend, enforce out-of-band identity verification such as video calls for all password resets or MFA changes requested by phone, and prioritize deployment of phishing-resistant FIDO2 authentication to remove the human element from the equation entirely.
Check Point Research published findings on three vulnerabilities in Anthropic’s Claude Code CLI — two assigned CVEs (CVE-2025-59536 and CVE-2026-21852) — that could allow an attacker to achieve full remote code execution and steal developer API credentials simply by convincing a target to clone and open a malicious repository, with no further user interaction needed. The attack abuses legitimate Claude Code features: the Hooks system executes arbitrary shell commands defined in a repository’s .claude/settings.json before the trust dialog appears; MCP server configuration files could be used to bypass consent controls; and the ANTHROPIC_BASE_URL environment variable could be overridden in project config to route all API traffic — including authentication headers containing plaintext API keys — to an attacker-controlled server before the user sees any warning. Anthropic has fully patched all three issues in Claude Code version 2.0.65 and above and has added enhanced trust dialogs and hardened consent requirements; developers using earlier versions should update immediately, and security teams should add AI coding tool configuration files to their threat model alongside traditional software dependencies.
Researchers at Have I Been Squatted, working with threat intelligence firm Ctrl-Alt-Intel, have exposed and helped disrupt Diesel Vortex, a Russia-linked cybercrime group that spent at least five months building and operating a phishing-as-a-service platform specifically targeting the freight and logistics sector across the U.S. and Europe, ultimately stealing 1,649 unique credentials from users of platforms like DAT Truckstop, Penske Logistics, Electronic Funds Source, Teleroute, and Timocom. The operation was discovered after the group accidentally left an exposed .git directory on a phishing server, which allowed researchers to reconstruct the full source code, victim database, and internal Telegram operator logs — revealing a highly structured criminal enterprise complete with a call center, dedicated staff roles, phishing kits using Cyrillic homoglyphs to evade filters, and real-time Telegram-based consoles that let operators intercept credentials and MFA codes live as victims typed them. Beyond credential theft, the group used stolen access to redirect freight shipments, commit cargo fraud, and execute check fraud against EFS fuel card accounts; the infrastructure has since been taken down following a coordinated action involving GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike, and Microsoft Threat Intelligence Center.
Google’s Threat Intelligence Group and Mandiant published a report Wednesday disclosing that they have disrupted the infrastructure of a China-nexus cyber espionage group tracked as UNC2814, which breached at least 53 organizations spanning governments and telecommunications providers across 42 countries — with suspected ties to infections in over 20 additional nations. The group’s signature tool, a novel backdoor dubbed GRIDTIDE, abuses the Google Sheets API as its command-and-control channel, using a cell-based polling mechanism to receive commands and transmit data in a way that makes malicious traffic indistinguishable from ordinary SaaS activity — a deliberate evasion technique against network-based detection. GRIDTIDE was preferentially deployed on endpoints containing personally identifiable information, consistent with a surveillance-focused espionage mandate; as part of the disruption action, Google terminated all attacker-controlled Google Cloud Projects, disabled known UNC2814 infrastructure, and cut off API access — though the group’s long dwell times across dozens of victim organizations underscore how effectively SaaS-based C2 can evade defenders for extended periods.
