
Cleartext – June 11, 2026

Thursday, June 11, 2026 · 10:18



show notes


Daily cybersecurity briefing for CISOs and security leaders.


Episode Summary

Today's episode covers 9 stories across 5 topic areas, including: North Koreans behind nearly half of US tech industry hacks, says CrowdStrike; China-linked JDY botnet expands targeting of U.S. military networks; Extortion-Only Attacks Increase, With Data Theft Dominating Ransomware Claims.

Stories Covered

🌍 Geopolitical

North Koreans behind nearly half of US tech industry hacks, says CrowdStrike

TechCrunch Security · Jun 10 · Relevance: █████████░ 9/10

Why it matters to CISOs: CrowdStrike's finding that North Korean actors account for nearly half of all U.S. tech sector intrusions in the past 12 months — primarily via fake IT workers and recruiters — demands that CISOs in tech and adjacent industries re-evaluate insider threat programs, contractor vetting, and identity controls. This is no longer a peripheral risk for high-tech firms.

  • North Korean threat actors accounted for approximately 50% of all cyberattacks against the U.S. tech industry over the past 12 months, per CrowdStrike data
  • Primary tactics include posing as remote IT workers and fake recruiters targeting U.S., European, and Asian companies
  • North Korea's GDP has grown in part due to revenue generated by state-sponsored cybercrime operations targeting financial firms


China-linked JDY botnet expands targeting of U.S. military networks

BleepingComputer · Jun 10 · Relevance: ████████░░ 8/10

Why it matters to CISOs: The JDY botnet — linked to Volt Typhoon-adjacent Chinese state actors — has expanded beyond its prior scope to actively target U.S. military networks, signaling escalating pre-positioning by China against critical defense and defense-adjacent infrastructure. Enterprises with DoD contracts or defense sector supply chain exposure face elevated reconnaissance risk.

  • The JDY botnet now comprises over 1,500 compromised SOHO and IoT devices and has expanded its targeting to include U.S. military networks
  • Lumen researchers assess JDY operates as a centrally controlled, high-performance scanner used to fingerprint and continuously map exposed services at scale
  • JDY is associated with China-nexus state-sponsored threat actors previously linked to the Volt Typhoon campaign targeting U.S. critical infrastructure


📡 Macro Trends

Extortion-Only Attacks Increase, With Data Theft Dominating Ransomware Claims

Infosecurity Magazine · Jun 11 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: The shift toward extortion-only attacks — where adversaries steal data without deploying ransomware — fundamentally undermines backup-centric resilience strategies, requiring CISOs to re-examine data classification, DLP controls, and cyber insurance coverage. The finding that most organizations cannot prevent stolen data from being exposed after an incident should directly inform incident response planning and board risk briefings.

  • Extortion-only attacks, skipping encryption in favor of pure data theft and threatened exposure, are increasing as a share of total incidents
  • Data theft now dominates ransomware insurance claims, according to the research
  • Most organizations are unable to prevent the public exposure of stolen data once exfiltration has occurred, limiting the utility of ransom payment negotiations


🔓 Data Breach

Who Runs the Ransomware Group ‘The Gentlemen?’

Krebs on Security · Jun 10 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: The Gentlemen has rapidly become the second most active ransomware group by victim count, using a 90% affiliate revenue split to recruit sophisticated operators — CISOs should brief incident response retainers and threat intelligence teams on this emerging group's TTPs and accelerating activity. Krebs's attribution reporting provides actionable intelligence on operator identity.

  • The Gentlemen is now the second most active ransomware gang by victim count following an aggressive growth period
  • The group offers affiliates a 90% ransom revenue split, significantly above industry norms, fueling rapid talent acquisition
  • Krebs on Security has identified clues pointing to a real-world identity for the group's administrator


ServiceNow tells customers a bug left some of their data exposed to the internet

TechCrunch Security · Jun 10 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: ServiceNow is a ubiquitous enterprise platform handling sensitive HR, IT, and operational workflow data — a bug exposing customer data to the internet requires immediate verification of whether your organization's instance was among those affected, and a review of your SaaS vendor security assessment processes. This also reinforces the risk surface of deeply integrated enterprise SaaS.

  • ServiceNow notified customers that a security bug resulted in data from several customer instances being exposed to the public internet
  • The platform is used by thousands of enterprises globally to automate internal IT, HR, and business processes
  • Bug bounty research activity preceded ServiceNow's disclosure, suggesting the exposure may have begun before the formal alert was issued


⚖️ Governance & Policy

Coupang hit with record $409 million data breach fine in Korea

BleepingComputer · Jun 11 · Relevance: █████████░ 9/10

Why it matters to CISOs: South Korea's record-breaking $409M fine for a breach affecting 37 million customers signals a global tightening of enforcement that directly informs how CISOs should frame breach risk in board-level conversations and budget requests. This benchmark will influence regulators across Asia-Pacific and beyond.

  • South Korea's PIPC issued a record 624.6 billion won (~$409M) fine against e-commerce giant Coupang
  • The breach affected more than 37 million customers, making it one of the largest data protection enforcement actions in Asian regulatory history
  • The fine dwarfs prior South Korean enforcement actions and sets a new regional precedent for data breach liability


CISA Tells US Agencies to Fix Security Bugs in as Little as 3 Days Thanks to AI Threats

Wired Security · Jun 10 · Relevance: ████████░░ 8/10

Why it matters to CISOs: CISA's new Binding Operational Directive (BOD 26-04) compressing patch timelines to as little as 3 days for critical exploited vulnerabilities is a direct signal to enterprise security leaders that AI-accelerated exploitation is now reshaping compliance frameworks — enterprises should benchmark their own patch SLAs against this new federal standard. Board and audit committees will increasingly reference this as a reasonable standard of care.

  • CISA issued BOD 26-04 requiring Federal Civilian Executive Branch agencies to remediate the highest-risk exploited vulnerabilities within 3 days
  • The directive introduces a risk-tiered patching model that weights vulnerability severity, exploitability, and asset exposure
  • CISA officials explicitly cited AI-accelerated weaponization as the driver for compressing remediation timelines


🚨 Critical Vulnerability

Oracle PeopleSoft servers under attack, Oracle pushes out-of-band security alert

Help Net Security · Jun 11 · Relevance: ██████████ 10/10

Why it matters to CISOs: A zero-day RCE vulnerability in Oracle PeopleSoft requiring no authentication is being actively exploited at scale across 100+ organizations — any enterprise running PeopleSoft HCM or ERP must treat this as an emergency patch priority. The ShinyHunters gang is actively harvesting data, compounding breach and regulatory exposure.

  • CVE-2026-35273 is a zero-day in Oracle PeopleSoft PeopleTools versions 8.61 and 8.62, exploitable remotely without authentication
  • Mandiant CTO Charles Carmakal confirmed active exploitation in the wild following Oracle's out-of-band security alert
  • ShinyHunters claims data theft from more than 100 organizations via this attack vector


Max severity Ivanti Sentry vulnerability now exploited in attacks

BleepingComputer · Jun 11 · Relevance: █████████░ 9/10

Why it matters to CISOs: A maximum-severity flaw in Ivanti Sentry — a widely deployed enterprise mobile gateway — is now being actively exploited to achieve root-level RCE on internet-exposed appliances, requiring immediate remediation for any organization using this product. Given Ivanti's history of rapid exploitation chains, this demands urgent attention from security teams.

  • The vulnerability allows remote code execution with root privileges on internet-exposed Ivanti Sentry secure mobile gateways
  • Ivanti has released a patch, but active exploitation means the window for unpatched organizations is closing rapidly
  • Ivanti infrastructure has been a repeated high-priority target for nation-state and financially motivated actors in prior years


Full Transcript


Jordan: Half of all cyberattacks hitting the U.S. tech sector in the past year came from one country. Not China. Not Russia. North Korea. CrowdStrike just put a number on something a lot of us have felt for a while, and it's a number that should change how every tech CISO thinks about insider threat. That's where we start today.

Alex: Good morning. It's Thursday, June 11th, and this is Cleartext. I'm Alex Chen, alongside Jordan Reeves. We've got a packed show. We're going to dig into that CrowdStrike data on North Korean operations, then pivot to China's expanding botnet targeting U.S. military networks. We'll cover a record-breaking four-hundred-nine-million-dollar breach fine in South Korea that should be on every board's radar. CISA just compressed federal patch timelines to three days, and we need to talk about what that means for the private sector standard of care. We have two critical actively-exploited vulnerabilities — Oracle PeopleSoft and Ivanti Sentry — that demand immediate action. Plus the evolution of extortion-only attacks, a fast-rising ransomware group, and a ServiceNow exposure you need to check. Let's get into it.

Jordan: So the CrowdStrike data. Nearly fifty percent of all intrusions against U.S. tech companies in the last twelve months attributed to North Korean actors. And the primary vector isn't some exotic zero-day chain. It's people. Fake IT workers getting hired as remote contractors. Fake recruiters approaching your engineers on LinkedIn. This is social engineering at an industrial scale, and it's funding a nation-state.

Alex: What makes this so challenging from a CISO perspective is that it straddles a seam in most organizations. Insider threat programs typically focus on existing employees behaving badly. HR and procurement handle contractor vetting. Recruiting handles inbound talent. North Korea has built an operation that exploits the gaps between those functions. And if you're a tech company that scaled your remote workforce aggressively over the past few years, you need to honestly assess whether your identity verification and contractor onboarding controls are robust enough to catch a well-backstopped fake persona.

Jordan: And we should be clear about what's at stake. This isn't just espionage. North Korea's GDP growth is materially linked to revenue from these operations. They're stealing intellectual property, they're stealing cryptocurrency, they're getting paid salaries as fake contractors that flow directly back to the regime. CrowdStrike has been tracking this trajectory for years, but the scale — half of all tech sector intrusions — that's a threshold that should trigger a fundamental reassessment. If you're in tech, semiconductors, AI, biotech, defense-adjacent software — this is your primary threat actor. Not a secondary one.

Alex: The actionable takeaway here: if you haven't integrated your insider threat program with your contractor vetting and your recruiting pipeline, you're leaving a door open that the most active threat actor in your sector is specifically designed to walk through.

Jordan: Staying on the geopolitical track, let's talk about the JDY botnet. Lumen researchers have documented a significant expansion. This botnet, linked to Chinese state actors in the Volt Typhoon orbit, now comprises over fifteen hundred compromised small-office and IoT devices. And the targeting has expanded explicitly to U.S. military networks.

Alex: This is the pre-positioning story we've been discussing for two years now, and it keeps escalating. JDY isn't delivering payloads. It's mapping. It's a centrally controlled, high-performance scanner that fingerprints exposed services at scale, continuously. Think of it as persistent reconnaissance infrastructure. If you're a defense contractor, if you're in the defense industrial base supply chain, the intelligence preparation of the battlefield is happening against your network right now.

Jordan: The SOHO device angle is important here. These botnets are built on commodity routers, IP cameras, NAS boxes — devices that most enterprise security teams don't manage directly but that sit on the edges of their extended networks. Your employees' home routers. Your small-office branch equipment. This is the attack surface China keeps exploiting because it's the one nobody patches.

Alex: Let's shift to governance, because we have two stories that together paint a very clear picture of where regulatory pressure is heading. South Korea just fined Coupang six hundred twenty-four billion won — roughly four hundred nine million dollars — for a breach affecting thirty-seven million customers. That's a record for the Asia-Pacific region by an enormous margin.

Jordan: To put that in context, the previous largest South Korean enforcement action was a fraction of this. This isn't incremental escalation. This is a step function. And for any CISO operating in Asia-Pacific or with customers in the region, this number will get cited in every regulatory risk conversation for the next five years.

Alex: Exactly right. And when I talk to boards, the question is always: what's our realistic financial exposure from a breach? This gives you a very concrete data point. Regulators globally are watching each other. The EU set the pace with GDPR fines. South Korea just sent a signal that Asia-Pacific will match or exceed that aggressiveness. If your board hasn't updated its breach liability modeling recently, this is the catalyst.

Jordan: And then pair that with CISA's new Binding Operational Directive, BOD 26-04. Federal agencies now have to patch the highest-risk exploited vulnerabilities within three days. Three days. And CISA explicitly cited AI-accelerated exploitation as the driver.

Alex: This is the one I want every CISO listening to internalize, not because it applies directly to you if you're in the private sector, but because it will become the benchmark. When a plaintiff's attorney or a regulator asks what a reasonable standard of care looks like for patching critical exploited vulnerabilities, they're going to point to this directive. Three days. If the federal government says three days is the standard, your thirty-day SLA for critical vulnerabilities is going to look indefensible in litigation. The risk-tiered model CISA introduced — weighting severity, exploitability, and asset exposure — is actually well-designed. I'd encourage teams to benchmark against it voluntarily.

Jordan: Which brings us directly to two vulnerabilities that are testing everyone's patch SLAs right now. Let's start with the more severe one. CVE-2026-35273 in Oracle PeopleSoft PeopleTools, versions 8.61 and 8.62. This is a zero-day. Remote code execution. No authentication required. Oracle pushed an out-of-band alert, and Mandiant's Charles Carmakal confirmed active exploitation in the wild. ShinyHunters is already claiming data theft from over a hundred organizations through this vector.

Alex: If you run PeopleSoft HCM or ERP, stop what you're doing and patch. I don't say that lightly. An unauthenticated RCE in a system that typically holds your entire HR dataset — social security numbers, compensation data, banking information — with a financially motivated group actively harvesting that data at scale. This is an emergency. Full stop.

Jordan: Second one. Ivanti Sentry. Maximum severity. Remote code execution with root privileges on internet-exposed secure mobile gateways. Ivanti has released a patch, but active exploitation is confirmed.

Alex: Ivanti has been a recurring theme for the past three years. If you have Ivanti infrastructure exposed to the internet, you already know the drill. Patch immediately, and then conduct a compromise assessment assuming the patch window may have already been exploited. Given Ivanti's history, I'd also push your team to review whether you still need this product exposed to the internet at all, or whether there's an architectural mitigation that reduces the surface.

Jordan: Shifting to the extortion landscape. New research confirms what we've been seeing anecdotally — extortion-only attacks, where adversaries steal data without ever deploying ransomware, are increasing as a share of total incidents. Data theft now dominates ransomware insurance claims.

Alex: This is a strategic shift that should change how CISOs think about resilience. For years, the playbook was: if we have good backups, we can recover from ransomware without paying. That's still true for encryption-based attacks. But if the adversary skips encryption entirely, steals your data, and threatens to publish it, your backups are irrelevant. Your recovery plan doesn't address the actual harm. This demands investment in data classification, data loss prevention, and egress monitoring — the controls that detect and prevent exfiltration, not just recover from encryption.

Jordan: And the research highlights something uncomfortable: most organizations cannot prevent stolen data from being exposed once exfiltration has occurred. Payment doesn't reliably prevent publication. So the entire leverage model has shifted to pre-exfiltration detection. If you miss it before it leaves, your options narrow dramatically.

Alex: Two more items quickly. Krebs has a detailed attribution piece on The Gentlemen, now the second most active ransomware group by victim count. They're offering affiliates a ninety percent revenue split, which is well above industry norms, and it's fueling rapid growth. Make sure your threat intelligence team and your incident response retainer are briefed on their TTPs.

Jordan: And ServiceNow disclosed that a security bug exposed data from several customer instances to the public internet. Bug bounty activity preceded the disclosure, suggesting the exposure window may be longer than the formal timeline indicates. If you're a ServiceNow customer, verify whether your instance was affected. And more broadly, this is a reminder that deeply integrated enterprise SaaS platforms are a significant risk surface. Your ServiceNow instance probably touches HR data, IT asset data, incident data, change management workflows. That's high-value information if it's exposed.

Alex: Let's step back and look at the week's emerging theme. Jordan, what stands out to you?

Jordan: The convergence of speed and accountability. CISA is telling agencies three days to patch. Regulators are issuing four-hundred-million-dollar fines. Threat actors — whether North Korean social engineers or Chinese reconnaissance botnets or ransomware groups offering ninety-percent splits — they're all operating faster and at greater scale. The window between vulnerability disclosure and exploitation keeps compressing. The financial consequences of failing to keep up keep expanding. And the traditional organizational seams — between IT and HR, between the SOC and procurement, between the security team and the SaaS vendor — those are exactly where adversaries are operating.

Alex: I agree. The message to CISOs this week is that the standards you'll be held to are tightening from every direction — regulators, insurers, plaintiffs, and the adversaries themselves. If your program is built around thirty-day patch cycles, annual vendor assessments, and a backup-centric ransomware strategy, you're operating on assumptions that no longer hold. The organizations that will fare best are the ones treating speed, identity rigor, and data-centric controls as foundational, not aspirational.

Jordan: And if you take one action today: check your PeopleSoft exposure. That one can't wait.

Alex: That's our show for Thursday, June 11th. Show notes and links to every story we covered are at cleartext.fm. Thanks for listening. We'll see you tomorrow.

Jordan: Stay sharp.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-06-11.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.