Research and Innovation OSINT Digest 250808
The information is open source only and this digest is produced for information only.
EXECUTIVE SUMMARY:
In July 2025, SECURED observed 26 security incidents affecting HEIs from open-source data, a 30% increase on June 2025. Of these incidents, 69.2% were cyber, 23.1% hybrid, and 7.7% physical. Security incidents recorded in July 2025 underline that cyber threats remain the most significant risk facing HEIs. There was a marginal 1.5% increase in cyber incidents in July 2025 from June 2025.
July 2025 also saw hybrid events increase by 9.5% of the total security events from June 2025, especially state-linked espionage incidents. Chinese-linked espionage operations continue to prioritise sensitive intellectual property theft from academic institutions. Chinese espionage is likely to increase in volume and intensity given greater centralisation of China’s science and technology ecosystem in line with the Chinese Communist Party’s (CCP) military, technological, and political objectives.
In response to the growing threat of Chinese academic interference and espionage, the US government is intensifying pressure on US HEIs to sever ties with Chinese entities and funding bodies. In contrast, the UK policy stance on China remains less defined. UK institutions risk losing access to US research partnerships and funding if they maintain affiliations with Chinese actors, while also allowing potentially high-risk relationships to develop.
At Tyburn St Raphael, we specialise in countering threats to cutting-edge research and innovation. Our security practitioners come exclusively from UK government, military, and academic backgrounds.
We are experts in providing travel security assessments and strengthening organisational security posture to protect intellectual property.
TYBURN Recommendations:
Assess cyber resilience and recovery capabilities amid rising cyber threats
Cyber incidents in July have highlighted the operational challenges HEIs face in returning to business as usual after an incident, with recovery protocols often failing under real-world conditions. Institutions should prioritise a review of their incident response and recovery plans, with testing informed by current intelligence on threats.
Support at-risk researchers with tailored security provision
Researchers working on cutting-edge or sensitive projects face elevated threats and will be required to adopt more stringent security controls. Institutions should ensure these people have the welfare and operational support required to do their work effectively amid tighter controls.
Engage external experts for open-source monitoring for security risks
Security risks are evolving as HEIs face increased targeting by state-level actors using hybrid threat vectors. The shifting geopolitical landscape is transforming previously low-risk partnerships into high-risk exposures. Engaging external experts with open-source monitoring capabilities can provide institutions with timely, actionable intelligence to support proactive decision-making and early risk mitigation.
Incident data
Open-source data on security incidents with commentary
Universities in Southern Texas - 03/07/2025 - US - Cyber
Event: On 3 July 2025, Italian authorities arrested Xu Zewei (徐泽伟) in Milan at the request of the US. Xu faces charges of wire fraud, aggravated identity theft, and unauthorised access to computers in connection to the HAFNIUM cyber threat actor group – a sophisticated, state-sponsored threat group who conducted a campaign between 2020 and 2021 targeting US universities and legal entities to steal COVID-19 research and other sensitive information on behalf of the Chinese government. Link 1 Link 2 Link 3 Link 4
Comment: US authorities allege that Xu, working in collaboration with another Chinese national Zhang Yu (张宇), conducted a coordinated hacking campaign directed by two Chinese intelligence agencies: the Ministry of State Security (MSS) and the Shanghai State Security Bureau (SSSB). According to the FBI’s cyber division, HAFNIUM targeted over 60,000 US entities and successfully exfiltrated sensitive information from more than 12,700 of them. While COVID-19 research data was likely the primary objective, it is highly likely that HAFNIUM collected intelligence from email addresses to support further targeting efforts. For instance, access to communication between researchers almost certainly allowed HAFNIUM to map social networks, enabling them to develop targeted packages or elicitation strategies which could be used to steal further COVID-19 data or other sensitive research. In contrast to other cyber incidents at universities in July 2025, this incident is an example of a sophisticated state-sponsored campaign against multiple universities in the US, underlining the immediacy of this threat.
Edinburgh University - 04/07/2025 - 10/07/2025 - UK - Physical
Event: Between 4 and 10 July 2025, a large number of students at the University of Edinburgh led a walkout of their graduations in protest at the institution's links to Israel. Protesters unveiled pro-Palestine flags and shouted at academic staff conducting the ceremony. Edinburgh University responded that, while it respects lawful and peaceful protests, it was disappointed that protesters interrupted ceremonies and created what the university termed a hostile environment. A Responsible Investment Advisory Group has been established to assess the university's current investment in response to the action. Link 1 Link 2
Comment: Protesters stated that their actions were prompted by a UN special report on the Occupied Palestinian Territories, which identified the University of Edinburgh as one of the UK institutions most financially entangled with Israel. According to a website affiliated with the protesters, campus security allegedly profiled individuals attending a graduation ceremony and denied them entry. In response, the protesters claimed that “suppressing dissent is evidently the primary role of Edinburgh University security, not the protection of students.” The incident underlines reputational risks to universities amid heightened political tensions over the Middle East.
Seven US universities - 08/07/2025 - US - Hybrid
Event: On 8 July 2025, seven US HEIs received letters from the US Select Committee on the Chinese Communist Party, pushing the institutions to cut ties with the China Scholarship Council (CSC) and demanding insight into the institutions’ relationships with the CSC, among other requirements. Dartmouth and Notre Dame universities responded by saying that they had already cut ties with the CSC. Link 1 Link 2 Link 3 Link 4 Link 5 Link 6
Comment: The Select Committee alleges that the CSC is a “CCP-managed technology transfer effort that exploits US institutions and directly supports China's military and scientific growth”. Credible reporting has demonstrated that intellectual property theft at HEIs is a key strategy used by the Chinese government to accelerate its technological and military development [LINK, LINK, LINK]. Institutions that maintain ties with high-risk entities face significant financial and reputational risks. This includes the real and immediate loss of partnerships and funding, which previous case studies have demonstrated.
Kyiv Technical University - 09/07/2025 - Ukraine - Hybrid
Event: On 9 July 2025, the counterintelligence division of Ukraine's Security Service detained two Chinese citizens in Kyiv who allegedly attempted to export sensitive intelligence about Ukraine's Neptune missile system to China. One of the Chinese citizens is a former student at Kyiv Technical University who remained in Kyiv despite being expelled from the university in 2023. Link 1 Link 2 Link 3
Comment: The R-360 ‘Neptune’ cruise missile has emerged as a strategic asset for Ukraine over the course of the war, playing a pivotal role in the destruction of the Russian Black Sea Fleet flagship guided missile cruiser Moskva in 2022. The system is very likely to be a high intelligence collection priority for Russia and China. Notably, Russia has previously attempted to disrupt the Neptune programme by leveraging a malicious insider in the Ukrainian army to organise a kinetic strike on the programme's facilities [LINK]. This incident highlights the broader intelligence threat posed by individuals who can be recruited by adversarial states, including students. Chinese students, in particular, present an elevated risk due to China's strategic use of non-traditional collection, which often involves coercing students studying abroad to obtain technological and military intelligence. While it is unclear whether Kyiv Technical University is directly involved in the Neptune missile programme, it is likely that the Chinese national who was a former student at Kyiv Technical University leveraged their academic connection to facilitate the operation. The incident underlines the need for universities to implement robust personnel policies to monitor and assess high-risk individuals, especially those who continue to reside in the area after leaving the institution.
Nottingham Trent University - 11/07/2025 - UK - Cyber
Event: On 11 July 2025, Nottingham Trent University (NTU) reported a cyber incident which affected a number of its servers. The threat actor was reportedly able to access NTU’s Active Directory, which included names, NTU email addresses, mobile numbers, and hashed account passwords. In response to the incident, the university has reset the passwords on all NTU accounts. Link 1 Link 2
Comment: As of 28 July 2025, the threat actor's initial point of compromise into the university's network is unclear. Universities typically present a broad attack surface due to their extensive digital infrastructure, including numerous machines, servers, domains, and a high volume of users such as staff, faculty, and researchers. This complexity is compounded by the lack of strong security cultures within HEIs, which can significantly undermine the effectiveness of technical cyber security controls.
University of Michigan - 15/07/2025 - US - Hybrid
Event: On 15 July, the US Department of Education opened an investigation into the University of Michigan following a security incident in which two Chinese researchers affiliated with the university smuggled biological materials into the US. Link 1 Link 2 Link 3
Comment: The Chinese researchers at the University of Michigan were charged on 3 June 2025 with smuggling the Fusarium graminearum fungus into the US. The fungus has the potential to be deployed as an agroterrorism weapon, causing significant crop damage and harm to humans and livestock. Chinese funders supported the Chinese scientists' research into this pathogen. The University of Michigan is being investigated for its role in facilitating this event. Reports have indicated that the university had insufficient security policies to mitigate sabotage to its laboratories and national security threats from China [LINK]. The Department of Education has alleged that the university is being “incomplete, inaccurate and untimely” in its public disclosures around foreign funding sources. This incident is likely to have caused significant reputational damage to the university, with security-conscious partners likely to review funding and partnerships. The incident highlights the need for HEIs to maintain holistic and robust security strategies that mitigate new, evolving hybrid threats.
Ravenshaw University - 28/07/2025 - India - Cyber
Event: On 28 July 2025, the website of Ravenshaw University in India was compromised. The threat actors infiltrated the website and attempted to redirect the traffic to a foreign betting platform. No damage or stolen data was reported and the university's technical team quickly restored the website. Link 1 Link 2 Link 3
Comment: The attempt to redirect traffic towards a foreign betting platform suggests the involvement of external threat actors. Previous cyber incidents targeting Indian HEIs have often been conducted by Pakistan-aligned threat actors who have defaced HEI websites with politically motivated messages. This is not the first cyber incident affecting Ravenshaw University; a similar incident occurred in 2023. These recurring incidents underscore the persistent targeting of HEIs, driven by a range of motivations. They also highlight the ongoing challenges these institutions face in implementing effective cyber resilience measures.
Security briefs
Analysis and assessment of ongoing security issues
Danish universities increase vetting of foreign researchers
Description: Danish universities have increased security vetting of researchers from China, Russia, and Iran, amid concerns about espionage and intellectual property theft [LINK, LINK].
Assessment: Amid growing security concerns about espionage and intellectual property theft, universities in Denmark have increased security vetting for researchers from certain countries. Protocols involve assessing candidates’ backgrounds and affiliations with high-risk entities, evaluating their access to sensitive information, and determining their vulnerability to foreign influence [LINK]. Aarhus University has reportedly rejected 24 research applications in 2025 for security reasons [LINK]. Other institutions implementing similar measures include Copenhagen University, Roskilde University, and the University of Southern Denmark. HEIs are particularly vulnerable due to the prevalence of informal collaborations and visiting scholars, which often lack transparency and oversight [LINK]. The threat posed by covert, adversarial state influence and espionage to Western HEIs is significant, requiring holistic personnel security policies to mitigate security risks.
Oxford University Press stop publishing Chinese-sponsored science journal
Description: Oxford University Press (OUP) announced that it will no longer publish the Forensic Sciences Research (FSR) journal, a journal sponsored by an affiliate of China’s Ministry of Justice [LINK, LINK, LINK].
Assessment: FSR has received increasing ethical criticism after concerns about DNA collection from Uyghurs and other ethnic minorities in China under state surveillance [LINK]. Critics allege that DNA samples and research published in the journal may be used to facilitate the mass surveillance of ethnic minority groups in China. Notably, one author of a paper that used blood samples from 264 Uyghurs is affiliated with China’s state security agencies [LINK]. Although OUP did not specify why they discontinued the relationship, it is likely that it was based on reputational and legal concerns. In today’s volatile geopolitical landscape, partnerships that were once considered low-risk can rapidly become high-risk. This increases the likelihood that controversial journals like FSR could face future sanctions, posing serious legal and reputational consequences for HEIs that maintain links with them.
China refocuses Science and Technology Ecosystem
Description: A report by NSF Secure Analytics outlines how the Chinese government is restructuring its science and technology ecosystem in a manner that will heighten geostrategic conflict and research security risks [LINK, LINK].
Assessment: The report outlines that the Chinese government is moulding the science and technology ecosystem to align more closely with national security, ideological control, and strategic self-reliance. A new Central Science and Technology Commission has been established, while agencies like the Ministry of Science and Technology and the National Natural Science Foundation of China have altered mandates for greater oversight and political alignment [LINK]. The reforms are likely intended to centralise academic, industrial, and military research. As Western institutions collaborate with Chinese partners, the risk of dual-use technology transfer and intellectual property theft heightens as more Chinese institutions deepen state-military ties. Institutions should review security governance processes to ensure they address the growing risk posed by collaboration with Chinese and other high-risk entities.
Contact us
Secured is a UK-based organisation that provides strategic advisory services to organisations concerned about threats to the security of research, innovation, and investment.
Our security practitioners help entities secure their intellectual property, build operational and financial resilience, and cultivate a positive organisational security culture.
We provide research on the national security implications of emerging technologies as part of our scientific and technical intelligence assessment capability. Recent examples include:
Academic researchers exposed to US travel risk - assessment of the increasingly stringent US border practices and their impact on academic researchers travelling to the US.
Security risk from third-party meeting bots - a short article assessing the often overlooked security risks posed by third-party meeting bots intruding into online virtual meetings.
Robustness of real-time deep fake technology - assessment of the security risks posed by evolving deep-fake technology and the requirement for more robust detection capabilities.
Stricter cyber incident reporting requirements - a short assessment of regulatory changes which are placing more pressure on organisations’ incident response plans.
Russian cyber intelligence campaign - strategic assessment of the Russian cyber intelligence campaign targeting logistics, tech companies, and supply chains supporting Ukraine.
The Zimmermann Telegram: A Century-Old Case Study for Strategic Communications - provides insight into how strategic communications, intelligence, and security intersect.
Beyond Baselines - highlights the necessity of security certifications that go beyond baseline measures.
Deception can enable private sector initiative - research article published in security and technology journal Binding Hook.
Securing project management organisations in giga-projects - outlines best practices for securing integrated project management organisations in large-scale capital projects.
Frontline of defence or Achilles’ heel - article that emphasises that underresourced and overworked IT and security personnel are often defensive vulnerabilities rather than assets.
North Korean malware assessment - strategic assessment of the North Korean Ferret malware family.
Five common pitfalls to avoid as an intelligence analyst - short article identifying best practices for open-source intelligence reporting.
Cyber incident at Dutch university - assessment of the cyber incident at TU Eindhoven.
How to quickly identify a good OSINT report - short article underlining best practices for writing open-source intelligence reporting.
US designation of major Chinese companies as military-linked - strategic assessment on the impact and outlook of the US’s designation of major Chinese companies as affiliated with the Chinese People’s Liberation Army.
Secured is part of Tyburn St Raphael Ltd, a boutique security consultancy.