
Congress Wants a GPS Tracker on Every Advanced AI Chip America Exports

AI Chip, Chip Security Act

DeepSeek changed the calculation. When the House Select Committee on China concluded in early 2025 that the Chinese AI company had trained its flagship model on restricted Nvidia AI chips that should never have reached it, Congress stopped treating chip smuggling as an enforcement failure and started treating it as a legislative emergency — one that arrived on the House Foreign Affairs Committee's desk this week. The House Foreign Affairs Committee passed the Chip Security Act with bipartisan support on Thursday, advancing legislation to curb the smuggling of American semiconductors to foreign adversaries. The bill was introduced in May 2025 as a direct response to concerns raised by the Select Committee on China in its report on DeepSeek, which concluded the company used advanced Nvidia chips restricted from export to China to develop its AI model.

Here's What the AI Chip Security Act Is

The core mechanism the Chip Security Act puts forward is location verification — the requirement that advanced AI chips exported from the United States carry a technical security mechanism, whether implemented in software, firmware, or hardware, that continuously confirms where the device physically sits. The bill requires the Secretary of Commerce to mandate, within 180 days of enactment, that any covered integrated circuit product be outfitted with chip security mechanisms implementing location verification before it is exported, reexported, or transferred to a foreign country. Covered products include chips classified under Export Control Classification Numbers 3A090, 3A001.z, 4A090, and 4A003.z — the precise classifications that cover Nvidia's H100 and equivalent advanced AI accelerators.

The bill also requires any person who received a license to export a covered chip to promptly report to the Under Secretary of Industry and Security if they obtain credible information that the product has been diverted to an unauthorized end-user or location. Mandatory reporting closes a gap that currently allows diversion to go unreported until investigators stumble across it independently — sometimes years after the fact.

The bill arrives with enforcement urgency already established on its behalf. Earlier this week, the Justice Department charged three individuals for conspiring to smuggle billions of dollars' worth of advanced AI chips to China through Thailand.
In November 2025, the DOJ had also indicted three Chinese nationals for smuggling high-tech chips through Thailand and Malaysia to China. Both cases used the trans-shipment model — routing restricted chips through a third country to obscure China as the final destination — demonstrating that existing export controls fail at the physical enforcement layer precisely where location verification would apply.

The broader legislative push sits in deliberate tension with the Trump administration. The White House AI czar, David Sacks, in January retweeted criticism of the Chip Security Act, suggesting it handicaps Trump's ability to strategically position the U.S. favorably against China. House Foreign Affairs Committee Chairman Brian Mast pushed back directly, saying the talking points amplified by Sacks matched those he had heard from Nvidia. Nvidia CEO Jensen Huang has repeatedly argued to lawmakers that U.S. chip sales to China entrench American technology as the global standard — a position congressional China hawks view as commercially motivated reasoning that ignores military end-use risk.

The Trump administration approved the export of higher-tier H200 chips to China in January 2026, walking back the previous administration's blanket restrictions. That decision prompted fierce backlash on Capitol Hill, where lawmakers have been seeking congressional control over export licensing — authority that currently belongs entirely to the Department of Commerce. The Chip Security Act represents Congress's attempt to build a verification infrastructure capable of surviving executive policy oscillations by embedding accountability into the hardware itself rather than relying solely on licensing decisions made at the administrative level.

Industry groups including the Information Technology and Innovation Council have warned that a government chip-tracking mandate creates the impression of deepening U.S. government control over the American AI stack, potentially pushing countries that should be core customers toward alternative suppliers. Whether that concern outweighs the demonstrated reality of $170 million AI chip smuggling conspiracies routed through Southeast Asian shell companies is now a question for the full House floor.

Stryker Says Cyberattack Disrupted Processing, Manufacturing and Shipping

Stryker, Stryker Cyberattack, CISA, Handala

The U.S.-based MedTech giant Stryker confirmed in an update shared late Thursday night that its supply chain has been adversely impacted by the cyberattack claimed by the Iran-linked hacker collective Handala, with no timeline in place for a full restoration. While Stryker maintained that the root of the global disruption is an intrusion in its Microsoft environment, it added that the incident is contained to its "own internal systems" and has not spilled over to its customers. "Our connected products are not impacted and are safe to use," the update said. Based on reports on several social media platforms, Handala allegedly used data wiper malware in this campaign, in keeping with its regular modus operandi. However, Stryker reiterated that no malware or ransomware has been detected on its systems as of now.
Even though Stryker claims negligible impact on its connected products, the MedTech firm admitted disruption to its supply chain.
"This incident has caused disruptions to order processing, manufacturing and shipping," Stryker said.
That alone is not the worrying part. The fact that Stryker foresees no definitive timeline for resumption is. In an 8-K filing to the U.S. SEC, the company said:
"The incident has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the Company’s information systems and business applications supporting aspects of the Company’s operations and corporate functions. While the Company is working diligently to restore affected functions and systems access, the timeline for a full restoration is not yet known."
The full scope of financial and material impact is yet to be determined too. Stryker added that although the timeline to get up and running is blurry at this point, it "has business continuity measures in place to continue to support its customers and partners."

CISA Joins Investigation

While the company responds and conducts its own assessment, CISA said it was following due process in investigating the incident as well. “We are working shoulder-to-shoulder with our public- and private‑sector partners as we continue to uncover relevant information and provide technical assistance for the targeted attack on Stryker, while steadfastly standing at the ready to defend our nation’s critical infrastructure,” CISA acting director Nick Andersen told The Cyber Express. “As with all cyber incidents, we have launched an investigation into this matter.”

Stryker's Israel Connection: The Real Reason?

And while the world calls this an attack on a U.S.-based company, from a country that has supported Israel in the ongoing West Asia war, the actual reason could be debated. Why? Because half a decade ago Stryker acquired OrthoSpace, Ltd., a privately held company headquartered in Caesarea, Israel, in an all-cash transaction. What does this imply? Not to jump to conclusions, but all companies with trade and other links to Israel may be carrying targets on their backs.

Updated March 14, 10:35 AM ET: Added CISA acting director Nick Andersen's comments.

INC Ransom’s Franchise Model Is Putting Critical Infrastructure on the Chopping Block

INC Ransom, Western Critical Infrastructure, Critical infrastructure, Russian GRU, Russian Threat Actor, Sandworm, APT44, Energy Supply Chain, Energy Infrastructure

When Australia's cyber watchdog issued a fresh advisory on INC Ransom, security teams worldwide were bound to take note — not because INC is new, but because the group's business model has quietly made it one of 2025's most relentless forces targeting the very networks societies depend on to survive.

Australia's Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), published the advisory warning that INC Ransom's affiliate model now enables a broad range of threat actors to target critical infrastructure — from healthcare systems to government networks — with minimal technical skill of their own.

INC Ransom operates as a Ransomware-as-a-Service (RaaS) group. It is a criminal franchise model where core developers build and maintain the ransomware platform, then lease it to "affiliates" who carry out the actual attacks in exchange for a cut of the ransom. Think of it as a dark-web franchise. The brand, tools, and infrastructure belong to INC; the break-ins happen through hired hands.

As of mid-2025, more than 200 victims appeared on INC's data leak site, and in July 2025, INC ranked as the most deployed ransomware based on victim postings. That scale does not happen by accident. It reflects a deliberate expansion through affiliates who carry existing access and expertise from other groups.

Prime Focus on Healthcare

Healthcare organizations bore the brunt of INC's activity between January and August 2025, with education, technology, and government entities also ranking among the top victim sectors.

"Since January 2025, the ACSC has observed INC Ransom affiliates target Australian Health Care sector entities using compromised accounts. Upon initial access, affiliates have conducted privilege escalation by creating admin level accounts and moving laterally within victim networks," the advisory said. In June, the Tongan Ministry of Health (MoH) ICT environment was hit by a ransomware attack that impacted core services and disrupted the national health care network. The ACSC said this was also the work of the INC ransomware group, as was an attack on a healthcare sector entity further south in New Zealand. "Many of the organisation’s servers and endpoint devices had been encrypted, and a large amount of data was stolen. INC Ransom claimed responsibility for this incident, and published the dataset on its DLS (data leak site)," ACSC confirmed.

Exploits Known Vulnerabilities

INC affiliates do not reinvent the wheel. They exploit known, unpatched vulnerabilities in widely deployed enterprise software. Documented entry points include CVE-2023-3519 in Citrix NetScaler — a remote code execution flaw patched in July 2023 — CVE-2023-48788, a SQL injection vulnerability in Fortinet Endpoint Management Server, and CVE-2024-57727, a SimpleHelp RMM path traversal flaw added to CISA's Known Exploited Vulnerabilities catalog in February 2025.

INC Ransom also used CitrixBleed (CVE-2023-4966), a vulnerability in Citrix NetScaler ADC and Gateway appliances that lets threat actors bypass multifactor authentication and hijack legitimate user sessions. In practical terms, an attacker does not need stolen credentials. They can walk through the front door using a session that already has authorization.

Once inside, INC affiliates follow a disciplined playbook. They archive data with 7-Zip before exfiltrating it via MegaSync, use AES encryption, and drop ransom notes printed directly to network printers. The group then applies double extortion — encrypting systems while threatening to publish stolen data publicly unless the victim pays.
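The sequence reported here and in the ACSC advisory quoted earlier (a new admin-level account, 7-Zip archiving, then MegaSync) can be correlated per host rather than alerted on piece by piece. The following is an added example, not code from the ACSC advisory or the original article; the event records are constructed and simplified, and the field names, host names, accounts and 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed, simplified Windows event records (not real telemetry).
# 4732 = member added to a local group, 4688 = process creation.
# Field names, hosts and accounts are assumptions made for this example.
EVENTS = [
    {"ts": "2025-06-01T02:10:00", "host": "FS01", "id": 4732,
     "group": "Administrators", "member": "svc_backup2"},
    {"ts": "2025-06-01T02:40:00", "host": "FS01", "id": 4688,
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmd": r"7z.exe a C:\Temp\out.7z D:\Shares"},
    {"ts": "2025-06-01T03:05:00", "host": "FS01", "id": 4688,
     "image": r"C:\Users\svc_backup2\AppData\Local\MEGAsync\MEGAsync.exe",
     "cmd": "MEGAsync.exe"},
    {"ts": "2025-06-01T09:00:00", "host": "WS07", "id": 4688,  # benign extract
     "image": r"C:\Program Files\7-Zip\7zG.exe", "cmd": "7zG.exe x report.zip"},
    {"ts": "2025-06-01T09:30:00", "host": "WS12", "id": 4732,  # not an admin group
     "group": "Remote Desktop Users", "member": "jdoe"},
]
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
STAGES = ("admin_add", "archive", "exfil")  # order described in the article

def classify(ev):
    """Map one event to a playbook stage, or None if it is not of interest."""
    if ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
        return "admin_add"
    if ev["id"] == 4688:
        exe = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        args = ev.get("cmd", "").lower().split()
        if exe in ARCHIVERS and len(args) > 1 and args[1] == "a":  # "a" = add to archive
            return "archive"
        if exe == "megasync.exe":
            return "exfil"
    return None

def find_chains(events, window=timedelta(hours=24)):
    """Return hosts where all three stages occur in order inside the window."""
    progress, hits = {}, []  # progress: host -> timestamps of stages matched so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage, ts = classify(ev), datetime.fromisoformat(ev["ts"])
        seen = progress.setdefault(ev["host"], [])
        if seen and ts - seen[0] > window:
            seen.clear()  # chain went stale; start over
        if stage == STAGES[len(seen)]:
            seen.append(ts)
        if len(seen) == len(STAGES):
            hits.append({"host": ev["host"], "start": seen[0], "end": seen[-1]})
            progress[ev["host"]] = []
    return hits
```

Requiring the stages in order on one host keeps routine 7-Zip use, such as the extract on WS07, from raising an alert on its own.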

In one high-profile case, INC Ransom claimed a breach of the Pennsylvania Office of the Attorney General in August 2025, stating it removed more than 5 terabytes of data and hinted at access to federal networks. The office refused to pay.

The group's reach does not stop at U.S. borders. INC Ransom targeted Alder Hey Children's NHS Foundation Trust in the U.K., claiming to have obtained large-scale patient records, donor reports, and procurement data. This pattern of targeting public-sector healthcare — institutions with constrained security budgets and life-critical dependencies — reflects a calculated predatory strategy.

Microsoft Threat Intelligence tracks significant INC affiliate activity through a group it calls Vanilla Tempest, which adopted INC Ransom as its primary payload in August 2024 after previously using BlackCat, Quantum Locker, Zeppelin, and Rhysida. The fluidity between groups showcases a core feature of the RaaS model where affiliates shop for the most effective tools and swap them out when law enforcement pressure mounts.

Australia now mandates that organizations with annual turnover above $3 million, as well as critical infrastructure operators, report ransomware or extortion payments within 72 hours — a regulatory shift designed to erode the financial incentives that sustain groups like INC.

The ACSC advisory recommends network defenders prioritize patching of internet-facing systems, implement phishing-resistant multifactor authentication, segment networks to limit lateral movement, and monitor for unusual use of legitimate administrative tools such as PowerShell and Remote Desktop Protocol (RDP).

Given that INC ransomware elements have also been linked to the development of Lynx ransomware — a derivative group — the threat footprint extends well beyond INC's own branding. Defenders who neutralize INC today may face the same code under a different name tomorrow.
