
Steve Prentiss
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Monday, June 23, 2025. I'm Steve Prentiss.
CMC officially points finger at Scattered Spider for Marks and Spencer and Co-op attacks. Following up on our coverage of the attacks on British retailers Marks and Spencer, Co-op and Harrods, the UK-based Cyber Monitoring Centre has now classified the attacks on Marks and Spencer and Co-op as a single combined cyber event. They attribute this appellation to the close timing and similar TTPs, including social engineering attacks on IT help desks. They have labeled this a Category 2 systemic event with an anticipated financial impact of between 363 million and 592 million dollars. The Harrods attack has not yet been included in this assessment due to a current lack of adequate information.
Aflac investigating suspicious activity on its U.S. network. The largest provider of supplemental insurance in the United States is announcing this discovery, warning of its potential impact on Social Security numbers, information on claims and customer health and PII related to customers, beneficiaries, employees, agents and other individuals in its U.S. business. The company attributes the attack to the ongoing cybercrime campaign against the insurance industry and points out that the intrusion was stopped within hours. Its review is, of course, currently ongoing.
Russian dairy producers suffer cyber attack. The attack impacted the Mercury platform, part of Russia's Federal State Information System for veterinary surveillance and the country's digital system for certifying animal-based products. It was taken offline earlier this week in what is being described as the most severe to date compared to two previous attacks. This has forced producers and suppliers to revert to paper-based veterinary certificates. Under Russian law, all businesses handling meat, dairy, eggs and other animal products must register with Mercury and issue veterinary documents electronically. Without them, processors are legally barred from accepting raw milk, as digital certification is required to verify product authenticity and safety. End quote.
Tonga's Ministry of Health suffers a cyber attack. A ransomware attack has affected the national Health Information System of this South Pacific island nation. The attack, which was discovered on June 15, impacts the system used to record and register hospital patients. A spokesperson added that this includes medical records, prescriptions, health risks and future plans for patients. Cybersecurity experts from Australia arrived on Thursday to help the government resolve the issue.
Huge thanks to our sponsor, ThreatLocker. ThreatLocker is a global leader in zero trust endpoint security, offering cybersecurity controls to protect businesses from zero day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and to start your free trial, visit threatlocker.com/CISO. That is T-H-R-E-A-T-L-O-C-K-E-R.com/CISO.
Microsoft investigates OneDrive file search bug. This issue causes searches within OneDrive to appear blank or return no results in locations where files have been uploaded. The issue affects a subset of Windows, Android, iOS and web users, says Microsoft, adding that there is currently no known workaround for those affected and no estimated timeline for a fix.
Cloudflare blocks record DDoS attack against hosting provider. Cloudflare mitigated this attack on a hosting provider back in May. The peak of the attack was 7.3 terabits per second, which is 12% larger than the previous record. The attack used more than 122,000 source IP addresses spread across 161 countries, the majority based in Brazil, Vietnam, Taiwan, China, Indonesia and Ukraine. Cloudflare says it was able to mitigate the attack without human intervention using a network layer protection service called Magic Transit.
Qilin ransomware adds Call Lawyer feature to pressure for larger ransoms. In the face of increasing resistance and non-cooperation from ransomware victims generally, the Qilin ransomware-as-a-service group is now offering legal counsel for its affiliates to help them put more pressure on victims to pay up, according to Israeli cybersecurity company Cybereason. This new feature takes the form of a Call Lawyer button on the affiliate panel. This feature allows an affiliate ransomware group to bring a lawyer into negotiations with the victims, taking advantage of the fact that many companies wish to avoid legal proceedings and will therefore more readily comply.
German table napkin manufacturer closes due to ransomware. A cautionary tale on the impact of ransomware: Fasana, a company based in Stotzheim in Germany and which manufactures a range of table napkin products, has filed for insolvency following a May 19 ransomware attack that left the company unable to print delivery notes, which subsequently paralyzed business operations. No group has yet been publicly identified and production has since resumed. But this has not been enough to save the company, which lost millions of euros in lost business, plus the cost of recovery. They now have eight weeks to find a buyer.
Be sure you are registered for this week's Super Cyber Friday event, all about hacking the internal politics of cybersecurity. If you've ever been challenged by navigating the tricky waters of an organization to get the security mission done, you need to join us. We've got two seasoned CISOs joining us this Friday at 1pm Eastern, talking for an hour on why just being right isn't enough when it comes to security decisions. To register, just simply head on over to the events page at cisoseries.com.
And if you have some thoughts on the news from today or about the show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss, reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Cyber Security Headlines – Episode Summary Hosted by CISO Series | Release Date: June 23, 2025
In this episode of Cybersecurity Headlines, Steve Prentiss from the CISO Series delves into several significant cyber incidents impacting various industries globally. The episode covers attacks on major UK retailers, a security breach at Aflac, a severe cyberattack on Russian dairy producers, and more. Below is a detailed summary of the key discussions, insights, and conclusions presented in the episode.
[00:00] Steve Prentiss opens the episode by reporting on the cyberattacks targeting prominent British retailers, including Marks & Spencer and Co-op. The UK-based Cyber Monitoring Centre (CMC) has classified these incidents as a single, combined cyber event due to the close timing and similar tactics, techniques, and procedures (TTPs) employed by the attackers.
Classification and Impact:
Harrods Attack:
Notable Quote:
"They have labeled this a Category 2 systemic event with an anticipated financial impact of between 363 million and 592 million dollars," — Steve Prentiss [00:00]
The report moves to Aflac, the largest provider of supplemental insurance in the United States, which has identified suspicious activity within its U.S. network.
Scope of the Breach:
Attribution and Response:
Notable Quote:
"The intrusion was stopped within hours," — Steve Prentiss [00:00]
A critical cyberattack has struck Russia's dairy sector, affecting the Mercury platform, a component of the federal State Information System for veterinary surveillance and digital certification of animal-based products.
Impact on Operations:
Regulatory Implications:
Notable Quote:
"Without them, processors are legally barred from accepting raw milk as digital certification is required to verify product authenticity and safety," — Steve Prentiss [00:00]
The Ministry of Health in Tonga, a South Pacific island nation, has suffered a ransomware attack compromising its national Health Information System.
Details of the Attack:
Response Efforts:
Notable Quote:
"This includes medical records, prescriptions, health risks and future plans for patients," — Steve Prentiss [00:00]
Microsoft is currently investigating a bug affecting OneDrive users across various platforms, including Windows, Android, iOS, and web.
Issue Description:
Current Status:
Notable Quote:
"There is currently no known workaround for those affected and no estimated timeline for a fix," — Steve Prentiss [00:00]
Cloudflare recently thwarted an unprecedented Distributed Denial-of-Service (DDoS) attack targeting a hosting provider.
Attack Details:
Mitigation Strategy:
Notable Quote:
"Cloudflare mitigated this attack without human intervention using a network layer protection service called Magic Transit," — Steve Prentiss [00:00]
The Qilin ransomware-as-a-service (RaaS) group has introduced a new feature aimed at increasing ransom payments through legal intimidation.
New Feature Overview:
Strategic Advantage:
Notable Quote:
"This feature allows an affiliate ransomware group to bring a lawyer into negotiations with the victims, taking advantage of the fact that many companies wish to avoid legal proceedings and will therefore more readily comply," — Steve Prentiss [00:00]
Fasana, a table napkin manufacturer based in Stotzheim, Germany, has filed for insolvency following a debilitating ransomware attack.
Incident Impact:
Current Status:
Notable Quote:
"Fasana... has filed for insolvency following a May 19 ransomware attack that left the company unable to print delivery notes, which subsequently paralyzed business operations," — Steve Prentiss [00:00]
This episode of Cybersecurity Headlines underscores the pervasive and evolving nature of cyber threats across diverse sectors and geographies. From large-scale financial losses in the retail and insurance industries to critical disruptions in healthcare and food safety systems, the ramifications of these attacks are profound and far-reaching. Additionally, the innovations in ransomware tactics, such as the Qilin group's 'Call Lawyer' feature, highlight the increasing sophistication of cybercriminals.
Steve Prentiss emphasizes the critical need for robust cybersecurity measures, proactive threat monitoring, and swift response strategies to mitigate the impact of such incidents. As cyber threats continue to evolve, organizations must stay vigilant and adapt their security frameworks to protect sensitive data and maintain operational integrity.
For more detailed insights and daily updates on cybersecurity events, visit CISOseries.com.