CyberWire Daily – "Cyber shock to the oil trade."
Date: December 16, 2025
Host: Dave Bittner, N2K Networks
Featured Guest: Christiane Beek, Senior Director of Threat Intelligence & Analytics, Rapid7
Episode Overview
This episode dives into a surge of cyberattacks around the globe, with a particular focus on a ransomware strike targeting Venezuela's oil sector, global data breaches, and new trends in cybercrime and nation-state operations. The guest interview with Christiane Beek from Rapid7 explores how attack velocity is increasing, ransomware tactics are evolving, and threat actors — from criminal syndicates to nation-states — are collaborating and leveraging AI. The episode wraps with a look at a Pornhub data leak that underscores the persistent risks of third-party data retention.
Key News Stories & Insights
1. Venezuela's State Oil Company (PDVSA) Ransomware Attack
[03:00]
- PDVSA’s exports were halted following a ransomware attack, though the company claimed core production was unaffected.
- Blame was assigned to the U.S.; incident coincides with U.S.–Venezuela tensions and recent seizures of oil tankers.
- Staff were forced to use handwritten records; shipments suspended, with millions of barrels stranded offshore.
Quote:
“Oil production, refining and domestic distribution continued, but exports were hit, forcing staff to keep handwritten records and halting loading instructions.” – Dave Bittner [03:44]
2. Iranian Group Offers Cash Bounties for Doxing Israelis
[04:07]
- Iran-linked group ‘Handala’ announced cash rewards for personal data on Israeli defense engineers.
- Data was widely disseminated on Arab outlets and Telegram, but has not been independently verified.
- Part of a broader “Red Wanted” campaign targeting nearly 200 Israelis.
Quote:
“A $30,000 bounty was offered for information on some targets... the effort is part of Handala’s broader Red Wanted doxxing campaign.” – Dave Bittner [04:33]
3. German Parliament Suffers Major Email Outage Amid Diplomatic Event
[05:13]
- Germany’s lower house (the Bundestag) lost email access for over four hours in what is suspected to be a cyberattack.
- Incident coincided with sensitive US–Ukraine discussions; investigation ongoing.
4. Coupang (South Korea’s ‘Amazon’) Suffers Massive Data Breach
[05:48]
- Personal information of up to 34 million people, over 90% of South Korea’s working-age population, was leaked.
- The breach was caused by a former developer who retained access credentials after leaving the company.
- Resulted in lawsuits, resignations, and calls for stricter penalties.
Quote:
“The leak… included names, phone numbers, and residential entry codes, but not credit card or government ID data.” – Dave Bittner [06:18]
5. Exploitation of Fortinet and FreePBX Vulnerabilities
[07:02]
- Fortinet authentication bypass vulnerabilities have been actively exploited since Dec 12; multiple products are affected.
- Critical FreePBX VoIP platform vulnerabilities allow full system compromise; urgent patching advised.
6. 700 Credit Data Breach Impacts US Auto Industry
[08:18]
- Data of 5.8 million individuals exposed via a compromised third-party API.
- Includes names, SSNs, dates of birth; incident discovered in October.
7. Google Retires Dark Web Reporting Service
[09:06]
- The dark web monitoring tool will end in early 2026 due to limited actionable value; focus will shift to core security offerings.
8. European Police Dismantle Ukrainian Fraud Call Centers
[09:46]
- Fraud network with call centers across Ukraine scammed Europeans out of €10+ million.
- Seizures include vehicles, weapons, and computers; over 400 victims targeted.
9. Pornhub Data Exposed via Mixpanel Breach
[25:09]
- Exposed data includes premium user emails, search terms, and viewing history.
- Stolen by Shiny Hunters via a third-party analytics vendor breach, prompting privacy concerns.
Quote:
“Shiny Hunters is now extorting affected companies, raising awkward questions about why such intimate data was retained for years.” – Dave Bittner [25:39]
In-Depth Interview: Christiane Beek, Rapid7
[13:24–23:46]
Accelerating Exploitation and Attack Velocity
- Ransomware continues at unexpectedly high rates, with “almost 80 groups” active daily.
- Publicly disclosed vulnerabilities (“N-days”) are exploited in the wild within hours of disclosure.
- Both cybercriminals and nation-state actors rapidly incorporate new exploits.
Quote:
“If a vulnerability is… made public, then it’s no longer a zero-day, but an N-day, [and is] being exploited in the wild immediately… we hit at some point like 30 attacks an hour on our honeypots.”
– Christiane Beek [14:37]
Evolving Ransomware Tactics
- Shift from endpoint encryption to targeting virtualized environments and core data stores.
- Data exfiltration is now prioritized over device disruption.
Quote:
“First when they come in, they’re not so much interested anymore in the endpoint itself. It’s more like, ‘Hey, where do you stash your data?’ And let’s go after that.” – Christiane Beek [16:41]
New Sectors and Ransomware Group Alliances
- Construction sector emerged as a new ransomware target in Q3 2025.
- Healthcare remains heavily targeted.
- Group alliances are forming, with coordination on infrastructure and negotiations; observed between groups like Dragon Force and Scattered Spider.
- Law enforcement pressure results in group infighting and consolidation.
Memorable Note:
“There was this kind of… 'fitty'… it means like, yeah, you’re fighting each other, you’re doxing each other.” – Christiane Beek [18:07]
Nation-State Threat Actors: Stealth and Persistence
- Nation-states prioritize long-term persistence and intelligence gathering over quick, noisy attacks.
- Use of stealth backdoors — dormant implants activated by bespoke network packets.
Quote:
“We have seen some really stealthy backdoors… you have to know exactly, like they’re sleeping on the system… until they get like a specific command… that’s when they become alive.” – Christiane Beek [19:12]
AI and Professionalization of Cybercrime
- AI, mostly in the form of machine learning, is used to write and check code, create convincing phishing campaigns, and generate fake LinkedIn profiles (notably by DPRK IT workers).
- AI-generated materials make social engineering and impersonation significantly more believable.
Quote:
“Some of those [phishing] campaigns are so real hard to detect… They create fake profiles on LinkedIn where they leverage AI to create the images. All those kind of… allocations you need to put in a profile to make it really convincing…” – Christiane Beek [20:44]
Recommendations and Outlook
- Defenders must focus on fundamentals: understanding their attack surface, improving visibility, and covering detection gaps, especially at the network edge.
- Rapid patching is essential, but not always practical; layered detection is critical.
Quote:
“Sometimes we are doing a lot with technology… but sometimes it makes it so complex that we hardly understand anymore… where we need to look for this.” – Christiane Beek [21:41]
- Prediction: Supply chain attacks will increase in prominence in 2026; defenders must learn from 2025’s major incidents and adapt accordingly.
Notable Quotes & Memorable Moments
- “Almost 80 groups almost daily active trying to do ransomware operations.” – Christiane Beek [13:49]
- “If a vulnerability is actually made public… it’s being exploited in the wild immediately.” – Christiane Beek [14:37]
- “They create fake profiles on LinkedIn where they leverage AI… to make it really convincing…” – Christiane Beek [20:44]
- “Shiny Hunters is now extorting affected companies, raising awkward questions about why such intimate data was retained for years.” – Dave Bittner [25:39]
Key Timestamps
- [03:00] Venezuela’s oil sector ransomware attack
- [04:07] Iranian ‘Handala’ doxxing bounties
- [05:13] German parliament email outages
- [05:48] Coupang breach: scope & fallout
- [07:02] Fortinet & FreePBX vulnerabilities exploited
- [08:18] 700 Credit auto industry data breach
- [09:06] Google’s dark web reporting shutdown
- [09:46] European call center fraud takedown
- [13:24–23:46] Guest interview – Christiane Beek, Rapid7
- [25:09] Pornhub/Mixpanel breach
Tone and Takeaway
The episode balances urgent investigative reporting with the steady, pragmatic tone of the CyberWire, emphasizing resilience and the need for cybersecurity fundamentals amid rapidly escalating threats and technical complexity. It closes on the lesson that no data, no matter how sensitive, is completely safe—especially when handled by third parties.
For links to today’s stories and the full research referenced, visit thecyberwire.com.
