Transcript
Dave Bittner (0:02)
You're listening to the CyberWire Network, powered by N2K.
Bad actors don't break in, they log in. Attackers use stolen credentials in nearly nine out of 10 data breaches. Once inside, they're after one thing: your data. Varonis' AI-powered data security platform secures your data at scale across IaaS, SaaS and hybrid cloud environments. Join thousands of organizations who trust Varonis to keep their data safe. Get a free data risk assessment at varonis.com.
Russia's flagship airline suffers a major cyber attack. US insurance giant Allianz Life confirms the compromise of personal data belonging to most of its 1.4 million customers. A women's dating safety app spills the tea. NASCAR confirms a data breach. Researchers believe the newly emerged Chaos ransomware group may be a rebrand of BlackSuit. Over 200,000 WordPress sites remain vulnerable to account takeover attacks. Lawmakers introduced legislation to stop AI price gouging and wage fixing. States band together to regulate data brokers. My Caveat co-host Ben Yelin explains the impending expiration of the Cybersecurity and Information Sharing Act. And Expel missed the mark, but nails the apology.
It's Monday, July 28th, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief.
Thanks for joining us. It is great to have you with us here today.
Russia's flagship airline, Aeroflot, suffered a major cyber attack Monday, causing over 50 flight cancellations and widespread delays, especially on key domestic routes. The airline blamed a technical failure, but pro-Ukrainian hackers Silent Crow and the Belarusian Cyber Partisans claimed responsibility. They say they destroyed Aeroflot's IT infrastructure, stole flight data and maintained network access for over a year. Disruptions also hit subsidiaries, and Aeroflot's stock dropped nearly 4%. At Moscow's Sheremetyevo Airport, stranded passengers were given food and asked to leave terminals to reduce crowding.
The Kremlin confirmed the breach and prosecutors have opened a case. This is among the most publicly acknowledged cyberattacks in Russia, adding to recent cyber and drone strikes linked to Ukraine's war effort.
US insurance giant Allianz Life has confirmed a mid-July cyberattack that compromised personal data belonging to most of its 1.4 million customers, financial professionals and some employees. Hackers accessed a third-party, cloud-based CRM system using social engineering, the company said in a filing with Maine's Attorney General. While Allianz Life didn't share how many individuals were affected, it acknowledged the breach impacted the majority of its US stakeholders. The company notified the FBI and said there's no evidence other systems were compromised. It declined to name the attackers or confirm if a ransom demand was received. This breach is part of a broader wave of cyber attacks hitting the insurance sector. Google researchers recently linked several incidents to Scattered Spider, the hacker group known for exploiting help desk vulnerabilities.
The women's dating safety app Tea, which recently topped the App Store, confirmed a data breach that exposed personal data and selfies of thousands of users. The breach stemmed from an unsecured Firebase database, allowing 4chan users to access and post photos, including driver's licenses and ID selfies. Tea says the exposed data, dating back two years, included 72,000 images, 13,000 of which were user-submitted for verification. The company acknowledged some direct messages were also compromised. The data was originally retained to comply with anti-cyberbullying laws. Tea claims the issue is now contained, with no evidence current user data is affected. Security experts have been brought in to investigate. The breach highlights ongoing concerns over data privacy and platform security in apps targeting vulnerable user groups.
NASCAR is notifying individuals that their personal data, including names and Social Security numbers, was stolen in a cyber attack discovered on April 3rd of this year. Hackers had access to its network from March 31 through April 3. NASCAR launched an investigation, informed law enforcement and is offering up to two years of free credit monitoring while the number of affected individuals remains undisclosed. The Medusa ransomware group claims it stole 1 terabyte of data and demanded $4 million. NASCAR hasn't confirmed this claim.
Cisco Talos believes the newly emerged Chaos ransomware group may be a rebrand of BlackSuit, itself a successor to Royal ransomware. Talos cites similar encryption techniques, ransom note structure and use of built-in system tools in both Chaos and BlackSuit attacks. Just as Talos released its analysis, law enforcement seized BlackSuit's Tor-based leak site as part of Operation Checkmate, a global effort involving the US, UK, Germany and others. BlackSuit had listed around 200 victims by July of this year and had extorted over $500 million since 2023. The gang targeted sectors like healthcare, education, IT and government, encrypting Windows and Linux systems and leveraging stolen data for extortion. Royal ransomware, which BlackSuit succeeded, had hit more than 350 organizations by late 2023.
Over 200,000 WordPress websites remain vulnerable due to an unpatched version of the Post plugin, exposing them to account takeover attacks. The flaw affects versions up to 3.2.0 and stems from weak access controls in the plugin's REST API, allowing low-level users to access email logs. Hackers could exploit this to reset and hijack administrator accounts. A fix was issued in the latest version on June 11, but less than half of users have updated, leaving many sites at risk.
Representatives Greg Casar and Rashida Tlaib, both Democrats, have introduced the Stop AI Price Gouging and Wage Fixing Act, aimed to ban corporations from using AI surveillance to set prices or wages based on personal data. The bill follows Delta Air Lines' rollout of AI-driven dynamic pricing affecting 3% of fares, with plans to scale up. Critics argue such practices exploit private consumer data to charge more or lower pay, often without transparency. The Federal Trade Commission has reported that surveillance pricing is already happening, with companies using data like device type, location and shopping history to adjust prices. The bill would empower the FTC, states and private citizens to act against these tactics. However, with Republican control of Congress, the legislation faces slim odds of passing despite growing public concern over AI-driven price manipulation.
Vermont State Representative Monique Priestley is leading a multi-state initiative to regulate data brokers following the fatal June shooting of a Minnesota lawmaker and her husband. The suspected gunman reportedly had a list of data broker sites. Priestley, a longtime advocate for data privacy, convened a virtual meeting with lawmakers from over 25 states, where 15 expressed immediate interest in legislation. The group discussed three main creating data broker registries, enabling mass deletion of personal data like California's Delete Act and offering protections for public officials modeled after New Jersey's Daniel's Law. Lawmakers shared personal safety concerns and were alarmed by how easily personal information can be bought online. Despite industry lobbying and skepticism about whether it's too late, Priestley says the momentum is real. Her working group will continue sharing resources and drafting coordinated state-level legislation to improve data transparency and protect individuals from unchecked data brokerage practices.
Coming up after the break, Ben Yelin explains the impending expiration of the Cybersecurity and Information Sharing Act, and Expel missed the mark but nails the apology. Stick around.
Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A.com/cyber.
Hey everybody, Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything.
It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now our listeners get a special deal: 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
And it is always my pleasure to welcome back to the show Ben Yelin. He is from the University of Maryland Center for Cyber Health and Hazard Strategies. Ben, welcome back.
