CyberWire Daily: "Kimsuky Gets Kim-Sunk" – August 12, 2025

N2K Networks’ CyberWire Daily delivers the latest in cybersecurity news and expert analysis. In this episode titled "Kimsuky Gets Kim-Sunk," host Dave Buettner covers a range of critical cybersecurity incidents, including data breaches, ransomware attacks, and vulnerabilities in emerging technologies. The episode also features an insightful interview with Sean Dube, Principal Technologist at Sempras, discussing the evolving landscape of ransomware.

1. Kimsuky Data Leak

Timestamp: [02:00]

Two hackers, known as Saber and Cyborg, publicly leaked 8.9 gigabytes of backend data from the North Korean state-sponsored hacking group Kimsuky. This leak, hosted on the Distributed Denial of Secrets platform, revealed crucial information including:

• Infrastructure Details: Phishing tools, malware, source code, and operational logs.
• Targeted Phishing Kits: Specifically aimed at South Korean government websites.
• Technical Artifacts: Cobalt Strike loaders, reverse shells, SSH logs, private certificates, and VPN purchase links.

Impact:

• Operational Disruption: Potential hindrance to Kimsuky’s espionage activities against South Korea and other global entities.
• Intelligence Value: Provides cybersecurity analysts with actionable data to bolster defenses and craft targeted countermeasures.

Expert Insight: "While the exposure may hinder ongoing operations, experts note long-term impact is uncertain," notes Buettner.

2. Ransomware Attack on Dutch Clinical Diagnostics Lab

Timestamp: [03:00]

The Dutch National Molecular Diagnostics Laboratories (NMDL) suffered a ransomware attack compromising personal and medical data of approximately 485,000 women involved in the national Cervical Cancer Screening Program. Key points include:

• Data Compromised: Names, addresses, medical test results, and historical records, some already available on the Dark Web.
• Response Delay: The lab took nearly five weeks to report the breach, exceeding the EU’s 72-hour notification requirement.
• Operational Impact: Population Screening Netherlands severed ties with NMDL, relocating testing to maintain program continuity.

3. Data Breach at Manpower

Timestamp: [05:00]

ManpowerGroup, one of the world’s largest staffing firms, is notifying over 144,000 individuals about a significant data breach that occurred between December 29, 2024, and January 12, 2025. Highlights include:

• Data Stolen: 500 gigabytes encompassing sensitive personal, corporate, and financial records, including passport scans and Social Security numbers.
• Ransom Hub’s Involvement: The ransomware group Ransom Hub claimed responsibility, later removing some data from their leak site, indicating possible ransom payments.
• Response Measures: ManpowerGroup has enhanced IT security, is collaborating with the FBI, and is offering free credit monitoring through Equifax.

Notable Quote: "Manpower says they've strengthened IT security, that they're working with the FBI and that they're offering free credit monitoring through Equifax." [05:45]

4. Interlock Ransomware Gang Attacks St. Paul, Minnesota

Timestamp: [06:30]

St. Paul confirmed that the Interlock ransomware gang was responsible for a cyber attack in July 2025, which disrupted city systems. Key details:

• Impact: City operations faced delays in online payments and services, although emergency services remained unaffected.
• Ransom Demand: Interlock claims to have stolen 66,000 files, leaking some online despite the city’s refusal to pay.
• Gang Profile: Active since 2024, Interlock focuses on global organizations, particularly in the healthcare sector, with prior breaches at DaVita and Kettering Health.

5. GPT-5 Jailbreak Reveals Security Flaws

Timestamp: [07:30]

Just 24 hours after the launch of OpenAI’s GPT-5, researchers at Tenable successfully bypassed its new Safe Completions safety system. The jailbreak involved:

• Methodology: A four-step crescendo approach where Tenable posed as a history student to gradually elicit harmful instructions.
• Outcome: Obtained detailed instructions for creating a Molotov cocktail.
• Concerns: Highlights significant security vulnerabilities in GPT-5, with other researchers also reporting similar issues.

Notable Quote: "Using a four step crescendo approach, Tenable posed as a history student, gradually steering the model toward providing dangerous instructions." [08:30]

OpenAI’s Response: The company is actively working on fixes but warns of potential risks if the model is used without adequate safeguards.

6. Pennsylvania Attorney General’s Office Cyber Incident

Timestamp: [08:00]

A severe cyber incident has rendered the Pennsylvania Attorney General’s office entirely offline, affecting:

• Systems Impacted: Website, email, and phone systems are non-operational.
• Current Status: Staff are limited to coordinating internally to minimize disruptions; the nature of the attack and data exposure details remain undisclosed.
• Response: Collaboration with law enforcement is underway to investigate and restore full functionality.

7. Financial Risk from Operational Technology (OT) Cyber Incidents

Timestamp: [09:00]

Dragos, in partnership with Marsh McLennan’s Cyber Risk Intelligence Center, released the 2025 OT Security Financial Risk Report. Key findings include:

• Global Exposure: Potential OT cyber risk exposure could reach $329.5 billion in extreme but plausible scenarios.
• Business Interruption: Accounts for up to 70% of the total financial impact.
• Top Risk Mitigation Controls:
  1. Incident Response Planning
  2. Defensible Architecture
  3. ICS Network Visibility and Monitoring

Expert Insight: The report offers a data-informed framework for executives and insurers to prioritize risk mitigation and justify investments in OT security.

8. Finnish Prosecutors Charge Russian Captain Over Subsea Cables Damage

Timestamp: [10:30]

Finnish authorities have charged the captain and two senior officers of the Russian-linked tanker Eagle S with aggravated criminal mischief and interference with communications. Details include:

• Incident: The ship allegedly dragged its anchor for 90 kilometers, damaging five critical subsea cables in the Baltic Sea.
• Financial Impact: Estimated repair costs exceed 60 million euros.
• Security Implications: Compromises Finland’s energy and telecom infrastructure.
• NATO’s Stance: Warns of increased sabotage threats in the Baltic region.
• Defense: The suspects deny the charges, citing jurisdictional issues.

9. Industry Voices: Sean Dube on the Global State of Ransomware

Timestamp: [12:00]

In the Industry Voices segment, Sean Dube, Principal Technologist at Sempras, discusses insights from the latest ransomware trends:

• Ransomware Success Rate: Despite a reported slight decrease, Dube emphasizes that it's "almost statistically insignificant" and cautions against complacency.

  Notable Quote: "It's human nature to say, yay, we're winning and we're doing a good job. But the reality is that easing off the throttle based on a modest trend in the direction you want to see, it's a mistake." [12:27]

• AI-Driven Attacks: AI tools are making ransomware attacks more sophisticated and easier to execute, lowering the barrier for threat actors.

  Notable Quote: "The tools, for example, AI, they're making attacks both easier and they're making them more sophisticated." [13:38]

• Focus on Identity Systems: Identity remains the central target for attackers, with systems like Microsoft Identity and Active Directory being particularly vulnerable.

  Notable Quote: "Identity isn't a security problem. Identity is the security problem." – Jen Easterly [15:47]

• Resilience Over Ransom Payments: Emphasizes the importance of building resilience to reduce the likelihood of paying ransoms.

  Notable Quote: "The more resilient you are, the less likely you are to pay a ransom to get your service back." [20:50]

• Recommendations:

  • Strengthen fundamental security principles.
  • Minimize attack surfaces, particularly in identity infrastructure.
  • Invest in incident response planning and defensible architectures.

10. DEF CON Report: Smart Buses Vulnerabilities

Timestamp: [24:00]

At DEF CON 2025, researchers Qao Lin Yu and Kai Xing Wang exposed critical vulnerabilities in Taiwan’s smart buses:

• Vulnerability Points:

  • Network Segmentation: Lack thereof allowed access from passenger Wi-Fi to driver assistance and transport management systems.
  • Default Passwords: Usage of easily guessable passwords like "password123".
  • Technical Flaws: Command injections, MQTT backdoors, and lack of encryption.

• Potential Exploits:

  • Surveillance: Tracking buses and spying via onboard cameras.
  • Data Falsification: Manipulating GPS data or dispatching false service outage signals.

Impact: These vulnerabilities could affect smart bus systems globally, posing significant risks to transportation infrastructure.

Researcher Observation: "The vulnerabilities Yu noted may not be confined to Taiwan. Bad news for any smart bus with global ambitions." [25:15]

Conclusion

This episode of CyberWire Daily underscores the persistent and evolving threats in the cybersecurity landscape. From state-sponsored attacks and ransomware incidents to vulnerabilities in AI and smart transportation systems, the need for robust security measures and resilient infrastructures is more critical than ever. Expert insights from Sean Dube highlight the importance of focusing on identity protection and foundational security principles to mitigate these threats effectively.

Stay informed and proactive in safeguarding your organization's digital assets by following the latest developments and best practices in cybersecurity.

For more detailed coverage of today’s stories, visit CyberWire Daily Briefing.

Produced by Alice Carruth, Liz Stokes, and the CyberWire team. Special thanks to guest Sean Dube and researchers Qao Lin Yu and Kai Xing Wang for their contributions.