Risky Bulletin: China privately admits to hacking US

Risky Bulletin: China Privately Admits to Hacking US
Hosted by Claire Aird | Released on April 14, 2025

Introduction

In this episode of Risky Bulletin, host Claire Aird delves into the latest cybersecurity developments, highlighting significant breaches, geopolitical cyber tensions, and emerging threats. The episode provides an in-depth analysis of China's covert admission of hacking US infrastructure, the US's stance on international spyware agreements, and a series of other notable cyber incidents impacting various sectors globally.

China's Private Admission to Hacking US Critical Infrastructure

China has clandestinely acknowledged to American officials its involvement in hacking US critical infrastructure, marking a rare and significant admission in the realm of international cybersecurity.

• Vault Typhoon Operation:
  Detected in mid-2023, China's APT group, known as Vault Typhoon, has strategically embedded itself within the computer networks of key US infrastructures, including ports, airports, and water utilities. According to The Wall Street Journal, this admission was made during a secret December meeting between Chinese and US officials. The hackers justified their actions as a response to US support for Taiwan.

• U.S. Treasury Breach:
  In a recent attack on the U.S. Treasury, hackers employed password spraying techniques to compromise a privileged account. Bloomberg sources revealed that the account was inadvertently left enabled without multi-factor authentication during the agency's migration to Asia. Claire Aird notes, "The Office of the Comptroller of the Currency was hacked in June 2023, with the breach going undetected until CISA identified it in January this year" [07:45].

• Email Interception:
  The compromised account allowed attackers to intercept emails of over 100 employees, raising concerns about the depth and potential implications of the breach.

US to Sign Global Spyware Agreement

In a strategic move to combat the spread of commercial spyware, the US government has committed to signing the Paul Maul Process, a voluntary international agreement aimed at establishing a code of practice for companies involved in the sale of spyware and surveillance tools.

• International Participation:
  Claire highlights, "The US was noticeably absent from the list of 21 countries that signed the agreement in Paris last week, making this a pivotal decision for global cooperation against cyber surveillance" [12:30].

• Code of Practice:
  The agreement seeks to regulate the ethical standards of spyware vendors, ensuring that such tools are not misused for malicious purposes or unauthorized surveillance.

Russian Hacktivists Target Finnish Elections

In the lead-up to Finland's local elections, Russian hacktivists launched Distributed Denial of Service (DDoS) attacks targeting political party websites.

• Election Disruption Attempts:
  The attacks, occurring over the weekend, aimed to overwhelm election-related websites. However, Finland's cybersecurity agency assured that "the attacks will not affect the election as they use pen and paper" [16:50], highlighting the country's robust contingency measures.

Ransomware Attack on IKEA’s Eastern European Operations

IKEA's Eastern European branch suffered a significant ransomware attack in November 2024, resulting in a loss of 20 million euros in potential sales.

• Supply Chain Impact:
  The timing of the attack coincided with the high-demand Black Friday period, causing supply chain disruptions that persisted for four months. Claire elaborates, "Some stores experienced severe supply chain issues, underscoring the far-reaching consequences of such cyberattacks on global retail operations" [21:10].

UnitedHealth Pressures Doctors Over Loan Repayments Post-Hack

Following a ransomware incident that crippled its Change Healthcare payments service, UnitedHealth is reportedly pressuring medical practices to repay previously offered interest-free loans.

• Loan Repayment Pressure:
  According to CNBC, certain practices were instructed to repay loans amounting to hundreds of thousands of dollars within days. Claire comments, "This move has raised ethical concerns about the company's handling of the aftermath of the cyberattack" [25:00].

• Impact on Healthcare Practices:
  Many healthcare providers were forced to take loans to manage expenses due to their inability to process transactions during the system downtime.

Cybercrime Crackdowns in the Philippines and China

Philippines: Arrests for SMS Text Blasters

• Operation in Tarlac:
  Philippine authorities arrested a 28-year-old man involved in selling SMS text blasters, devices designed to send spam messages to nearby mobile devices. Sixteen devices were seized during the late March operation in Tarlac [28:20].

China: Fraud Ring Disruptions

• Detention of Suspected Members:
  Chinese authorities detained 48 individuals suspected of being part of a fraud syndicate in Puer, near the Chinese-Laos-Myanmar borders. Of these, 25 were identified as orchestrators, while the remaining claimed victim status [30:15].

Fortinet Issues Critical Firmware Update

Fortinet has urged its customers to update their Fortigate devices promptly to address a newly discovered persistence technique exploited by attackers.

• Persistence Technique Explained:
  Attackers were creating symbolic links (symlinks) connecting publicly accessible folders from the device's web dashboard to the root directory. This loophole allowed them to retrieve configuration files and regain access after initial eviction.

• Action Required:
  Claire advises, "Users must install the latest firmware to protect their devices from these sophisticated attacks" [33:40].

Chinese APT Groups Exploiting Windows Sandbox

A Chinese cyber espionage group, associated with Mirrorface and APT10, has been leveraging the Windows Sandbox virtual environment to conceal its malware operations.

• Evasion Tactics:
  By executing malware within Windows Sandbox, the group effectively bypasses detection from Windows Defender and other security solutions. This method allows the malware to remain undetected while performing malicious activities [36:00].

Malicious Chrome Extensions on Google Web Store

Security firms have identified 35 malicious Chrome extensions infiltrating the Google Web Store, utilizing broad permissions to harvest data and execute remotely retrieved code.

• Scale of the Threat:
  Discovered by Secure and 10X, these extensions amassed approximately 4 million installations despite being marked as private and unlisted. This pattern indicates their deployment as part of a larger, coordinated campaign [39:25].

Security Firms Enhance Cybercrime Monitoring

Prodaft's Strategic Account Purchases

• Underground Forum Infiltration:
  Security firm Prodaft is acquiring verified accounts on prominent underground hacking forums such as XSS Exploit, ramp4u verified, and breach forums. Their strategy includes purchasing accounts with moderator or admin access and those capable of remote code execution to gain deeper insights into cybercriminal operations [42:10].

• Objective:
  By enhancing their visibility within these forums, Prodaft aims to better understand and mitigate emerging cyber threats [44:00].

Unpatched Vulnerabilities in Kallax GigaCentre Home Internet Routers

A critical vulnerability in Kallax GigaCentre routers remains unaddressed as the manufacturer, Calix, has declared the affected devices end-of-life.

• Vulnerability Details:
  The flaw involves an unauthenticated admin command prompt on the device's carrier management port, posing significant security risks.

• Vendor Response:
  Emily Aird states, "Despite SSD Disclosure's efforts to notify Calix, the reliance on a third-party developer and the device's end-of-life status have stalled any patch deployment" [47:50].

Conclusion

This episode of Risky Bulletin underscores the intricate and escalating landscape of global cybersecurity threats. From state-sponsored hacking and ransomware attacks to vulnerabilities in widely-used hardware and deceptive software practices, the need for robust security measures and international cooperation has never been more critical. Claire Aird effectively highlights the multifaceted challenges organizations and governments face in safeguarding digital infrastructure against sophisticated adversaries.

Notable Quotes:

• "The Office of the Comptroller of the Currency was hacked in June 2023, with the breach going undetected until CISA identified it in January this year." — Claire Aird [07:45]

• "The US was noticeably absent from the list of 21 countries that signed the agreement in Paris last week, making this a pivotal decision for global cooperation against cyber surveillance." — Claire Aird [12:30]

• "The attacks will not affect the election as they use pen and paper." — Finland's Cybersecurity Agency [16:50]

• "Some stores experienced severe supply chain issues, underscoring the far-reaching consequences of such cyberattacks on global retail operations." — Claire Aird [21:10]

• "This move has raised ethical concerns about the company's handling of the aftermath of the cyberattack." — Claire Aird [25:00]

• "Users must install the latest firmware to protect their devices from these sophisticated attacks." — Claire Aird [33:40]

This summary is based on the transcript provided and aims to encapsulate the key discussions and insights from the Risky Bulletin episode hosted by Claire Aird.