Claire Aird
France says Russia's influence operations are achieving results, CrowdStrike lays off 5% of its staff, a hacker dumps LockBit's ransomware database, and a ransomware attack slows production at a major US medical device maker. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 9th of May, and this podcast episode is brought to you by Stairwell.

In today's top story, Russian influence operations are a significant threat to French and European public debate, according to a report from the French disinformation agency Viginum. The report highlighted one group, Storm-1516, that's been active since 2023 and interfered in elections in France, Germany and the US. The group has links to Russia's GRU military intelligence service, the late Yevgeny Prigozhin's troll farms, and Russian philosopher Alexander Dugin.

In other news, three U.S. government departments have reportedly told employees to stop using TeleMessage. Sources that spoke to Bloomberg asked that the specific departments not be named. TeleMessage allows organisations to log Signal and WhatsApp conversations. Two separate hackers breached the app last week after Mike Waltz was photographed using TeleMessage in a White House cabinet meeting.

Irish officials want EU lawmakers to force tech firms to check the legitimacy of financial advertisers. According to the Financial Times, Ireland wants to counter the trend of fraudulent ads posted on social media. EU lawmakers are also planning to require payment services to automatically reimburse fraud victims.

The Assistant Director of the FBI's Cyber Division, Brian Vorndran, is retiring. According to The Record, he was central to the FBI's efforts to disrupt and seize cybercrime infrastructure. He is also the co-chair of the Joint Ransomware Task Force.

Four people have been arrested in Poland, suspected of running DDoS-for-hire services. The arrests came as part of a joint American and European operation. The group allegedly ran six separate DDoS services that allowed people to launch attacks for as little as €10. Dutch authorities also ran fake DDoS sites to deter potential customers.

A Canadian pharmacist has been named in news reports as the administrator of a notorious deepfake service. David Doe allegedly ran Mr. Deepfakes. Known for creating explicit deepfake celebrity content, Mr. Deepfakes shut down in early May after Doe was contacted by reporters.

Hackers are extorting schools using data stolen from an education software maker, PowerSchool. The company says school districts within Canada and the U.S. have received ransom demands. The attackers are providing samples of data stolen from the platform, despite PowerSchool paying a ransom to have it deleted last year.

A ransomware attack is disrupting the manufacturing facilities of medical device maker Masimo. The company says the late April attack is still impacting its ability to fulfil orders. Masimo is among the biggest medical device makers in the world.

The LockBit ransomware gang has been hacked and its backend database was dumped. The leaked data contains the group's Bitcoin addresses, user details and chat logs with victims. The hack targeted version 4 of the LockBit ransomware portal, which launched in late 2024 after the previous version was seized by law enforcement. The attacker left a message on LockBit's site that mimicked one left during a similar attack on the Everest ransomware gang last month.

Three new vulnerabilities have been identified in SonicWall's SMA SSL VPN. Rapid7 identified the three zero-days that combine to compromise systems and elevate privilege. It confirmed that at least one of them is being used in the wild. SonicWall has yet to confirm the attacks, but has released security updates.

A threat actor has attacked Microsoft Entra environments that did not disable legacy authentication protocols. The brute-force attacks targeted Entra customers still using traditional basic authentication for older email apps and devices. Security firm Guardz says the attacks began in March and were geographically distributed to avoid detection.

The rand-user-agent JavaScript library has been modified to include a remote access trojan. Security firm Aikido says the package gets over 45,000 weekly downloads, despite its developer considering it abandoned.

The Inferno Drainer cryptocurrency phishing operation continues to operate despite announcing it was shutting down in 2023. Security firm Check Point found evidence that its smart contracts and wallet-draining scripts are still in use. Check Point has identified more than 30,000 crypto wallets that have been drained of more than $9 million in crypto assets in the last six months.

A Russian hacking group has launched DDoS attacks against UK local government websites. The group, NoName057, began the attacks earlier this week. The group switched to attacking the UK after previous campaigns targeted the Netherlands and Romania.

And finally, security firm CrowdStrike will lay off about 500 workers. CEO George Kurtz said AI productivity gains were a factor in the layoffs, but they'll continue to hire throughout the year. The affected staff will represent about 5% of the company's 10,000-strong workforce.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Stairwell. Find them at stairwell.com. Thanks for your company.
Risky Bulletin: France Says Russia's Influence Operations Are Achieving Results
Release Date: May 9, 2025
Host: Claire Aird
Prepared by: Catalin Cimpanu
Overview:
France and other European nations are increasingly exposed to Russian disinformation campaigns. The French disinformation agency Viginum released a report identifying sustained Russian influence operations affecting public discourse and electoral processes.
Notable Quote:
"Russian influence operations are achieving results," – Claire Aird [00:04]
Overview:
Three unnamed U.S. government departments have instructed employees to discontinue using TeleMessage, a messaging platform that logs Signal and WhatsApp conversations.
Notable Quote:
"TeleMessage allows organisations to log Signal and WhatsApp conversations," – Claire Aird [00:04]
Overview:
Irish officials are pushing for the European Union to enforce stricter checks on the legitimacy of financial advertisers to combat fraudulent advertisements on social media platforms.
Notable Quote:
"Ireland wants to counter the trend of fraudulent ads posted on social media," – Claire Aird [00:04]
Overview:
Brian Vorndran, the Assistant Director of the FBI's Cyber Division and co-chair of the Joint Ransomware Task Force, is retiring.
Notable Quote:
"He was central to the FBI's efforts to disrupt and seize cybercrime infrastructure," – Claire Aird [00:04]
Overview:
A joint American and European operation led to the arrest of four individuals in Poland suspected of running DDoS-for-hire services.
Notable Quote:
"The group allegedly ran six separate DDoS services," – Claire Aird [00:04]
Overview:
David Doe, a Canadian pharmacist, has been identified as the administrator behind "Mr. Deepfakes," a service known for creating explicit deepfake content featuring celebrities.
Notable Quote:
"David Doe allegedly ran Mr. Deepfakes," – Claire Aird [00:04]
Overview:
School districts in Canada and the U.S. are receiving extortion demands based on data stolen from the education software provider PowerSchool.
Notable Quote:
"Hackers are extorting schools using data stolen from an education software maker, PowerSchool," – Claire Aird [00:04]
Overview:
Medical device giant Masimo is experiencing ongoing disruptions in its manufacturing facilities due to a ransomware attack that occurred in late April.
Notable Quote:
"A ransomware attack is disrupting the manufacturing facilities of medical device maker Masimo," – Claire Aird [00:04]
Overview:
The LockBit ransomware group's backend database has been compromised and publicly dumped, revealing sensitive information.
Notable Quote:
"The leaked data contains the group's Bitcoin addresses, user details and chat logs with victims," – Claire Aird [00:04]
Overview:
Three zero-day vulnerabilities have been discovered in SonicWall's SMA SSL VPN; chained together they allow system compromise and privilege escalation, and at least one is reported to be exploited in the wild.
Notable Quote:
"Rapid7 identified the three zero-days that combine to compromise systems and elevate privilege," – Claire Aird [00:04]
Overview:
Threat actors are conducting brute-force attacks against Microsoft Entra environments that have not disabled legacy authentication protocols.
Notable Quote:
"The brute-force attacks targeted Entra customers still using traditional basic authentication," – Claire Aird [00:04]
Overview:
The rand-user-agent JavaScript library has been modified to include a remote access trojan (RAT), exposing the package's large download base.
Notable Quote:
"The package gets over 45,000 weekly downloads, despite its developer considering it abandoned," – Claire Aird [00:04]
Overview:
The Inferno Drainer cryptocurrency phishing operation remains active despite a 2023 announcement of its shutdown, continuing to drain crypto wallets.
Notable Quote:
"The Inferno Drainer cryptocurrency phishing operation continues to operate despite announcing it was shutting down in 2023," – Claire Aird [00:04]
Overview:
A Russian hacking group, identified as NoName057, has commenced DDoS attacks against local government websites in the United Kingdom.
Notable Quote:
"A Russian hacking group has launched DDoS attacks against UK local government websites," – Claire Aird [00:04]
Overview:
Cybersecurity firm CrowdStrike has announced layoffs affecting approximately 500 employees, representing 5% of its workforce. The CEO attributes the reduction to AI-driven productivity gains, emphasizing continued hiring efforts elsewhere.
Notable Quote:
"AI productivity gains were a factor in the layoffs," – Claire Aird [00:04]
Conclusion:
This episode of Risky Bulletin underscores the multifaceted nature of contemporary cybersecurity threats, ranging from geopolitical influence operations to sophisticated ransomware attacks and vulnerabilities in widely-used software. The insights highlight the ongoing challenges faced by governments, corporations, and individuals in safeguarding digital environments against persistent and evolving threats.
Note: This summary excludes advertisements, introductions, and outros to focus solely on the core content discussed in the podcast episode.