
Hackers fully open a valve at a Norwegian dam, the US House bans WhatsApp on staff devices, Russia wants to build a national IMEI database, and four REvil members are released after time served. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 25th of June and this podcast episode is brought to you by Authentik.

Hackers have breached a Norwegian dam and fully opened a valve that controls water flow downstream. The incident occurred in April at the Risevatnet dam near the city of Svelgen. The change added 500 litres per second to the dam's outflow for four hours. The dam's operator said that more than 20,000 litres per second would have been required to cause flooding. Officials believe a weak password for the valve's web-based control panel enabled the attack.

In other news, the US House of Representatives has banned WhatsApp on staff devices. The app is classified as high risk due to the absence of on-device data encryption and a lack of transparency over how it protects user data, the House Chief Administrative Office said. Acceptable replacement apps were Microsoft Teams, Wickr, Signal, iMessage and FaceTime.

The Russian government plans to create a national database of mobile device identifiers. The database will collect IMEI codes, which are unique hardware identifiers assigned to mobile devices. The Russian Ministry of Digital Affairs says the database will be used to combat financial fraud. Banning devices by IMEI means devices are still blocked even if fraudsters change their phone numbers.

The European Commission is considering replacing Microsoft Azure with OVHcloud as the EU's official cloud provider, according to Euractiv. Talks with multiple European cloud providers, including French company OVHcloud, have been underway for several weeks. Talks accelerated this month after the Trump administration imposed sanctions on four International Criminal Court judges. The judges' Microsoft accounts were shut down, rekindling a push for the EU's digital sovereignty.

EU member states have been told to start transitioning systems to use post-quantum cryptographic standards by the end of 2027. High-risk systems, such as critical infrastructure, should be transitioned by the end of 2030. Post-quantum cryptography is a collection of encryption algorithms that can withstand attacks from quantum computers.

The Canadian and UK governments have launched a fund to support non-profit cybersecurity organisations. The Common Good Cyber Fund will be available to nonprofits that maintain core digital infrastructure such as DNS, Internet routing or free threat intelligence systems. It'll also support organisations that provide cybersecurity assistance to high-risk individuals. The fund will be managed by the Internet Society and Global Cyber Alliance and has seed funding of $5.7 million over five years.

A project that offered free security services to US critical infrastructure organisations has been shut down. The Critical Infrastructure Defence project was established in 2022 by cybersecurity firms Cloudflare, CrowdStrike and Ping Identity. The program was established after Russia's invasion of Ukraine. It was designed to help US organisations defend against possible Russian cyber attacks and sabotage. Its main beneficiaries were hospitals, water systems and power utilities.

A Russian court has sentenced four members of the REvil ransomware group to time served. They were being sentenced on carding-related charges. The four were detained during a raid in January 2022, when 14 of the group's members were arrested. Four other REvil members received sentences last October ranging from four and a half to six years in prison.

Vulnerability reports submitted to the open-source libxml2 library will now be public by default. The project's lead developer, Nick Wellnhofer, said security flaws will be patched when he has time rather than to a deadline. Wellnhofer hopes the new policy will encourage downstream users to contribute back to the project. The libxml2 library is currently used in macOS, Windows and Linux.

A threat actor has been abusing the ConnectWise installer to sign malware. The installer relies on configuration data that's not signed. This allowed the EvilConwai group to make cryptographically valid installers that launch their malware. ConnectWise rotated its signing certificate on June 13. It also promised to improve how it handles configuration data in signed installers.

A new botnet is being used by Chinese hackers to hide their attacks. SecurityScorecard discovered the LapDogs botnet and an associated custom backdoor named ShortLeash. The botnet has infected more than 1,000 devices, most of which are SOHO routers. At least one Chinese APT group has used the botnet to hide its operations.

Security firm Akamai has developed a tool that can be used to sabotage crypto-mining botnets. The XMRogue tool joins the botnet and submits bad computation to Monero mining pools. Repeated bad submissions lead to the botnet being banned from the mining pool and profits being lost.

A vulnerability has been patched in the WinRAR file archiver. The vulnerability is a path traversal bug that can allow attackers to run code on users' systems. The issue only impacts WinRAR on Windows.

And finally, an alternative to the ClickFix technique has been developed. The new FileFix technique was developed by security researcher mr.d0x. Both ClickFix and FileFix dupe users into copying and pasting commands into Windows. In ClickFix, users are pasting into the Run dialog. With FileFix, the user is pasting what they think is a file path into Windows Explorer. The attacker uses whitespace to hide PowerShell commands in the path.

And that is all for this podcast edition. Today's show was brought to you by Authentik. Find them at goauthentik.io.
Risky Bulletin: Comprehensive Summary of the June 25, 2025 Episode
Host: Claire Aird
Prepared by: Catalin Cimpanu
Release Date: June 25, 2025
The latest episode of Risky Bulletin covers a series of significant cybersecurity incidents and developments. Hosted by Claire Aird and prepared by Catalin Cimpanu, the episode reviews the threats, policy changes, and technological developments shaping the cybersecurity landscape. Below is a detailed summary, one section per story.
Timestamp: 00:04
The episode opens with an incident in which hackers manipulated a Norwegian dam's water flow controls. In April, attackers accessed the Risevatnet dam near Svelgen and fully opened a valve, increasing the outflow by 500 liters per second for four hours. Officials said that, despite the increase, the flow stayed well below the 20,000 liters per second that would have been required to cause flooding.
Quote:
"Officials believe a weak password for the valve's web-based control panel enabled the attack."
— Claire Aird, [00:04]
This breach highlights the critical vulnerabilities in industrial control systems, emphasizing the need for robust cybersecurity measures in infrastructure management.
Timestamp: 02:10
In response to growing security concerns, the US House of Representatives has prohibited the use of WhatsApp on all staff devices. The app has been classified as high risk due to the absence of on-device data encryption and a lack of transparency concerning user data protection.
Quote:
"The app is classified as high risk due to the absence of on-device data encryption and a lack of transparency over how it protects user data."
— Claire Aird, [02:10]
Alternative communication tools approved as replacements include Microsoft Teams, Wickr, Signal, iMessage, and FaceTime, ensuring secure and reliable channels for official use.
Timestamp: 03:00
The Russian government has announced plans to establish a national database of mobile device identifiers (IMEI codes). The stated aim is to combat financial fraud by letting the government ban devices by their unique hardware identifier, so a blocked device stays blocked even if the fraudster changes phone numbers.
Quote:
"The database will be used to combat financial fraud. Banning devices by IMEI means devices are still blocked even if fraudsters change their phone numbers."
— Claire Aird, [03:00]
This move underscores Russia’s focus on leveraging technology to enhance national security and reduce fraudulent activities.
Timestamp: 04:00
A significant development in the fight against ransomware gangs: a Russian court has sentenced four members of the notorious REvil ransomware group to time served on carding-related charges. These four were part of a larger raid in January 2022, which saw the arrest of 14 REvil members. Previously, four other members received sentences ranging from four and a half to six years in prison.
Quote:
"A Russian court has sentenced four members of the REvil ransomware group to time served."
— Claire Aird, [04:00]
This outcome reflects the ongoing challenges in prosecuting cybercriminals and the complexities of international law enforcement collaborations.
Timestamp: 04:30
In a move towards digital sovereignty, the European Commission is evaluating OVH Cloud as the EU's official cloud provider, potentially replacing Microsoft Azure. Discussions with several European cloud providers have intensified, particularly after the Trump administration imposed sanctions on four International Criminal Court judges, leading to the shutdown of their Microsoft accounts.
Quote:
"Talks accelerated this month after the Trump administration imposed sanctions on four International Criminal Court judges."
— Claire Aird, [04:30]
This transition aims to bolster the EU's control over its digital infrastructure and reduce dependency on non-European cloud services.
Timestamp: 04:55
The EU has mandated that member states begin transitioning their systems to post-quantum cryptographic standards by the end of 2027, with high-risk systems, such as critical infrastructure, to follow by 2030. Post-quantum cryptography encompasses encryption algorithms designed to withstand attacks from quantum computers, ensuring long-term data security.
Quote:
"EU member states have been told to start transitioning systems to use post quantum cryptographic standards by the end of 2027."
— Claire Aird, [04:55]
This initiative is part of the broader strategy to future-proof the EU's digital security against emerging technological threats.
Timestamp: 05:15
The Canadian and UK governments have introduced the Common Good Cyber Fund, a $5.7 million initiative over five years aimed at supporting nonprofit cybersecurity organizations. Eligible nonprofits include those maintaining core digital infrastructure like DNS and Internet routing, as well as organizations providing cybersecurity assistance to high-risk individuals.
Quote:
"The Common Good Cyber Fund will be available to nonprofits that maintain core digital infrastructure such as DNS, Internet routing or free threat intelligence systems."
— Claire Aird, [05:15]
Managed by the Internet Society and Global Cyber Alliance, this fund seeks to strengthen the cybersecurity posture of essential digital services and vulnerable populations.
Timestamp: 05:25
A notable setback is the shutdown of the Critical Infrastructure Defence project, established in 2022 by cybersecurity firms Cloudflare, CrowdStrike, and Ping Identity. The program was launched after Russia's invasion of Ukraine to help US critical infrastructure organizations, chiefly hospitals, water systems, and power utilities, defend against possible Russian cyberattacks and sabotage; it has now been discontinued.
Quote:
"A project that offered free security services to US critical infrastructure organisations has been shut down."
— Claire Aird, [05:25]
The termination of this project raises concerns about the vulnerability of essential services to cyber threats and the need for sustained support and resources.
Timestamp: 05:40
In a move to enhance transparency and community involvement, the libxml2 open-source project has changed its policy to make all vulnerability reports public by default. Project lead Nick Wellnhofer stated that security flaws will be patched as time permits rather than to a deadline, and he hopes the change will encourage downstream users to contribute fixes back to the project.
Quote:
"Vulnerability reports will now be public by default... hopes the new policy will encourage downstream users to contribute back to the project."
— Claire Aird, [05:40]
This shift aims to foster collaborative security practices and accelerate the remediation of vulnerabilities in widely used libraries.
Timestamp: 05:50
A threat actor has been abusing the ConnectWise installer to distribute malware. Because the installer relies on configuration data that is not covered by its signature, the group known as EvilConwai was able to produce cryptographically valid installers that launch their malware.
Quote:
"This allowed the EvilConwai group to make cryptographically valid installers that launch their malware."
— Claire Aird, [05:50]
In response, ConnectWise rotated its signing certificate on June 13 and pledged to enhance the security measures surrounding configuration data in their installers to prevent future abuse.
Timestamp: 06:00
Security firm SecurityScorecard has identified a new botnet named LapDogs, along with a custom backdoor called ShortLeash, used by Chinese hackers to conceal their operations. The botnet has compromised over 1,000 devices, primarily small office/home office (SOHO) routers, and at least one Chinese APT group has routed its operations through it.
Quote:
"At least one Chinese APT group has used the botnet to hide its operations."
— Claire Aird, [06:00]
This development underscores the evolving tactics of state-sponsored hacking groups in leveraging botnets for stealthy infiltration and operations.
Timestamp: 06:10
Akamai has introduced XMRogue, a tool designed to disrupt cryptocurrency mining botnets. The tool joins the botnet and submits bad computation results to Monero mining pools; repeated bad submissions get the botnet banned from the pool, cutting off the operators' profits.
Quote:
"The XMRogue tool joins the botnet and submits bad computation to Monero mining pools... profits being lost."
— Claire Aird, [06:10]
Akamai's proactive approach represents a significant advancement in combating illicit crypto mining operations.
Timestamp: 06:20
A vulnerability in the WinRAR file archiver has been patched. The path traversal bug could allow attackers to run code on users' systems, and it affects WinRAR on Windows only. Users should update to the patched version.
Quote:
"A vulnerability has been patched in the WinRAR file archiver... allow attackers to run code on users' systems."
— Claire Aird, [06:20]
This patch is essential for maintaining system security, especially for users handling archived files regularly.
Timestamp: 06:30
Security researcher mr.d0x has developed FileFix, an alternative to the ClickFix technique used in social engineering attacks. Both dupe users into copying and pasting commands into Windows, but where ClickFix has the user paste into the Run dialog, FileFix has the user paste what they believe is a file path into Windows Explorer. The attacker uses whitespace to hide the PowerShell command inside the purported path, so the command runs without the user realising it.
Quote:
"In ClickFix, users are pasting into the Run dialog. With FileFix, the user is pasting what they think is a file path into Windows Explorer... the attacker uses white space to hide PowerShell commands in the path."
— Claire Aird, [06:30]
This new technique highlights the continual evolution of social engineering tactics, necessitating heightened user awareness and security training.
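As an added example, not code from the podcast or from mr.d0x's research, the Python below scores process-creation telemetry for the FileFix pattern described above: a shell launched by Windows Explorer whose command line carries a long whitespace run followed by a decoy file path. The sample events, the Sysmon-style field names, the 20-character padding threshold and the scoring weights are constructed assumptions, as is the premise that a command pasted into Explorer runs with explorer.exe as its parent.

```python
import re

# Constructed Sysmon-style process-creation records (sample data, not real telemetry).
# Record 0 mimics the FileFix pattern: a shell launched by Explorer whose command line
# ends in a long whitespace run followed by a harmless-looking file path.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "Write-Output test" #' + " " * 180
                    + r"C:\company\internal\Q2-report.pdf"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'notepad.exe "C:\Users\alice\notes.txt"'},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -NoLogo"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

# Interpreters a FileFix lure can hand off to (assumed list; extend for your environment).
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
PADDING = re.compile(r"[ \t]{20,}")          # whitespace run that pushes the decoy off-screen
DECOY_PATH = re.compile(r"[A-Za-z]:\\\S")    # drive-letter path following the padding

def basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]

def filefix_score(event: dict):
    """Return (score, reasons) for one process-creation event; 3 or more means alert."""
    reasons = []
    if basename(event["ParentImage"]) != "explorer.exe" or basename(event["Image"]) not in SHELLS:
        return 0, reasons
    score = 1                                          # +1: shell under Explorer, weak on its own
    reasons.append("shell spawned by explorer.exe")
    cmd = event["CommandLine"]
    pad = PADDING.search(cmd)
    if pad:
        score += 2                                     # +2: padding is the FileFix hallmark
        reasons.append(f"{len(pad.group())}-char whitespace run in command line")
        if DECOY_PATH.search(cmd[pad.end():]):
            score += 1                                 # +1: decoy path trailing the padding
            reasons.append("file path trailing the padding")
    return score, reasons

def detect(events):
    """Indices of events scoring 3 or more, i.e. those worth an alert."""
    return [i for i, ev in enumerate(events) if filefix_score(ev)[0] >= 3]

if __name__ == "__main__":
    for i in detect(SAMPLE_EVENTS):
        print(i, filefix_score(SAMPLE_EVENTS[i])[1])
```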
The June 25, 2025 episode of Risky Bulletin presents a comprehensive overview of contemporary cybersecurity threats and strategic responses. From the alarming breach of a Norwegian dam to legislative actions like the US House's ban on WhatsApp, the episode underscores the multifaceted nature of cyber risks. Additionally, policy shifts within the EU and the launch of supportive funds by Canada and the UK highlight ongoing efforts to bolster global cybersecurity resilience. The episode also sheds light on emerging threats, such as the exploitation of legitimate installers for malware distribution and the development of sophisticated botnets by state-sponsored actors. Concluding with advancements in defensive technologies and new social engineering techniques, the bulletin emphasizes the dynamic and ever-evolving landscape of cybersecurity.
For those seeking to stay informed on the latest cybersecurity news and analyses, Risky Bulletin continues to be an invaluable resource.