Summary6 min read

Risky Bulletin: Hackers Sabotage Iranian Ships at Sea, Again

Podcast: Risky Bulletin
Host: Claire Aird (prepared by Catalyn Kim Panu)
Date: August 25, 2025

Overview

This episode of Risky Bulletin covers major global cybersecurity incidents and trends from the past week. Key stories include renewed cyberattacks on Iranian ships, sweeping mass cybercrime arrests across Africa, high-profile data breaches, significant legal developments in international cybercrime, groundbreaking research on AI attacks, and important updates from major tech companies.

Key Discussion Points and Insights

1. Renewed Cyber Sabotage of Iranian Ships

Incident: The hacking group "Lab Tuftengon Group" claims responsibility for a cyberattack on more than 60 Iranian ships, impacting both oil tankers (39) and cargo ships (25).
Tactics: The attackers targeted Iranian satellite communications company FNava, accessed connected ships, and wiped their satellite terminals, crippling ship communications at sea.
Historical Context: This is the second attack by the same group in 2025, with a larger attack on over 100 ships in March.
- Quote (00:11):
  "A hacking group claims to have crippled the communications systems of more than 60 Iranian ships. The hack impacted 39 oil tankers and 25 cargo ships." — Claire Aird

2. Ransomware Disruption at Data IO

Details: Memory manufacturer Data IO suffered a ransomware attack disrupting production, shipping, communications, and support operations.
SEC Filing: No timeline for recovery was provided.
- Quote (01:01):
  "A ransomware attack is disrupting the operations of memory maker Data IO. The incident has impacted the company's production, shipping, communications, and support operations."

3. French Supermarket Chain Loyalty Card Breach

Victim: Ushant (Auchan), a major French supermarket chain.
Impact: Loyalty card system was breached. All cards disabled, with instructions for customers to obtain replacements in-store.
Recurrence: Auchan previously suffered a breach in November 2024.
- Quote (01:14):
  "French supermarket chain Ushant has confirmed that its loyalty card system was breached...Customers have been instructed to pick up replacements in stores."

4. Extradition of Chinese Cybercrime Leader Linked to Celebrity Hacks

Who/Where: Chinese group leader extradited from Thailand to South Korea.
Crime: Theft of $275 million from celebrities, exploiting data from a 2023 telco hack to access bank and brokerage accounts.
High-profile Victim: At least one member of K-pop group BTS.
- Quote (01:31):
  "The group allegedly stole more than $275 million from celebrities after hacking a telco in 2023...A member of the K pop supergroup BTS was the most high profile victim."

5. US Sentencing in Insider IT Attack

Perpetrator: Davis Liu, 55, Chinese national.
Action: Left a "kill switch" in an employer's code, which triggered deletion of user profiles and locked out employees after his departure.
Sentencing: Four years in prison, US courts.
- Quote (01:53):
  "The code was designed to delete all user profiles and lock everyone out of the network if Liu's name was removed from the company directory."

6. Mass Cybercrime Arrests in Africa (Operation Serengeti 2.0)

Arrests: Over 1,200 suspects across 18 countries for online scams, BEC, ransomware.
Seizures: Authorities dismantled crypto mining ops, seized forged documents/domains, and recovered $97 million.
- Quote (02:09):
  "More than 1,200 cybercrime suspects have been arrested...Authorities dismantled crypto mining operations, seized forged documents and domains, and recovered $97 million in stolen assets."

7. Chinese Espionage Group Targets Vietnamese Universities

Method: Leveraged unpatched vulnerabilities, left victim data exposed in open directories.
Attribution: Likely connected to APT Earth Lumia.
- Quote (02:38):
  "A suspected Chinese espionage group has hacked at least 25 Vietnamese universities...The campaign leveraged unpatched vulnerabilities for initial access."

8. Pakistani APT Targets Indian Government Employees (Linux)

Attack Vector: Spear phishing with malicious Linux .desktop shortcuts, delivers payload on execution.
Attribution: Linked to APT36 / Transparent Tribe.
- Quote (02:56):
  "The campaign delivers Linux.deskt short shortcuts via spear phishing emails...linked the attacks to APT36, a group also known as Transparent Tribe."

9. US Legislation: Renewal of the Cybersecurity Information Sharing Act

Status: Set to expire in September 2025 after 10 years; reauthorization attempt next month.
Purpose: Provides liability protections to encourage private-public threat intel sharing.
- Quote (03:10):
  "The law provides liability protections for the private sector to share threat intel with the government."

10. US Government Takes Stake in Intel via CHIPS Act

Deal: Converts $8.9B grant into a 10% US government stake in Intel (no board seat/decision rights).
Controversy: Potential legal challenges and questions on efficacy to "save the company."
- Quote (03:28):
  "The deal is likely to face legal challenges, and some experts believe it won't be enough to save the company."

11. Clickjacking Vulnerabilities in Password Managers

Discovery: Multiple password managers exposed, allowing attackers on malicious sites to overlay fake UI for stealing data.
Affected: 11 password managers vulnerable; fixes pending for 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, LogMeOnce.
- Quote (03:53):
  "11 password managers were vulnerable. The flaw has been fixed by five of them so far."

12. Novel AI Jailbreak Through Image Downscaling

Technique: Malicious prompts hidden in high-res images only appear after downscaling; effective against AI models (e.g., Google Assistant/Gemini).
- Quote (04:09):
  "Researchers have successfully hidden malicious prompts inside high resolution images that only appear after downscaling for AI processing."

13. Microsoft Defender Deception Feature Retired

Action: The decoy-generating "Deception" feature will be removed in October 2025.
- Quote (04:23):
  "Microsoft is retiring the Deception feature of its Defender security platform. It will be disabled for all customers at the end of October."

14. Email Restrictions for New Microsoft 365 Tenants

Changes: New tenants limited to 100 external recipients/day, aimed at combating spam from newly created accounts.
- Quote (04:37):
  "Microsoft introduced the limit to combat spamming...The limit does not apply if customers add their own domain to their accounts."

Notable Quotes & Memorable Moments

On satellite hacks:
"Lab Tuftengon Group says it hacked the Iranian satellite communications company FNava. From there, it connected to the ships and wiped the satellite terminals on board." (00:15)
On celebrity hacking:
"A member of the K-pop supergroup BTS was the most high profile victim." (01:39)
On legal reach:
"A Chinese national has been sentenced in the US to four years in prison for damaging his former employer's IT network." (01:43)
On password manager risks:
"Clicks on the fake interface actually interact with the password manager beneath it." (03:57)
On AI security:
"The prompts are invisible to the human eye until the image is resized." (04:13)

Important Timestamps

00:11 — Iranian shipping sabotage overview
01:01 — Data IO ransomware incident
01:14 — Ushant (Auchan) data breach
01:31 — Celebrity cyber theft and extradition
01:53 — US sentencing for insider attack
02:09 — Interpol’s African cybercrime arrests
02:38 — Chinese APT campaign vs. Vietnamese universities
02:56 — Pakistani APT's Linux targeting
03:10 — US Cybersecurity act reauthorization
03:28 — US government Intel stake
03:53 — Password manager clickjacking flaws
04:09 — Hidden prompts in AI-processed images
04:23 — Microsoft Defender Deception retirement
04:37 — Microsoft 365 external email limitations

Conclusion

This episode spotlights the growing scale and sophistication of cyberattacks—ranging from state-sponsored sabotage of shipping fleets to jailbreaking AI via images. It also illustrates the global response, with mass arrests, international extradition, and legislative action. The ongoing vulnerabilities in widely used tools like password managers and persistent threats facing major corporates and governments underscore the high stakes for all organizations in cybersecurity.

For a deeper dive, listen to the full episode or visit risky.biz for further analysis and discussion.

Loading summary

Transcript1 lines

[00:04]
A
Hackers sabotage Iranian ships for a second time this year. Mass cybercrime arrests across Africa. South Korea extradites a Chinese man behind celebrity hacks and a French supermarket chain discloses a data breach. This is the risky bulletin prepared by Catalyn Kim Panu and read by me, Claire aird. Today is the 25th of August and this podcast episode is brought to you by Octa. A hacking group claims to have crippled the communications systems of more than 60 Iranian ships. The hack impacted 39 oil tankers and 25 cargo ships. The lab, Tuftengon Group, says it hacked the Iranian satellite communications company fnava. From there, it connected to the ships and wiped the satellite terminals on board. The same group carried out a similar attack on more than 100 Iranian ships in March. A ransomware attack is disrupting the operations of memory maker Data IO. The incident has impacted the company's production, shipping, communications and support operations. In an SEC filing last week, Data IO did not provide a timeline for recovery. French supermarket chain Ushant has confirmed that its loyalty card system was breached. The company has disabled all cards and customers have been instructed to pick up replacements in stores. Store Ushan suffered a separate security breach in November last year. The leader of a Chinese hacking group has been extradited from Thailand to South Korea. The group allegedly stole more than $275 million from celebrities after hacking a telco in 2023. They used the data obtained in the hack to access banking and brokerage accounts. A member of the K pop supergroup BTS was the most high profile victim. A Chinese national has been sentenced in the US to four years in prison for damaging his former employer's IT network. 55 year old Davis Liu left a kill switch in code he wrote while employed by the victim. The code was designed to delete all user profiles and lock everyone out of the network if Liu's name was removed from the company directory. The code was triggered in September 2019, a month after he wrote it. More than 1,200 cybercrime suspects have been arrested across 18 African countries. The individuals are accused of being involved in online scams, BEC and ransomware attacks. Authorities dismantled crypto mining operations, seized forged documents and domains, and recovered $97 million in stolen assets. The arrests were part of the joint Interpol led Operation Serengeti 2.0. A suspected Chinese espionage group has hacked at least 25 Vietnamese universities and education institutions. The campaign leveraged unpatched vulnerabilities for initial access. The hacks were discovered when the attacker left victim data in an open directory, according to researchers. The campaign may be linked to a Chinese APT known asearth Lumia. A suspected Pakistani APT group is targeting Indian government employees who use Linux workstations. The campaign delivers Linux.deskt short shortcuts via spear phishing emails. Once opened, the shortcut files download and execute malicious payloads. Security firms Cloudsec and Cipherma have linked the attacks to APT36, a group also known as Transparent Tribe. The House Homeland Security Committee will attempt to reauthorise the Cybersecurity Information Sharing act next month. The law provides liability protections for the private sector to share threat intel with the government. It was adopted for 10 years in 2015 and will expire at the end of September unless reauthorised by Congress. The US government will acquire a 10% stake in American chipmaker Intel. The investment converts an $8.9 billion grant awarded in 2024 through the US Chips act into a payment for common intel stock. Intel said the US Government won't have a seat on the board or play any role in making business decisions. The deal is likely to face legal challenges, and some experts believe it won't be enough to save the company. Multiple password managers are vulnerable to a clickjacking attack that can steal user data. The attack relies on luring users to malicious sites where the attackers can overlay their own UI over password managers. Clicks on the fake interface actually interact with the password manager beneath it. 11 password managers were vulnerable. The flaw has been fixed by five of them so far. Fixes have not yet been implemented for 1Password bitwarden, enpass, icloud passwords, lastpass and logmeonce. Researchers have successfully hidden malicious prompts inside high resolution images that only appear after downscaling for AI processing. The prompts are invisible to the human eye until the image is resized. Trailer bits Researchers demonstrated the attack against various AI agents, including Google Assistant and Google Gemini. Microsoft is retiring the Deception feature of its Defender security platform. It will be disabled for all customers at the end of October. The Deception feature generated and monitored decoy accounts, hosts and lures. It worked like a canary and raised security alerts when attackers interacted with the decoys. And finally, new Microsoft 365 tenants won't be able to send emails to more than 100 external recipients per day. Microsoft introduced the limit to combat spending Spamming threat actors have been creating Microsoft 365 accounts to send spam from the default on Microsoft.com domain. The limit does not apply if customers add their own domain to their accounts and that is all for this podcast edition. Today's show is brought to you by our sponsor, Octa. Find them@okta.com thanks for your company.