Risky Bulletin: Hackers Sabotage Iranian Ships at Sea, Again

Podcast: Risky Bulletin
Host: Claire Aird (prepared by Catalyn Kim Panu)
Date: August 25, 2025

Overview

This episode of Risky Bulletin covers major global cybersecurity incidents and trends from the past week. Key stories include renewed cyberattacks on Iranian ships, sweeping mass cybercrime arrests across Africa, high-profile data breaches, significant legal developments in international cybercrime, groundbreaking research on AI attacks, and important updates from major tech companies.

Key Discussion Points and Insights

1. Renewed Cyber Sabotage of Iranian Ships

• Incident: The hacking group "Lab Tuftengon Group" claims responsibility for a cyberattack on more than 60 Iranian ships, impacting both oil tankers (39) and cargo ships (25).
• Tactics: The attackers targeted Iranian satellite communications company FNava, accessed connected ships, and wiped their satellite terminals, crippling ship communications at sea.
• Historical Context: This is the second attack by the same group in 2025, with a larger attack on over 100 ships in March.
  • Quote (00:11):
    "A hacking group claims to have crippled the communications systems of more than 60 Iranian ships. The hack impacted 39 oil tankers and 25 cargo ships." — Claire Aird

2. Ransomware Disruption at Data IO

• Details: Memory manufacturer Data IO suffered a ransomware attack disrupting production, shipping, communications, and support operations.
• SEC Filing: No timeline for recovery was provided.
  • Quote (01:01):
    "A ransomware attack is disrupting the operations of memory maker Data IO. The incident has impacted the company's production, shipping, communications, and support operations."

3. French Supermarket Chain Loyalty Card Breach

• Victim: Ushant (Auchan), a major French supermarket chain.
• Impact: Loyalty card system was breached. All cards disabled, with instructions for customers to obtain replacements in-store.
• Recurrence: Auchan previously suffered a breach in November 2024.
  • Quote (01:14):
    "French supermarket chain Ushant has confirmed that its loyalty card system was breached...Customers have been instructed to pick up replacements in stores."

4. Extradition of Chinese Cybercrime Leader Linked to Celebrity Hacks

• Who/Where: Chinese group leader extradited from Thailand to South Korea.
• Crime: Theft of $275 million from celebrities, exploiting data from a 2023 telco hack to access bank and brokerage accounts.
• High-profile Victim: At least one member of K-pop group BTS.
  • Quote (01:31):
    "The group allegedly stole more than $275 million from celebrities after hacking a telco in 2023...A member of the K pop supergroup BTS was the most high profile victim."

5. US Sentencing in Insider IT Attack

• Perpetrator: Davis Liu, 55, Chinese national.
• Action: Left a "kill switch" in an employer's code, which triggered deletion of user profiles and locked out employees after his departure.
• Sentencing: Four years in prison, US courts.
  • Quote (01:53):
    "The code was designed to delete all user profiles and lock everyone out of the network if Liu's name was removed from the company directory."

6. Mass Cybercrime Arrests in Africa (Operation Serengeti 2.0)

• Arrests: Over 1,200 suspects across 18 countries for online scams, BEC, ransomware.
• Seizures: Authorities dismantled crypto mining ops, seized forged documents/domains, and recovered $97 million.
  • Quote (02:09):
    "More than 1,200 cybercrime suspects have been arrested...Authorities dismantled crypto mining operations, seized forged documents and domains, and recovered $97 million in stolen assets."

7. Chinese Espionage Group Targets Vietnamese Universities

• Method: Leveraged unpatched vulnerabilities, left victim data exposed in open directories.
• Attribution: Likely connected to APT Earth Lumia.
  • Quote (02:38):
    "A suspected Chinese espionage group has hacked at least 25 Vietnamese universities...The campaign leveraged unpatched vulnerabilities for initial access."

8. Pakistani APT Targets Indian Government Employees (Linux)

• Attack Vector: Spear phishing with malicious Linux .desktop shortcuts, delivers payload on execution.
• Attribution: Linked to APT36 / Transparent Tribe.
  • Quote (02:56):
    "The campaign delivers Linux.deskt short shortcuts via spear phishing emails...linked the attacks to APT36, a group also known as Transparent Tribe."

9. US Legislation: Renewal of the Cybersecurity Information Sharing Act

• Status: Set to expire in September 2025 after 10 years; reauthorization attempt next month.
• Purpose: Provides liability protections to encourage private-public threat intel sharing.
  • Quote (03:10):
    "The law provides liability protections for the private sector to share threat intel with the government."

10. US Government Takes Stake in Intel via CHIPS Act

• Deal: Converts $8.9B grant into a 10% US government stake in Intel (no board seat/decision rights).
• Controversy: Potential legal challenges and questions on efficacy to "save the company."
  • Quote (03:28):
    "The deal is likely to face legal challenges, and some experts believe it won't be enough to save the company."

11. Clickjacking Vulnerabilities in Password Managers

• Discovery: Multiple password managers exposed, allowing attackers on malicious sites to overlay fake UI for stealing data.
• Affected: 11 password managers vulnerable; fixes pending for 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, LogMeOnce.
  • Quote (03:53):
    "11 password managers were vulnerable. The flaw has been fixed by five of them so far."

12. Novel AI Jailbreak Through Image Downscaling

• Technique: Malicious prompts hidden in high-res images only appear after downscaling; effective against AI models (e.g., Google Assistant/Gemini).
  • Quote (04:09):
    "Researchers have successfully hidden malicious prompts inside high resolution images that only appear after downscaling for AI processing."

13. Microsoft Defender Deception Feature Retired

• Action: The decoy-generating "Deception" feature will be removed in October 2025.
  • Quote (04:23):
    "Microsoft is retiring the Deception feature of its Defender security platform. It will be disabled for all customers at the end of October."

14. Email Restrictions for New Microsoft 365 Tenants

• Changes: New tenants limited to 100 external recipients/day, aimed at combating spam from newly created accounts.
  • Quote (04:37):
    "Microsoft introduced the limit to combat spamming...The limit does not apply if customers add their own domain to their accounts."

Notable Quotes & Memorable Moments

• On satellite hacks:
  "Lab Tuftengon Group says it hacked the Iranian satellite communications company FNava. From there, it connected to the ships and wiped the satellite terminals on board." (00:15)
• On celebrity hacking:
  "A member of the K-pop supergroup BTS was the most high profile victim." (01:39)
• On legal reach:
  "A Chinese national has been sentenced in the US to four years in prison for damaging his former employer's IT network." (01:43)
• On password manager risks:
  "Clicks on the fake interface actually interact with the password manager beneath it." (03:57)
• On AI security:
  "The prompts are invisible to the human eye until the image is resized." (04:13)

Important Timestamps

• 00:11 — Iranian shipping sabotage overview
• 01:01 — Data IO ransomware incident
• 01:14 — Ushant (Auchan) data breach
• 01:31 — Celebrity cyber theft and extradition
• 01:53 — US sentencing for insider attack
• 02:09 — Interpol’s African cybercrime arrests
• 02:38 — Chinese APT campaign vs. Vietnamese universities
• 02:56 — Pakistani APT's Linux targeting
• 03:10 — US Cybersecurity act reauthorization
• 03:28 — US government Intel stake
• 03:53 — Password manager clickjacking flaws
• 04:09 — Hidden prompts in AI-processed images
• 04:23 — Microsoft Defender Deception retirement
• 04:37 — Microsoft 365 external email limitations

Conclusion

This episode spotlights the growing scale and sophistication of cyberattacks—ranging from state-sponsored sabotage of shipping fleets to jailbreaking AI via images. It also illustrates the global response, with mass arrests, international extradition, and legislative action. The ongoing vulnerabilities in widely used tools like password managers and persistent threats facing major corporates and governments underscore the high stakes for all organizations in cybersecurity.

For a deeper dive, listen to the full episode or visit risky.biz for further analysis and discussion.