Risky Bulletin: Hacktivists Claim Cyber-Sabotage of 116 Iranian Ships
Hosted by Claire Aird from Risky.biz
Release Date: March 21, 2025
1. Introduction
In the March 21, 2025 episode of Risky Bulletin, host Claire Aird delves into a series of significant cybersecurity incidents affecting global maritime operations, international espionage, and evolving cyber threats. This comprehensive summary captures the key discussions, insights, and conclusions drawn by the Risky Business team.
2. Iranian Ships Cyber Sabotage
Hacktivist Group Lab Dookhtegan Claims Attack on Iranian Merchant Ships
The episode opens with news from the maritime sector. The anti-regime hacktivist group Lab Dookhtegan has claimed responsibility for a cyber attack that disrupted communications on 116 Iranian merchant ships. The vessels, operated by the National Iranian Tanker Company and the Islamic Republic of Iran Shipping Lines, reportedly suffered severe disruptions:
- Attack Details: The group says it targeted the ships' satellite communication systems, wiping data and crippling ship-to-shore communications.
- Motivation: Lab Dookhtegan alleges that the two companies were resupplying Houthi forces in Yemen; the Houthis have been attacking ships in the Red Sea for more than a year, causing significant disruption to global commerce.
- Insider Involvement: The group claims that insiders within the Iranian government facilitated the attack, adding an internal dimension to the sabotage.
"We've demonstrated that no vessel is beyond our reach, and the maritime routes fueling conflict are not safe from our operations," stated a spokesperson for Lab Dookhtegan at [02:15].
This incident underscores the growing trend of hacktivist groups targeting critical infrastructure to influence geopolitical dynamics.
3. Iran Accuses China of Cyber Espionage
APT15 Group Targets Iranian Critical Infrastructure
In a notable development, Iran's cybersecurity agency has publicly accused China of cyber espionage. The agency reported that the Chinese espionage group APT15 attempted to infiltrate critical Iranian infrastructure and government networks, and that Iranian defenders detected and stopped the intrusion attempt.
- Significance: This marks the first time the Iranian government has openly blamed China for cyber operations, indicating escalating cyber tensions between the two nations.
"This is the first time we have publicly named China for its persistent cyber threats against our nation," Claire Aird reported at [05:30].
The exposure of APT15's activities highlights the pervasive nature of state-sponsored cyber espionage and its implications for international relations.
4. North Korea Establishes New Cyber Unit
Formation of Research Centre 227
North Korea has officially established a new cyber unit, Research Centre 227, within its military intelligence agency, the Reconnaissance General Bureau. This center is dedicated to developing advanced offensive hacking techniques.
- Operational Scope: Launched this month, Research Centre 227 is expected to grow to approximately 90 personnel, focusing on enhancing North Korea's cyber warfare capabilities.
"With Research Centre 227, North Korea is signaling its intent to escalate its cyber offensive operations significantly," noted Claire Aird at [08:45].
This move signifies North Korea's commitment to strengthening its cyber arsenal, potentially increasing its involvement in global cyber conflicts.
5. Paragon Solutions Spyware Sales Exposed
CitizenLab Identifies Six Government Customers
CitizenLab has uncovered that at least six governments have likely purchased spyware from Israeli company Paragon Solutions. The affected countries include Australia, Canada, Cyprus, Denmark, Israel, and Singapore.
- Background: Earlier in the year, Paragon Solutions ceased selling to the Italian government after evidence emerged that its spyware was used to target activists and journalists.
"Our analysis reveals concerning connections between Paragon's server infrastructure and several government entities, raising questions about privacy and surveillance practices," Claire Aird elaborated at [12:10].
This revelation prompts a broader discussion on the ethical implications of state-sponsored spyware deployment and the need for stringent regulations.
6. UK’s Guidance on Quantum-Resistant Encryption
Mandated Migration to Secure Encryption Methods
The UK's National Cyber Security Centre (NCSC) has issued guidance urging organizations to complete their transition to quantum-resistant (post-quantum) cryptography by 2035, with high-priority and critical services expected to migrate by 2031.
- Directive: Organizations should first inventory where they depend on public-key algorithms that a cryptographically relevant quantum computer would break (RSA, Diffie-Hellman and elliptic-curve key exchange and signatures), with discovery and planning due by 2028, and then migrate those uses to post-quantum alternatives on the timeline above.
"Quantum computing poses a significant threat to current encryption standards. Our guidance ensures that the UK's digital infrastructure remains secure," a spokesperson for the NCSC stated at [14:20].
This proactive stance aims to future-proof the UK's cybersecurity infrastructure against the impending challenges posed by quantum computing advancements.
7. Hong Kong Enacts First Cybersecurity Bill
New Legislation Imposes Strict Reporting and Assessment Requirements
Hong Kong has passed its inaugural cybersecurity bill, mandating critical sector operators to:
- Incident Reporting: Report security incidents to the Security Bureau within 12 hours.
- Risk Assessments: Conduct and file annual risk assessments.
- Penalties: Non-compliance can result in fines of up to HK$5 million (about US$640,000).
"This legislation is a crucial step in bolstering Hong Kong's cybersecurity posture and ensuring rapid response to threats," Claire Aird highlighted at [17:05].
The law reflects Hong Kong's commitment to enhancing its cybersecurity framework and protecting its critical infrastructure from escalating cyber threats.
8. Spy X App Data Leak
Personal Data of Nearly 2 Million Users Exposed
A significant breach has occurred involving the consumer spyware ("stalkerware") app Spy X, exposing data on nearly 2 million users. The compromised information includes:
- Email addresses
- IP addresses
- Country of origin
- Surveillance targets
- Timeline: The hack occurred in June 2024 but was only disclosed this week, when the data was shared with the breach-notification site Have I Been Pwned.
- Context: According to TechCrunch, Spy X is the 25th mobile spyware app known to have been hacked since 2017.
"The scale of the Spy X data leak highlights the vulnerabilities inherent in surveillance tools and the potential dangers of their misuse," Claire Aird commented at [19:50].
This incident underscores the critical need for robust security measures in spyware applications to protect user data and prevent exploitation.
9. Baidu Faces Doxxing Scandal
Chinese Search Giant Denies Internal Data Breach
Baidu has refuted claims that its data was accessed by the teenage daughter of one of its executives, who allegedly used the information in a doxxing campaign:
- Incident: The executive's daughter leaked personal details of her online rivals.
- Denial: Baidu Cloud Vice President Xie Guangjun asserted that the data did not originate from Baidu's servers.
- Alternative Explanation: Claire Aird reports that the data was sourced from doxxing databases outside of China.
"Our systems remain secure, and we have no evidence that Baidu's infrastructure was compromised in this manner," Xie Guangjun stated at [22:15].
This situation highlights challenges companies face in controlling data leaks and the reputational risks associated with employee or family member misconduct.
10. US Appeals Court Orders Re-sentencing of Capital One Hacker Paige Thompson
Judicial Review Finds Initial Sentence Lenient
Paige Thompson, convicted for the 2019 Capital One breach, has been ordered by a US appeals court (the Ninth Circuit) to undergo re-sentencing. The appellate judges found that her original sentence of time served plus five years of probation was unreasonably lenient.
- Background: Thompson was sentenced in October 2022; she now faces a stricter sentence following the court's review.
A separate US appeals court has likewise ordered the re-sentencing of Pompompurin, the former administrator of the BreachForums cybercrime forum. In an unrelated story, leaked internal chats from the Black Basta ransomware group revealed that its administrator, Oleg Nefedov, boasted about contacting a high-level Russian official who secured his release after an arrest in Armenia:
"We leveraged high-level connections to ensure my swift release after my arrest," as shared by Nefedov, Claire Aird reported at [25:40].
These cases emphasize the judiciary's commitment to imposing appropriate penalties on cybercriminals, signaling reduced tolerance for cyber offenses.
11. GitHub Action Supply Chain Attack
Attack Scope Smaller Than Initially Feared
The tj-actions/changed-files GitHub Action suffered a supply chain attack. Roughly 600 repositories ran the malicious version, and secrets were leaked from 218 of them, far fewer than the roughly 23,000 repositories that use the action, as was initially feared.
- Attack Mechanism: The attacker force-pushed the action's existing version tags to a malicious commit, so any workflow that referenced the action by tag (for example @v45) rather than by commit SHA pulled in code that dumped the CI runner's memory and printed the secrets it found into the build logs.
- Impact Assessment: Endor Labs clarified that only a small percentage of users actually executed the malicious version.
- Compromise Source: Wiz traced the incident to a prior compromise of a different GitHub Action, reviewdog/action-setup, through which the attacker obtained credentials for the tj-actions repositories.
"While any breach is concerning, the actual impact was contained and mitigated swiftly," Claire Aird noted at [28:10].
This incident highlights the vulnerabilities inherent in supply chain software components and the importance of rapid response mechanisms.
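The defensive lesson of this incident is that a version tag is a mutable pointer, while a full commit SHA is not. As an added example (not code from the page, the podcast, or any project named above), the following Python check walks a workflow file and flags every `uses:` reference that is not pinned to a 40-character commit SHA. It also applies a heuristic for single-line `run:` steps that pipe a secret through an encoding command, since GitHub masks only the exact secret string in logs, which is precisely the gap a malicious step exploits to exfiltrate credentials through build output. The workflow text, action names and SHA are constructed for the demo.

```python
import re
from typing import Dict, List

# Constructed workflow for the demo; names and the SHA are illustrative only.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: example-org/lint-action@main
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: ./.github/actions/local-step
      - run: echo "${{ secrets.DEPLOY_TOKEN }}" | base64
      - run: ./deploy.sh
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.+?)\s*(?:#.*)?$", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SECRET_REF_RE = re.compile(r"\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}")
# Commands that write their input to stdout, i.e. into the job log.
OUTPUT_CMD_RE = re.compile(r"\b(echo|printf|cat|base64|xxd|od)\b")


def find_unpinned_actions(workflow_text: str) -> List[Dict[str, str]]:
    """Return every third-party `uses:` reference not pinned to a full commit SHA."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local path or container image: not resolved through a Git tag
        if "@" not in ref:
            findings.append({"action": ref, "ref": "", "reason": "no ref"})
            continue
        action, _, version = ref.rpartition("@")
        if FULL_SHA_RE.match(version):
            continue  # immutable: a moved tag cannot change what this resolves to
        reason = "branch ref" if version in ("main", "master") else "mutable tag"
        findings.append({"action": action, "ref": version, "reason": reason})
    return findings


def find_secret_exposure(workflow_text: str) -> List[str]:
    """Flag single-line `run:` steps that expand a secret inside a command
    that writes to stdout. An encoded copy of a secret (base64, hex) is not
    masked by the log redaction, so it leaves the runner in clear text.
    Passing the secret through `env:` (the deploy step) is not flagged."""
    hits = []
    for m in RUN_RE.finditer(workflow_text):
        cmd = m.group(1)
        if SECRET_REF_RE.search(cmd) and OUTPUT_CMD_RE.search(cmd):
            hits.append(cmd)
    return hits


def audit(workflow_text: str) -> Dict[str, int]:
    """Print findings and return counts so the result can be checked by a caller."""
    unpinned = find_unpinned_actions(workflow_text)
    exposures = find_secret_exposure(workflow_text)
    for f in unpinned:
        print(f"UNPINNED     {f['action']}@{f['ref'] or '?'}  ({f['reason']})")
    for cmd in exposures:
        print(f"SECRET->LOG  {cmd}")
    return {"unpinned": len(unpinned), "secret_exposures": len(exposures)}


if __name__ == "__main__":
    audit(SAMPLE_WORKFLOW)
```

On the sample, the check reports three unpinned references (two tags and one branch) and one secret piped into the log; the SHA-pinned step and the local action pass. In a real repository, run it over every file under `.github/workflows/`, and treat the `run:` heuristic as a prompt for review rather than proof of a leak, since it only inspects single-line steps.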
12. Veeam Addresses Critical Vulnerability
Remote Code Execution Flaw Fixed
Veeam has patched a critical remote code execution (RCE) vulnerability in Veeam Backup & Replication, its widely deployed backup server:
- Vulnerability Details: The flaw, tracked as CVE-2025-23120, is a deserialization issue with a CVSS score of 9.9 out of 10. It is exploitable by any authenticated domain user when the backup server is joined to an Active Directory domain, a configuration Veeam's own hardening guidance advises against.
- Response: Veeam released a fix in Backup & Replication version 12.3.1 and urged customers to update.
"Securing our platforms is paramount, and we have implemented necessary fixes to address the RCE vulnerability," a Veeam representative stated at [30:55].
The quick mitigation efforts demonstrate Veeam's dedication to maintaining the security and reliability of its services.
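Deserialization bugs of this kind share one root cause: the serialized stream is allowed to name which classes or functions the loader instantiates, so an attacker who controls the stream controls what code runs. Veeam's bug is in .NET; as an added example (not Veeam's code or anything from the page), the following Python script shows the same bug class with `pickle`, and beside it the standard hardening of restricting which globals the loader may resolve. The "gadget" is constructed to call `os.getcwd()` so that the demo has no side effects while still proving that loading the stream invokes an attacker-chosen callable.

```python
import io
import os
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only an explicit allow-list of globals.

    A pickle stream is a small program for a stack machine; its GLOBAL and
    STACK_GLOBAL opcodes can import any importable name and then call it with
    attacker-chosen arguments. find_class is the single hook that decides
    which names may be imported, so it is the right place to enforce policy.
    """

    # Demo allow-list (an assumption for this example): nothing beyond the
    # opcodes needed for plain dicts/lists/strings/ints, which import nothing.
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


class Gadget:
    """Constructed malicious object: on load, the stream calls os.getcwd().

    A real payload would reference os.system or subprocess.Popen instead.
    Pickle records the callable by its defining module (posix/nt), not as
    Gadget, so the receiving side needs no knowledge of this class.
    """

    def __reduce__(self):
        return (os.getcwd, ())


def build_malicious_payload() -> bytes:
    return pickle.dumps(Gadget())


def unsafe_load(data: bytes):
    """What a vulnerable endpoint does: trust the stream completely."""
    return pickle.loads(data)


def safe_load(data: bytes):
    """Hardened loader: same wire format, allow-listed globals only."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Run both loaders against a benign and a malicious stream."""
    payload = build_malicious_payload()
    benign = pickle.dumps({"job": "backup", "retries": 3})
    result = {
        # the unrestricted loader executed the attacker's callable
        "unsafe_ran_gadget": unsafe_load(payload) == os.getcwd(),
        # ordinary data still round-trips through the restricted loader
        "safe_loaded_benign": safe_load(benign) == {"job": "backup", "retries": 3},
    }
    try:
        safe_load(payload)
        result["safe_blocked_gadget"] = False
    except pickle.UnpicklingError:
        result["safe_blocked_gadget"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The point that carries over to any language: an allow-list on the loader is the fix, a deny-list of known-dangerous types is not, because the set of usable gadget classes in a large dependency tree is open-ended. Where the data does not need to be arbitrary objects at all, a schema-bound format such as JSON removes the problem entirely.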
13. DollyWay Campaign Compromises WordPress Sites
GoDaddy Identifies More Than 20,000 Compromised Websites
GoDaddy has described a long-running malware campaign it calls DollyWay, active since 2016, which has compromised more than 20,000 WordPress sites:
- Campaign Activities: The injected code redirects visitors to online scams and fake browser-update pages.
- Operational Tactics: The operators patch the vulnerabilities on the sites they compromise and remove competing malware, so that rival attackers are locked out and they keep exclusive control of each infection.
"The persistence and adaptability of the DollyWay campaign present ongoing challenges for website security," Claire Aird explained at [33:30].
This campaign exemplifies the enduring threat posed by long-lived malware operations targeting popular content management systems.
14. Google Enhances Chrome Security with New Font Engine
Introduction of the Skrifa Engine Written in Rust
Google has shipped a new font-parsing and rendering engine, Skrifa, written in Rust, to replace FreeType in Chrome. Font files are attacker-controlled input parsed inside the browser, and FreeType has a long record of memory-safety bugs, so the change targets that bug class directly:
- Deployment: Skrifa is now active on Android, Linux, and ChromeOS, and is also used on Windows and macOS.
- Functionality: On Windows and macOS, font rendering is primarily handled by the operating system's own font stack, with Skrifa serving as a fallback for fonts the OS does not handle.
- Future Plans: Google intends to keep moving parts of Chrome's C++ codebase to Rust to gain its memory-safety guarantees.
"By adopting Rust for our font engine and transitioning more code to this secure language, we are significantly enhancing Chrome's resilience against vulnerabilities," Claire Aird reported at [36:00].
This strategic move reflects Google's proactive approach to integrating more secure programming languages to safeguard its software infrastructure.
Conclusion
The March 21 episode of Risky Bulletin provided a thorough examination of critical cybersecurity events shaping the global landscape. From hacktivist sabotage of Iranian maritime operations to evolving state-sponsored cyber units and significant data breaches, the discussions underscored the escalating complexity and severity of cyber threats. Furthermore, legislative advancements and proactive security measures highlighted ongoing efforts to strengthen defenses against these pervasive challenges. As cyber threats continue to evolve, such insightful analyses remain essential for understanding and navigating the intricate world of cybersecurity.
This summary was prepared based on the transcript provided and aims to encapsulate the key points discussed in the episode for those who have not listened.
