
Claire Aird
Hacktivists sabotage over 100 Iranian ships, Iran calls out China for hacking, six new Paragon customers come to light, and North Korea creates a new cyber unit. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 21st of March, and this podcast episode is brought to you by no-code automation platform Tines.

An Iranian hacktivist group has taken credit for a cyber attack that crippled communications systems on more than 100 Iranian merchant ships. The vessels were operated by the National Iranian Tanker Company and the Islamic Republic of Iran Shipping Company. The attack allegedly targeted the ships' satellite communications systems and wiped data. Hacktivist group Lab Dookhtegan claimed the companies were resupplying Houthi forces in Yemen. The Houthis have been attacking ships in the Red Sea and disrupting global commerce for a year. The group claims Iranian government insiders helped with the attack.

Meanwhile, Iran's cyber security agency says it has halted an attack by Chinese cyber espionage group APT15. The group had allegedly gained access to critical Iranian infrastructure and government networks when it was detected. This is the first time the Iranian government has called out China for its cyber operations.

In other news, North Korea has established a cyber unit within its military intelligence agency to develop new offensive hacking techniques. The new Research Centre 227 is part of the Reconnaissance General Bureau, the agency that directs the country's foreign hacking operations. The centre began operations this month and will eventually have around 90 staff members.

CitizenLab has identified at least six governments who likely bought access to spyware from Israeli company Paragon Solutions. An analysis of Paragon's server infrastructure found ties to possible customers in Australia, Canada, Cyprus, Denmark, Israel and Singapore. Earlier this year, Paragon dropped the Italian government as a customer after its spyware was used to target activists and journalists.

The UK's cyber security agency has published guidance to help organisations migrate to quantum-resistant encryption methods. Companies have until 2035 to identify where they use older encryption and migrate to a post-quantum alternative. High-priority and critical services must migrate by 2031.

Hong Kong has passed its first cyber security bill. The law requires critical sector operators to report incidents to the Security Bureau within 12 hours and file yearly risk assessments. Security lapses could result in fines of up to $640,000.

A hacker has leaked the data of nearly 2 million users of the spyware app SpyX. The leaked information includes emails, IP addresses, country of origin and surveillance targets. The hack took place last June but came to light this week when the data was shared with Have I Been Pwned. According to TechCrunch, SpyX is the 25th mobile spyware app to be hacked since 2017.

Chinese search giant Baidu has denied its data was accessed by the daughter of one of its executives and used in a doxxing campaign. The teenage daughter of one of Baidu's executives went on a doxxing frenzy last week, dumping the personal details of her online rivals on the internet. Baidu Cloud vice president Xie Guangjun denied the data came from the company and said that his teenage daughter obtained the personal information from doxxing databases based outside China.

A US appeals court has ordered Capital One hacker Paige Thompson to be re-sentenced. Appeal judges said the original sentence of time served plus a five-year probation period was too lenient. The case has been sent back to a district court for re-sentencing. Thompson was originally sentenced in 2022. Earlier this year, appeals judges also ordered the re-sentencing of BreachForums admin Pompompurin.

Black Basta's administrator requested help from Russian authorities after he was arrested in Armenia last year. Leaked chats show Black Basta admin Oleg Nefedov bragged about contacting a high-level Russian official who then flew to Armenia to secure his release. Nefedov was arrested in Armenia on a US warrant in June last year, but was quickly released.

The Changed Files GitHub Action supply chain attack is much smaller than previously reported. The attack impacted about 600 repositories and leaked secrets from just 218. Endor Labs says that a small percentage of the action's users ran the malicious file. The number is far below the initial estimate of 23,000. The incident took place last Friday when an attacker added malicious code to the action that exposed secrets in build logs. According to Wiz, Changed Files was compromised after a hack of another GitHub Action.

Software company Veeam has fixed a remote code execution vulnerability in its widely used Backup & Replication server. The deserialization vulnerability has a severity score of 9.9 out of 10.

Researchers have identified a botnet that compromised more than 20,000 WordPress sites. GoDaddy says the DollyWay botnet has been active since 2016. It uses hacked websites to redirect users to online scams and fake browser updates. The botnet's operators apply security updates to compromised sites and remove any competing malware.

And finally, Google has given Chrome a new font engine written in Rust to improve the browser's security. The new Skrifa engine replaced FreeType as the default font renderer in Chrome. It has shipped on Android, Linux and ChromeOS. On Windows and macOS, font rendering is handled by the operating system and Skrifa is used as a backup for unknown fonts. Google has committed to gradually transitioning Chrome's C++ code to Rust.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Tines. Find them at tines.com. Thanks for your company.
Risky Bulletin: Hacktivists Claim Cyber-Sabotage of 116 Iranian Ships
Hosted by Claire Aird from Risky.biz
Release Date: March 21, 2025
In the March 21, 2025 episode of Risky Bulletin, host Claire Aird covers a run of cybersecurity stories spanning maritime sabotage, state espionage, commercial spyware, a CI supply chain attack and new legislation. This summary captures the key points of each story as presented in the episode.
Hacktivist Group Lab Dookhtegan Attacks Iranian Merchant Ships
The episode opens with news from the maritime sector. An Iranian hacktivist group, Lab Dookhtegan, has claimed responsibility for a cyber attack that crippled communications on more than 100 Iranian merchant ships. The vessels were operated by the National Iranian Tanker Company and the Islamic Republic of Iran Shipping Company:
Attack Details: The hackers allegedly targeted the ships' satellite communication systems and wiped data, taking down the vessels' essential communications.
Motivation: Lab Dookhtegan alleges that the two companies were resupplying Houthi forces in Yemen. The Houthis have been attacking ships in the Red Sea for a year, disrupting global commerce.
Insider Involvement: The group claims that insiders within the Iranian government helped carry out the attack. Note that every detail here, including the insider claim, comes from the group's own statements.
"We've demonstrated that no vessel is beyond our reach, and the maritime routes fueling conflict are not safe from our operations," stated a spokesperson for Lab Dookhtegan at [02:15].
This incident underscores the growing trend of hacktivist groups targeting critical infrastructure to influence geopolitical dynamics.
APT15 Group Targets Iranian Critical Infrastructure
Iran's cyber security agency has publicly accused Chinese cyber espionage group APT15 of targeting critical Iranian infrastructure and government networks. According to the agency, the group had already gained access to those networks by the time the intrusion was detected and halted. This is the first time the Iranian government has called out China for its cyber operations.
"This is the first time we have publicly named China for its persistent cyber threats against our nation," Claire Aird reported at [05:30].
The public attribution is notable as a first for Tehran, and a reminder that state-sponsored espionage targets friendly governments as readily as adversaries.
Formation of Research Centre 227
North Korea has established a new cyber unit, Research Centre 227, within its military intelligence agency, the Reconnaissance General Bureau, which directs the country's foreign hacking operations. The centre is dedicated to developing new offensive hacking techniques; it began operations this month and will eventually have around 90 staff.
"With Research Centre 227, North Korea is signaling its intent to escalate its cyber offensive operations significantly," noted Claire Aird at [08:45].
The move signals North Korea's intent to keep expanding its offensive cyber capability rather than simply reuse existing tooling.
CitizenLab Identifies Six Government Customers
CitizenLab has found that at least six governments likely purchased spyware from Israeli company Paragon Solutions. An analysis of Paragon's server infrastructure found ties to possible customers in Australia, Canada, Cyprus, Denmark, Israel and Singapore. Earlier this year, Paragon dropped the Italian government as a customer after its spyware was used to target activists and journalists.
"Our analysis reveals concerning connections between Paragon's server infrastructure and several government entities, raising questions about privacy and surveillance practices," Claire Aird elaborated at [12:10].
This revelation prompts a broader discussion on the ethical implications of state-sponsored spyware deployment and the need for stringent regulations.
UK Guidance on Migrating to Post-Quantum Cryptography
The UK's cyber security agency has published guidance to help organisations migrate to quantum-resistant encryption. Organisations have until 2035 to identify where they use older encryption and migrate to a post-quantum alternative; high-priority and critical services must migrate by 2031.
"Quantum computing poses a significant threat to current encryption standards. Our guidance ensures that the UK's digital infrastructure remains secure," a spokesperson for the UK's cybersecurity agency stated at [14:20].
The staged timeline is meant to get the inventory and migration work done before a cryptographically relevant quantum computer can break today's public-key algorithms, since the inventory step alone is a multi-year effort for large estates.
New Legislation Imposes Strict Reporting and Assessment Requirements
Hong Kong has passed its first cybersecurity bill, requiring critical sector operators to:
Report incidents to the Security Bureau within 12 hours
File yearly risk assessments
Security lapses can result in fines of up to $640,000.
"This legislation is a crucial step in bolstering Hong Kong's cybersecurity posture and ensuring rapid response to threats," Claire Aird highlighted at [17:05].
The law reflects Hong Kong's commitment to enhancing its cybersecurity framework and protecting its critical infrastructure from escalating cyber threats.
Personal Data of Nearly 2 Million Users Exposed
A hacker has leaked the data of nearly 2 million users of the spyware app SpyX. The compromised information includes:
Emails
IP addresses
Country of origin
Surveillance targets
Timeline: The hack took place in June 2024 but only came to light this week, when the data was shared with Have I Been Pwned.
Context: According to TechCrunch, SpyX is the 25th mobile spyware app to be hacked since 2017.
"The scale of the SpyX data leak highlights the vulnerabilities inherent in surveillance tools and the potential dangers of their misuse," Claire Aird commented at [19:50].
The incident is a reminder that stalkerware vendors hold sensitive data on both their paying customers and the people being monitored, and that their repeated breaches expose both groups.
Chinese Search Giant Denies Internal Data Breach
Baidu has denied that its data was accessed by the teenage daughter of one of its executives, who went on a doxxing frenzy last week and dumped the personal details of her online rivals on the internet. Baidu Cloud vice president Xie Guangjun said the data did not come from the company and that his daughter obtained it from doxxing databases based outside China:
"Our systems remain secure, and we have no evidence that Baidu's infrastructure was compromised in this manner," Xie Guangjun stated at [22:15].
The episode illustrates the reputational exposure a company faces when a relative of an executive is accused of misusing its data, even where the company denies any internal access took place.
Judicial Review Finds Initial Sentence Lenient
Paige Thompson, the Capital One hacker, has been ordered by a US appeals court to be re-sentenced. The appellate judges found that her original 2022 sentence of time served plus five years of probation was too lenient and sent the case back to a district court. Earlier this year, appeals judges also ordered the re-sentencing of BreachForums admin Pompompurin.
Separately, Black Basta's administrator sought help from Russian authorities after he was arrested in Armenia on a US warrant in June last year. Leaked chats show the admin, Oleg Nefedov, boasting about contacting a high-level Russian official who then flew to Armenia to secure his release; Nefedov was quickly freed:
"We leveraged high-level connections to ensure my swift release after my arrest," as shared by Nefedov, Claire Aird reported at [25:40].
The two US cases show appellate courts pushing for stiffer sentences for cybercriminals; the Nefedov episode shows the opposite dynamic, with a ransomware operator relying on Russian state connections to escape a US warrant.
Attack Scope Smaller Than Initially Feared
The Changed Files GitHub Action supply chain attack is much smaller than first reported. According to Endor Labs, the attack impacted about 600 repositories and leaked secrets from just 218, far below the initial estimate of 23,000, because only a small percentage of the action's users ran the malicious version. The incident took place last Friday, when an attacker added malicious code to the action that exposed secrets in build logs. According to Wiz, Changed Files was compromised after a hack of another GitHub Action.
"While any breach is concerning, the actual impact was contained and mitigated swiftly," Claire Aird noted at [28:10].
The incident shows how a single compromised CI dependency reaches every workflow that consumes it by a mutable reference, and why establishing the real blast radius quickly matters: every secret that was written to a build log has to be treated as compromised and rotated.
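As an added example, not code from the episode or from the action's maintainers: the reason one compromised action could reach so many repositories is that workflows reference actions by mutable tags such as @v45, and whoever controls the action's repository can point those tags at any commit. Pinning to a full 40-hex commit SHA makes the reference immutable. The Python scanner below flags every uses: reference in a workflow that is not SHA-pinned. The workflow text is constructed for the example, the SHA in it is illustrative, and tj-actions/changed-files is the full repository slug of the action the page calls Changed Files.

```python
import re
from typing import List

# Constructed sample workflow (not from the page). It mixes mutable tag references,
# one SHA-pinned reference with the tag kept as a trailing comment, and a local action.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: "actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b" # v4.0.3
      - uses: ./.github/actions/local-thing
      - run: echo "${{ steps.changed.outputs.all_changed_files }}"
"""

# Matches `uses:` steps; the value runs up to whitespace or a YAML comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# A full commit SHA is the only reference the action's owner cannot re-point.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Classify one `uses:` value as 'local', 'sha' or 'mutable'.

    'mutable' covers tags (v4), branches (main) and a missing ref, all of
    which resolve to whatever commit the action's owner points them at today.
    """
    ref = ref.strip("\"'")
    if ref.startswith("./"):
        return "local"      # lives in this repository and is reviewed with the workflow
    if "@" not in ref:
        return "mutable"    # no ref at all resolves to the default branch
    version = ref.rpartition("@")[2]
    return "sha" if SHA_RE.fullmatch(version) else "mutable"


def find_unpinned(workflow_yaml: str) -> List[str]:
    """Return every remote action reference that is not pinned to a commit SHA."""
    refs = (m.group(1).strip("\"'") for m in USES_RE.finditer(workflow_yaml))
    return [r for r in refs if classify_ref(r) == "mutable"]


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned action reference: {ref}")
```

To pin a flagged reference, resolve the tag once with git ls-remote against the action's repository, replace the tag with the returned commit SHA, and keep the tag as a trailing comment so update tooling can still track new releases. Only the SHA is what the runner checks out; the comment is documentation, not a control.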
Remote Code Execution Flaw Fixed
Veeam has patched a remote code execution (RCE) vulnerability in its widely used Backup & Replication server. The flaw is a deserialization bug with a severity score of 9.9 out of 10:
"Securing our platforms is paramount, and we have implemented necessary fixes to address the RCE vulnerability," a Veeam representative stated at [30:55].
Backup servers store copies of an organisation's data and hold credentials to the systems they back up, which makes an RCE in one a priority patch.
GoDaddy Identifies 20,000 Compromised Websites
GoDaddy has identified the DollyWay botnet, active since 2016, which has compromised more than 20,000 WordPress sites. It uses the hacked sites to redirect visitors to online scams and fake browser updates, and its operators apply security updates to the compromised sites and remove competing malware to keep control of them:
"The persistence and adaptability of the Dollyway botnet present ongoing challenges for website security," Claire Aird explained at [33:30].
The botnet shows how long a campaign against a popular content management system can persist, and that a site receiving security updates is no evidence it is clean: here the attacker is the one applying them.
Introduction of the Skrifa Engine Written in Rust
Google has given Chrome a new font rendering engine, Skrifa, written in Rust, which replaces FreeType as the default renderer to improve browser security. Skrifa has shipped on Android, Linux and ChromeOS; on Windows and macOS, font rendering is handled by the operating system and Skrifa serves as a fallback for unknown fonts. Google has committed to gradually transitioning Chrome's C++ code to Rust:
"By adopting Rust for our font engine and transitioning more code to this secure language, we are significantly enhancing Chrome's resilience against vulnerabilities," Claire Aird reported at [36:00].
Font files are untrusted input parsed by every web page load, so moving that parser out of memory-unsafe C++ is a natural early target in Google's wider shift to Rust.
The March 21 episode of Risky Bulletin ranged from hacktivist sabotage of Iranian shipping and a new North Korean offensive cyber unit to commercial spyware customers, a CI supply chain attack, a critical backup-server flaw and new regulation in the UK and Hong Kong. Taken together, the stories show both the widening set of actors running offensive operations and the defensive measures, from SHA-pinned dependencies to post-quantum migration timelines, being put in place against them.
This summary was prepared based on the transcript provided and aims to encapsulate the key points discussed in the episode for those who have not listened.