Risky Bulletin: Major CISA Leadership Exodus Underway
Episode Release Date: May 26, 2025
Host: Caitlin Sorey
Prepared by: Catalyn Campano
1. Significant Leadership Departures at CISA
In a major shakeup, several high-ranking officials are set to depart from the Cybersecurity and Infrastructure Security Agency (CISA) by the end of May. Caitlin Sorey reports, “Several high-ranking officials will leave the US Cybersecurity and Infrastructure Security Agency at the end of May” [00:00].
An internal memo, obtained by the Washington Post, reveals that the heads of three of CISA’s six divisions—Cybersecurity, Infrastructure Security, and Integrated Operations—will be exiting. Additionally, the deputy of a fourth division is also leaving. Beyond the top levels, regional leaders and key officers responsible for finance, strategy, human resources, and contracting are among those departing. This exodus marks a significant transition within the agency, potentially impacting its strategic direction and operational effectiveness.
2. Government Audit Targets NIST's Vulnerability Management
The National Institute of Standards and Technology (NIST) is under scrutiny as the US Government announces an audit over its management of the National Vulnerability Database (NVD). “The US Government will audit the National Institute of Standards and Technology over its management of the National Vulnerability Database” [00:00], explains Sorey.
The audit, conducted by the US Department of Commerce's Office of Inspector General, aims to evaluate NIST's processes for handling NVD submissions, especially after the agency grappled with a substantial backlog last year. This evaluation seeks to ensure that vulnerability reporting and management practices meet the necessary standards and timelines to safeguard national cybersecurity interests.
3. Vietnam Enforces Telegram Ban Amid Security Concerns
The Vietnamese government has taken decisive action by mandating local telecom companies to block access to the Telegram instant messenger. “The Vietnamese government has ordered local telecom companies to block access to the Telegram instant messenger” [00:00], notes Sorey.
Officials cited Telegram’s failure to comply with law enforcement requests in cases involving fraud, drug trafficking, and terrorism as the primary reason for the ban, which is set to take effect in June. Telegram responded to Reuters, stating, “We were surprised by the decision,” highlighting the company's unexpected position regarding the enforcement action.
4. Spanish Government Linked to Cyber Espionage Group Careto
Caitlin Sorey highlights the involvement of the Spanish government in cyber espionage activities through the group Careto. “The Spanish government is behind a cyber espionage group known as Careto” [00:00].
Active since at least 2007, Careto has operated sporadically, primarily targeting Spain's neighbors and other Spanish-speaking nations. According to Kaspersky, as discussed in an interview with TechCrunch, Careto is “very small compared to Lazarus and APT41, but far more sophisticated.” This distinction underscores Careto’s advanced capabilities despite its limited size, posing a significant threat in the realm of state-sponsored cyber activities.
5. Chinese Cyber Espionage Group Silk Typhoon Targets Commvault and US Treasury
The Chinese cyber espionage group Silk Typhoon has been active in infiltrating critical infrastructure. Recently, the group hacked Commvault, a backup software company, by compromising its Azure servers in February. According to CISA, this intrusion is part of a broader campaign targeting SaaS providers.
Additionally, Silk Typhoon previously breached the US Treasury Department late last year, indicating the group's sustained efforts to penetrate high-value government targets. These actions demonstrate Silk Typhoon’s ongoing strategy to access sensitive information within pivotal institutions.
6. Belgian Authorities Pursue Ransomware Developers from Russia
Belgian prosecutors are seeking severe penalties for individuals involved in the development and distribution of the CryLock ransomware. “Belgian authorities are seeking 13 years' imprisonment for the Russian man accused of developing the CryLock ransomware” [00:00], reports Sorey.
The accused man and a woman who advertised the ransomware online and negotiated with victims are believed to have infected over 400 users and amassed more than 3 million euros through their malicious activities. Detained in Spain in 2023, the pair has been extradited to Belgium, where the court is expected to render a verdict in late June.
7. Russian Programmer Sentenced for Data Breach to Ukrainian Intelligence
In a notable case of cyber-related treason, Russian authorities have sentenced a 37-year-old programmer to 14 years in prison. “Russian authorities have sentenced a man to 14 years in prison for uploading Russians' personal data to a Telegram channel managed by Ukrainian intelligence” [00:00], states Sorey.
The convicted individual worked at a hospital in Russia's Arkhinsk region and unlawfully disseminated personal information, including details of Russian military personnel, to a channel controlled by Ukrainian intelligence, resulting in charges of high treason.
8. Romanian Nationals Arrested in Australia for ATM Skimming
Two Romanian nationals have been apprehended in Australia on charges of installing skimming devices on ATMs. “Two Romanian nationals have been arrested in Australia for installing skimming devices on ATMs” [00:00], explains Sorey.
Operating in Sydney and the Illawarra region, the duo allegedly cloned bank cards using the stolen data, extracting over 800,000 Australian dollars from unsuspecting victims. Law enforcement agencies conducted the investigation over a month, responding to numerous reports of tampered ATMs.
9. FBI’s Tactics Against the Lumma Stealer Operation
The FBI has employed innovative methods to combat the Lumma Stealer cybercriminal group. Sorey reports, “Officials have been investigating the pair for a month after banks reported ATMs being tampered with. Law enforcement agencies reportedly hacked Lumma Stealer's servers because they couldn't physically seize the group's infrastructure” [00:00].
In a Telegram post, Lumma Stealer administrators claimed that the FBI exploited a vulnerability in Dell's iDRAC lights-out management system to collect data and wipe their backup servers. Additionally, the post alleged that law enforcement deployed a phishing page on Lumma Stealer's portal to harvest customer data. These actions purportedly occurred a week before authorities successfully dismantled the Lumma Stealer operation.
10. Silent Data Extortion Group’s Phone Phishing Campaign
The Silent Data Extortion group has been actively targeting US companies through sophisticated phone phishing attacks for the past two years. “The Silent Data Extortion group has been targeting US companies with phone phishing attacks for two years” [00:00], states Sorey.
Their modus operandi involves callers posing as representatives from the company’s IT department, tricking employees into inadvertently downloading malware. This approach has primarily affected US law firms, potentially compromising sensitive legal information and client data.
11. Surge in SVG-Based Phishing Attacks
A noticeable increase in the abuse of the SVG (Scalable Vector Graphics) image format for phishing has been observed by over a dozen security firms. “A recent surge in abusing the SVG image format has been noted by more than a dozen security firms” [00:00], reports Sorey.
Sublime Security highlighted that SVG-based attacks constituted about 1% of all phishing attempts they monitored in the last six months. Because an SVG file is an XML document that can carry scripts, event handlers, links, and embedded HTML, it behaves much like a full-featured web page, which makes the format an attractive vector for malicious actors to craft convincing phishing lures.
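The reason SVG attachments work as lures is exactly what a defender can key on: a benign image needs shapes and paths, not `<script>` elements, `on*` event handlers, `javascript:` links, or `<foreignObject>` blocks wrapping HTML forms. The scanner below is an added example written for this summary, not code from the episode or from Sublime Security; the function names (`scan_svg`, `is_suspicious`) and the two sample SVG documents are constructed for illustration, and the hostnames use the reserved `.invalid` domain.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names that register script event handlers (onload, onclick, ...).
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# URL schemes that execute code or smuggle content rather than fetch an image.
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|data):", re.IGNORECASE)
# HTML elements that have no business inside a static image.
HTML_TAGS = {"iframe", "embed", "object", "form", "input", "button"}


def _local(qualified_name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified_name.split("}", 1)[1] if qualified_name.startswith("{") else qualified_name


def scan_svg(svg_text):
    """Return a list of human-readable findings for one SVG document.

    An empty list means no active-content markers were found. Unparseable
    input is itself reported, since malformed XML can be a sign of
    deliberate obfuscation aimed at lenient browser parsers.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); treat as suspicious"]

    for elem in root.iter():
        tag = _local(elem.tag).lower()
        if tag == "script":
            findings.append("inline <script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> embedding non-SVG content")
        elif tag in HTML_TAGS:
            findings.append(f"HTML <{tag}> element inside SVG")

        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if EVENT_ATTR.match(name):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name in ("href", "src") and SCRIPT_SCHEME.match(value):
                scheme = value.strip().split(":", 1)[0].lower()
                findings.append(f"{scheme}: URL in {name}= on <{tag}>")
    return findings


def is_suspicious(svg_text):
    """Convenience wrapper: True if any finding was raised."""
    return bool(scan_svg(svg_text))


# Constructed sample: a plain icon with no active content.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<rect width="10" height="10" fill="blue"/></svg>'
)

# Constructed sample: the markers a credential-harvesting lure typically carries.
LURE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    '<script>/* script body omitted in this constructed sample */</script>'
    '<a xlink:href="javascript:void(0)"><text x="10" y="20">Open document</text></a>'
    '<foreignObject width="200" height="100">'
    '<div xmlns="http://www.w3.org/1999/xhtml">'
    '<form action="https://example.invalid/collect"><input name="pw"/></form>'
    '</div></foreignObject></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(f"{label}: {scan_svg(doc) or 'no findings'}")
```

Run as a script it prints the findings for both samples; in a mail gateway or EDR pipeline the same `scan_svg` call would be applied to every attachment whose declared or sniffed type is `image/svg+xml`, with any non-empty result routed to quarantine or analyst review. The check is deliberately structural rather than signature-based, so it is unaffected by the text of the lure itself.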
12. Russia Deploys Mobile Signal Jammers in Educational Institutions
In an effort to curb cheating during examinations, Russian authorities have installed over 11,000 mobile signal jammers in schools. “Russian authorities deployed more than 11,000 mobile signal jammers in schools to prevent students from cheating during exams” [00:00], elaborates Sorey.
These jammers are strategically placed in exam rooms and some bathrooms, effectively blocking phone signals and preventing students from using hidden wireless earpieces. This measure reflects Russia's stringent approach to maintaining examination integrity through technological enforcement.
This summary encapsulates the key discussions and insights from the May 26, 2025 episode of Risky Bulletin, providing a comprehensive overview of the latest developments in cybersecurity and related fields.
