A
A new APT group turns out to be a phishing test, Qantas cuts executive bonuses after a recent breach, Anthropic stops selling AI tools to Chinese firms and Nepal blocks 26 social media sites. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 8th of September and this podcast episode is brought to you by Trail of Bits.

Recent reports of a new Russian APT group turned out to be a phishing test. Last week, Indian security firm Seqrite claimed that a suspected Russian group named Noisy Bear had targeted Kazakhstan's state-owned oil and gas company. KazMunayGas confirmed that the attacks were actually part of a planned phishing training campaign from May.

Australian airline Qantas has cut executive bonuses by 15% following a recent security breach. CEO Vanessa Hudson and five executives will lose a total of more than $500,000 in short-term bonuses. The airline disclosed the security breach in July.

Hackers have stolen customer data from Canadian online investment platform Wealthsimple. The attackers allegedly compromised a software package from a trusted third party. Wealthsimple says the hackers stole data from less than 1% of its customers. Based on the company's latest numbers, that equates to about 280,000 users.

The recent breach at Salesloft began with a compromise of the company's GitHub account in March, according to the latest investigation update. The hackers gained access, exfiltrated data and carried out reconnaissance for three months. The hackers stole OAuth tokens for Salesloft customers in June and started pivoting to their respective networks at the end of August. The list of companies affected by the breach now includes Elastic Sales, CyberArk and BeyondTrust.

A malicious GitHub Action has been deployed in more than 800 GitHub repositories. It gathered secrets and tokens and sent them to a remote server, according to GitGuardian. The attackers compromised more than 320 GitHub accounts and stole over 3,300 secrets.

The largest steelworks in Belarus has been breached by the Cyber Partisans hacktivist group. The group defaced the BMZ website with images of anti-government protests. The Cyber Partisans said the steelworks is producing shells for the Russian army.

Army Lieutenant General William Hartman is expected to be named the next head of Cyber Command and the NSA. He's been acting head since April, when the White House dismissed Air Force General Timothy Haugh, according to Politico. General Hartman has secured support from the White House, the Pentagon and the Office of the Director of National Intelligence.

A Chinese cyber espionage group impersonated a US lawmaker during recent trade talks between the two countries. APT41 ran phishing campaigns using the name of Congressman John Moolenaar. He is the chairman of the House Select Committee on the Chinese Communist Party. According to the Wall Street Journal, the campaign targeted trade groups, law firms and US government agencies.

Nepal's Internet watchdog has blocked 26 social media websites for failing to register with the government. The banned sites include Facebook, WhatsApp, YouTube and Reddit. Telegram and TikTok escaped the ban this time; they had already registered after being banned in previous years.

The Russian government has published a list of local apps and services that will be exempt from future Internet blackouts. The list includes apps and websites for local Russian banks, delivery services, taxi networks and supermarkets. It also includes the Max national messenger, RuTube and Russian social media sites. The Kremlin has been increasingly shutting down mobile networks to disrupt Ukrainian drones crossing its territory.

The European Union has fined Google 2.95 billion euros over anti-competitive practices in online advertising. EU officials have suggested that a divestment of Google's ad business would be the only way to counter the company's conflict of interest. Following the fine announcement, the Trump administration threatened the EU with fresh trade sanctions.

Meantime, Google has been ordered to pay $425 million in damages following a class action lawsuit. The jury found that Google had ignored a privacy setting and collected activity data from users' smartphones. The data was collected for more than eight years. Plaintiffs asked for $31 billion in damages, but the jury ruled that Google did not act with malice.

Russia's online influence operations are targeting the upcoming Moldovan parliamentary elections, according to Recorded Future. At least four of Russia's largest influence groups are attacking Moldova's pro-EU president and parties. The campaigns include social media activity, AI-generated content and fake news stories. Moldova's elections are scheduled for September 28th.

A pro-Pakistan online influence operation has been linked to a local company, Team 64. The firm operates out of Pakistan's Khyber Pakhtunkhwa province. Its online activities are tracked under the codename of Khyber Defender. According to Recorded Future, the group is Pakistan's largest online influence operation.

A recently patched SAP S/4HANA vulnerability is being exploited in the wild. The attacks were discovered by security firm SecurityBridge last week. They target a code injection vulnerability in the enterprise resource planning platform. The bug has a severity rating of 9.9 and was patched last month.

The Argo CD Kubernetes management platform has patched a critical vulnerability. The bug allowed Argo users with low-level API tokens to extract the credentials of any Git repository integrated in the Argo CI/CD pipeline. The bug has a 9.9 severity rating.

The cost of cyber insurance has remained static for the third consecutive year. Rates have remained the same due to increased competition among insurers, according to insurance provider Swiss Re. Large corporations are the primary customers, while cyber insurance remains unpopular with small businesses.

Multi-factor authentication will become mandatory for administrative access to Azure. Microsoft says it enrolled 100% of Azure tenants into an MFA solution in March this year. It will become a requirement in October. The company announced its plans for mandatory MFA in 2024.

Online video game Roblox will verify the age of anyone using its voice and text chat features. The new age checks are scheduled to be in place by the end of the year. The system will use a combination of facial age estimation, ID checks and parental consent to verify users' ages. The company aims to limit communications between adult and child accounts.

And finally, Anthropic has stopped selling its AI tools to companies with majority Chinese ownership. The company wants to prevent its tools from being abused for Chinese military and intelligence purposes. Anthropic expects to lose hundreds of millions of dollars in revenue, according to the Financial Times.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Trail of Bits. Find them at trailofbits.com. Thanks for your company.
Podcast: Risky Bulletin (Risky Biz)
Date: September 8, 2025
Host/Reader: Claire Aird
Producer: Catalin Cimpanu
This episode of the Risky Bulletin delivers a rapid-fire roundup of the week’s most significant cybersecurity stories globally. Major topics include revelations about a bogus APT group, high-profile data breaches, international cyber policy developments, regulatory actions, and new industry mandates. The show maintains a direct, newsy tone, focusing on accurate reporting and key takeaways for cybersecurity professionals.
On false positives in threat intelligence:
“KazMunayGas confirmed that the attacks were actually part of a planned phishing training campaign from May.” (A, 00:11)
On the financial costs of breaches:
“CEO Vanessa Hudson and five executives will lose a total of more than $500,000 in short term bonuses.” (A, 00:24)
On persistent third-party risk:
“The attackers allegedly compromised a software package from a trusted third party... that equates to about 280,000 users.” (A, 00:34)
On strategic cyber defense pivots:
“The list includes apps and websites for local Russian banks, delivery services, taxi networks and supermarkets. ... The Kremlin's been increasingly shutting down mobile networks to disrupt Ukrainian drones crossing its territory.” (A, 01:31)
On regulatory escalation:
“EU officials have suggested that a divestment of Google's ad business would be the only way to counter the company's conflict of interest.” (A, 01:41)
On industry tradeoffs in security vs. business:
“Anthropic expects to lose hundreds of millions of dollars in revenue, according to the Financial Times.” (A, 02:51)
| Time  | Topic                                            |
|-------|--------------------------------------------------|
| 00:04 | Opening headlines & APT phishing test revelation |
| 00:21 | Qantas breach fallout                            |
| 00:29 | Wealthsimple data theft                          |
| 00:38 | Salesloft GitHub compromise                      |
| 00:49 | Malicious GitHub Action campaign                 |
| 00:56 | Belarus steelworks hacked                        |
| 01:04 | US Cyber Command/NSA leadership change           |
| 01:13 | Chinese APT41 targets US trade talks             |
| 01:20 | Nepal’s social media bans                        |
| 01:28 | Russia’s Internet resilience lists               |
| 01:37 | EU fines and possible Google ad breakup          |
| 01:45 | Google data collection lawsuit                   |
| 01:52 | Russian interference in Moldova                  |
| 02:02 | Pakistan’s influence campaign tracked            |
| 02:12 | SAP S/4HANA & Argo CD critical bugs              |
| 02:24 | Cyber insurance market trends                    |
| 02:30 | MFA requirements for Microsoft Azure             |
| 02:38 | Roblox chat age verification                     |
| 02:47 | Anthropic bans China-linked clients              |
For more news and updates, visit risky.biz.