Risky Bulletin: New APT Group Turns Out to Be a Phishing Test
Podcast: Risky Bulletin (Risky Biz)
Date: September 8, 2025
Host/Reader: Claire Aird
Producer: Catalin Cimpanu
Episode Overview
This episode of the Risky Bulletin delivers a rapid-fire roundup of the week’s most significant cybersecurity stories globally. Major topics include revelations about a bogus APT group, high-profile data breaches, international cyber policy developments, regulatory actions, and new industry mandates. The show maintains a direct, newsy tone, focusing on accurate reporting and key takeaways for cybersecurity professionals.
Key Discussion Points & Insights
1. False APT Alert: "Noisy Bear" Phishing Test (00:05)
- Summary: What was reported as a Russian APT group ("Noisy Bear") attacking Kazakhstan's state oil and gas company KazMunayGas was in fact an internal phishing awareness exercise, not a state-backed intrusion.
- Quote: “KazMunayGas confirmed that the attacks were actually part of a planned phishing training campaign from May.” (A, 00:11)
2. Qantas Breach: Executive Financial Repercussions (00:21)
- Summary: The Australian airline Qantas reduced executive bonuses by 15% in response to their July data breach, impacting the CEO and five executives, with over $500,000 cut from short-term incentives.
- Quote: “CEO Vanessa Hudson and five executives will lose a total of more than $500,000 in short term bonuses.” (A, 00:24)
3. Wealthsimple Data Theft from Third-Party Compromise (00:29)
- Summary: Canadian investment platform Wealthsimple suffered a breach after attackers exploited a vulnerable third-party software package, compromising data for about 280,000 users (less than 1% of customers).
- Quote: “The attackers allegedly compromised a software package from a trusted third party... that equates to about 280,000 users.” (A, 00:34)
4. Salesloft Breach via GitHub, Widespread Impacts (00:38)
- Summary: A compromise of Salesloft’s GitHub account gave the attackers three months of reconnaissance and data exfiltration, during which they stole OAuth tokens and moved laterally into customer environments. Victims include Elastic Sales, CyberArk, and BeyondTrust.
- Quote: “The hackers gained access, exfiltrated data and carried out reconnaissance for three months.” (A, 00:42)
5. Widespread Malicious GitHub Action (00:49)
- Summary: More than 800 public repositories and over 320 GitHub accounts were compromised through a malicious GitHub Action that harvested credentials from CI runs; more than 3,300 secrets were stolen.
- Quote: “It gathered secrets and tokens and sent them to a remote server, according to GitGuardian.” (A, 00:51)
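A malicious Action gets at secrets because a workflow hands them to whatever code the `uses:` reference resolves to, and tags or branches can be moved by the action's owner at any time. The following Python audit is an added example, not code from the episode or from GitGuardian: it scans a workflow file for third-party actions that are not pinned to a full 40-character commit SHA and reports which secrets each such step receives. The sample workflow, the `some-org/helpful-action` name and the 40-hex SHA are constructed for illustration; the `allowed_owners` policy knob is an assumption of this example.

```python
import re

# Constructed sample workflow (not from the episode). It mixes a tag pin,
# a SHA pin, a mutable branch reference, a local action and a docker image.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # constructed SHA
      - uses: some-org/helpful-action@main
        with:
          token: ${{ secrets.NPM_TOKEN }}
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
"""

# Matches a `uses:` step line and captures the action reference (without quotes/comments).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A full-length git commit SHA is the only immutable reference form.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses: str) -> str:
    """Return 'local', 'docker', 'sha', 'tag', 'branch' or 'unpinned' for a `uses:` value."""
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        return "docker"
    if "@" not in uses:
        return "unpinned"
    _, ref = uses.rsplit("@", 1)
    if SHA_RE.match(ref):
        return "sha"
    if re.match(r"^v?\d+(\.\d+)*$", ref):
        return "tag"
    return "branch"


def audit_workflow(workflow_text: str, allowed_owners=("actions",)) -> list:
    """Flag steps that run mutable third-party code and list the secrets passed to them.

    allowed_owners (assumed policy knob): owners whose *tags* are tolerated; every other
    remote action must be pinned to a commit SHA. Branch refs are never accepted.
    """
    findings = []
    current = None  # the finding for the step currently being read, if it was flagged
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            uses = m.group(1)
            kind = classify_ref(uses)
            owner = uses.split("/", 1)[0]
            immutable = kind in ("local", "docker", "sha")
            tolerated_tag = kind == "tag" and owner in allowed_owners
            current = None
            if not immutable and not tolerated_tag:
                current = {"line": lineno, "uses": uses, "ref_kind": kind, "secrets": []}
                findings.append(current)
            continue
        if current is None:
            continue
        if re.match(r"^\s*-\s", line):
            current = None  # a new step started without a `uses:` (e.g. `- name:`)
        else:
            # Any `${{ secrets.X }}` inside the flagged step is exposed to mutable code.
            current["secrets"].extend(re.findall(r"secrets\.([A-Za-z0-9_]+)", line))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['uses']} ({f['ref_kind']}) receives secrets {f['secrets']}")
```

Running it against the sample reports only the `@main` step, together with `NPM_TOKEN`, which is exactly the combination the GitGuardian story describes: a mutable action reference with a credential in scope. The remediation is to replace the branch or tag with a commit SHA and keep a version comment beside it for readability.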
6. Hacktivist Attack on Belarus Steelworks (00:56)
- Summary: The Cyber Partisans hacktivist group defaced the Belarus BMZ steelworks’ website, alleging its production of artillery shells for Russia.
- Quote: “The group defaced the BMZ website with images of anti government protests.” (A, 00:59)
7. US Cyber Command and NSA Leadership Update (01:04)
- Summary: Lieutenant General William Hartman is expected to formally assume command of both Cyber Command and the NSA, following broad US government support.
- Quote: “General Hartman has secured support from the White House, the Pentagon and the Office of the director of National Intelligence.” (A, 01:08)
8. APT41’s Trade Talks Phishing as “John Moolenaar” (01:13)
- Summary: Chinese APT41 impersonated US Rep. John Moolenaar to target US trade groups, law firms, and government agencies during trade talks.
- Quote: “APT41 ran phishing campaigns using the name of Congressman John Moolenaar.” (A, 01:15)
9. Nepal Blocks 26 Major Social Media Sites (01:20)
- Summary: Nepal’s government blocked unregistered social platforms, including Facebook, WhatsApp, YouTube, and Reddit, while previously compliant Telegram and TikTok escaped the ban.
- Quote: “The banned sites include Facebook, WhatsApp, YouTube and Reddit. Telegram and TikTok escaped the ban this time.” (A, 01:22)
10. Russian Internet Blackout Exemptions (01:28)
- Summary: Russia published a whitelist of apps and services, mainly banks, delivery services, and domestic social networks, that will stay reachable during future mobile internet shutdowns imposed to disrupt Ukrainian drone operations.
- Quote: “The list includes apps and websites for local Russian banks, delivery services, taxi networks and supermarkets.” (A, 01:31)
11. EU Fines Google and Threatens Breakup (01:37)
- Summary: The EU fined Google €2.95 billion over online ad monopolies and floated the idea of breaking up its ad business. The US threatened retaliatory trade sanctions.
- Quote: “EU officials have suggested that a divestment of Google's ad business would be the only way to counter the company's conflict of interest.” (A, 01:41)
12. Google Data Collection Lawsuit (01:45)
- Summary: Google was ordered to pay $425 million in a class action for covertly collecting user activity data, far less than the $31 billion plaintiffs sought, as the jury found no malice.
- Quote: “Google had ignored a privacy setting and collected activity data from users smartphones... for more than eight years.” (A, 01:48)
13. Russian InfoOps Hit Moldova’s Election (01:52)
- Summary: At least four Russian influence groups target Moldova’s pro-EU government ahead of parliamentary elections with disinformation and AI-generated fake news.
- Quote: “The campaigns include social media activity, AI generated content and fake news stories.” (A, 01:56)
14. Pakistan’s Largest Influence Campaign Exposed (02:02)
- Summary: The group “Team 64” runs Pakistan's largest online influence operation, tracked by Recorded Future under the codename Kyber Defender.
- Quote: “Its online activities are tracked under the codename of Kyber Defender. According to Recorded Future, the group is Pakistan's largest online influence operation.” (A, 02:07)
15. SAP S/4HANA Exploit and Infection in the Wild (02:12)
- Summary: A code injection vulnerability in SAP S/4HANA (severity 9.9/10) is being exploited in the wild; the patch was released last month.
- Quote: “They target a code injection vulnerability in the enterprise resource planning platform. The bug has a severity rating of 9.9 and was patched last month.” (A, 02:15)
16. Critical Argo CD Flaw Patched (02:18)
- Summary: Argo CD patched a critical bug (severity 9.9/10) that let users holding low-privileged API tokens extract the credentials of any Git repository integrated into the CI/CD pipeline.
- Quote: “Allowed Argo users with low level API tokens to extract the credentials of any Git repository integrated in the Argo CI/CD pipeline.” (A, 02:20)
17. Cyber Insurance Market Stagnation (02:24)
- Summary: Cyber insurance rates are holding steady for large firms because of increased competition among insurers, while uptake among small businesses remains limited.
- Quote: “Rates have remained the same due to increased competition among insurers, according to insurance provider Swiss Re.” (A, 02:26)
18. MFA to Become Mandatory for Microsoft Azure Tenants (02:30)
- Summary: Microsoft will enforce mandatory MFA for Azure administrator accounts from October 2025, following bulk enrollment in March.
- Quote: “It will become a requirement in October. The company announced its plans for mandatory MFA in 2024.” (A, 02:34)
19. Roblox to Age-Verify Chat Users (02:38)
- Summary: Roblox will soon require users of voice and text chat to pass age verification, combining facial age estimation, ID checks, and parental consent, in order to limit communication between adults and children.
- Quote: “This system will use a combination of facial age estimation, ID checks and parental consent to verify users ages.” (A, 02:41)
20. Anthropic Bans AI Sales to Chinese-Owned Firms (02:47)
- Summary: AI company Anthropic halts sales to Chinese majority-owned businesses to prevent abuse by China's military and intelligence agencies, risking “hundreds of millions” in revenue loss.
- Quote: “Anthropic expects to lose hundreds of millions of dollars in revenue, according to the Financial Times.” (A, 02:51)
Notable Quotes & Memorable Moments
- On false positives in threat intelligence: “KazMunayGas confirmed that the attacks were actually part of a planned phishing training campaign from May.” (A, 00:11)
- On the financial costs of breaches: “CEO Vanessa Hudson and five executives will lose a total of more than $500,000 in short term bonuses.” (A, 00:24)
- On persistent third-party risk: “The attackers allegedly compromised a software package from a trusted third party... that equates to about 280,000 users.” (A, 00:34)
- On strategic cyber defense pivots: “The list includes apps and websites for local Russian banks, delivery services, taxi networks and supermarkets. ... The Kremlin's been increasingly shutting down mobile networks to disrupt Ukrainian drones crossing its territory.” (A, 01:31)
- On regulatory escalation: “EU officials have suggested that a divestment of Google's ad business would be the only way to counter the company's conflict of interest.” (A, 01:41)
- On industry tradeoffs in security vs. business: “Anthropic expects to lose hundreds of millions of dollars in revenue, according to the Financial Times.” (A, 02:51)
Timeline of Major Segments
| Time | Topic |
|-------|-------------------------------------------------|
| 00:04 | Opening headlines & APT phishing test revelation |
| 00:21 | Qantas breach fallout |
| 00:29 | Wealthsimple data theft |
| 00:38 | Salesloft GitHub compromise |
| 00:49 | Malicious GitHub action campaign |
| 00:56 | Belarus steelworks hacked |
| 01:04 | US Cyber Command/NSA leadership change |
| 01:13 | Chinese APT41 targets US trade talks |
| 01:20 | Nepal’s social media bans |
| 01:28 | Russia’s Internet resilience lists |
| 01:37 | EU fines and possible Google ad breakup |
| 01:45 | Google data collection lawsuit |
| 01:52 | Russian interference in Moldova |
| 02:02 | Pakistan’s influence campaign tracked |
| 02:12 | SAP S/4HANA & Argo CD critical bugs |
| 02:24 | Cyber insurance market trends |
| 02:30 | MFA requirements for Microsoft Azure |
| 02:38 | Roblox chat age verification |
| 02:47 | Anthropic bans China-linked clients |
For more news and updates, visit risky.biz.
