Claire Aird
Russia spies on local embassies via ISPs, a Canadian man is jailed for stealing Internet apes, Signal threatens to leave Australia, and Russian pharmacies go down after a cyber attack. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 1st of August, and this podcast episode is brought to you by vulnerability management and analysis platform Nucleus Security.

A Russian cyber espionage group is tampering with the Internet connections of foreign embassies in Moscow. The hackers are altering traffic and delivering malware to embassy staff using the SORM traffic interception system at local Internet providers. Victims are redirected to a fake Kaspersky antivirus update, which installs the malware and a root certificate. The campaign has been active since at least last year. Microsoft attributed the attacks to a group it tracks as Secret Blizzard, but which is more widely known as Turla. The group is part of the FSB intelligence agency.

In other news, Military Academy West Point has been ordered to revoke a teaching position offered to former CISA director Jen Easterly. The Department of Defence order came after right-wing figure Laura Loomer criticised the former director online. Earlier this year, the White House dismissed former NSA and CyberCom head General Timothy Haugh and former NSA lawyer April Falcon Doss. Both had also been criticised by Loomer.

Secure messaging app Signal has threatened to leave Australia if the government forces it to backdoor its encryption. Signal Foundation president Meredith Whittaker has previously made similar threats to other countries that have explored encryption backdoors. These included France, Sweden and the UK.

Hundreds of Russian pharmacies temporarily closed this week following a cyber attack. Employees of pharmacy chains Neo Pharm and Stolichki were sent home on Tuesday as the companies dealt with IT outages. No group has claimed responsibility for the hacks.

The UK communications watchdog has launched an investigation into 34 pornography sites. Ofcom said the sites have failed to implement adequate age checks for UK visitors. The sites collectively receive more than 9 million UK visitors each month.

The Australian government will include YouTube in its social media age requirement from December. Users will have to be at least 16 to sign up for an account. The country introduced minimum age requirements for social media in November last year. It initially covered Facebook, Instagram, Snapchat, TikTok and X.

Russia's Internet watchdog has blocked the bandwidth testing service Speedtest. Officials claim it collects information about Russia's Internet capabilities and shares it with foreign intelligence agencies. The service is owned by American company Ookla. The process to ban the service began last October and was backed by Russia's intelligence agency, the FSB.

Meanwhile, Russia will move its electronic document signing system into its new MAX national messenger app. The Kremlin established the app in June. It's a clone of WhatsApp and is being built by Russian tech giant VK. Officials plan to integrate other government services into MAX by October.

A suspected hacker has been arrested by Spanish and Catalan police in the city of Rosas. The suspect is accused of hacking Spanish banks, schools and universities and selling the data on the dark web. The hacks occurred last year.

A 30-year-old software engineer has been arrested in connection with the hack of Indian cryptocurrency exchange CoinDCX. Raul Agraval is believed to have sold his work credentials to hackers for $17,000. Authorities say that shortly after the payment, hackers stole 44 million in crypto using his credentials.

A Canadian man has been sentenced to one year in prison for stealing NFTs. Cameron Albert Redman hacked the X accounts of popular digital artists in May20 and lured their followers to pages that offered NFTs. The pages actually contained code that stole cryptocurrency and NFTs from the visitors. US officials say Redman stole nearly $800,000 from more than 200 victims. We can't help but wonder how he'll explain to the other hardened criminals that he's in jail for stealing Internet apes.

A Chinese national has been sentenced in New Zealand to 100 hours of community service for operating an SMS blaster. Cheng Weichong was arrested last year. He was recruited by a Chinese gang via WeChat and was paid $400 a day to drive around the city of Auckland with an SMS blaster. Chong is the first person to be convicted in New Zealand for SMS blasting.

ICANN has given the domain registrar Webnic three weeks to deal with its security issues. The Internet authority says Webnic has failed to address reports of DNS abuse. The registrar manages more than half a million domains and operates primarily in the Asian market. If Webnic fails to address the issues, ICANN may terminate its registrar license.

Link-wrapping services from email security firms Proofpoint and Intermedia are being abused for phishing campaigns. The attackers cloak phishing links inside the URLs that the two companies use in their products. According to Cloudflare, the technique works when the malicious links are too new to be recognised by the companies' scanning processes as suspicious.

A cybercrime group has attempted to hack a bank's ATMs by connecting a device to its internal network. The attackers connected a Raspberry Pi device to the ATM's networking switch and used the ATM's connection to the bank's network. Security firm Group-IB says the hackers used the device for lateral movement into the bank's network, but the main objective was to withdraw cash. The firm linked the hack to a group it tracks as UNC2891.

A cyber espionage group is hacking telcos across Southeast Asia to collect mobile device location data. Palo Alto Networks says the group had good OPSEC and is likely a nation state. Most of the hacks took place last year and have been linked to a group known as Liminal Panda.

North Korean hackers have been linked to 234 malicious packages uploaded on the npm and PyPI portals. Most of the packages contained infostealers that were designed to collect credentials from cryptocurrency developers. Security firm Sonatype says the campaign could have infected up to 36,000 victims.

A recent study shows that AI models generate insecure code for 45% of programming tasks. The Veracode study said AI-generated Java was the worst, with a 72% failure rate. The research analysed outputs from more than 100 LLMs released in the past three years.

The Pwn2Own hacking contest is offering rewards of up to $1 million for remote zero-click WhatsApp exploits. One-click exploits will receive up to half a million dollars. The Pwn2Own hacking contest will take place in Ireland in October.

And finally, Palo Alto Networks has agreed to acquire Israeli security firm CyberArk. CyberArk shareholders will receive $45 and 2.2 Palo Alto common stock shares for each CyberArk share. The transaction will... and that is all for this podcast edition. Today's show was brought to you by our sponsor, Nucleus Security. Find them at nucleusec.com. Thanks for your company.
Risky Bulletin: Russia Spies on Local Embassies via ISPs
Hosted by risky.biz
Release Date: August 1, 2025
In the August 1, 2025 episode of Risky Bulletin, host Claire Aird delivers an update on the latest developments in the cybersecurity landscape. The episode covers a cyber espionage campaign against embassies in Moscow, legal actions against individuals involved in cybercrime, a secure messaging platform's threat to exit a market over encryption backdoors, and a series of cyber attacks impacting various sectors globally. This summary encapsulates the key discussions, insights, and conclusions presented throughout the episode.
Claire Aird opens the episode by highlighting a sophisticated cyber espionage campaign orchestrated by a Russian group known as Turla, affiliated with the FSB intelligence agency.
[00:04] Claire Aird: "A Russian cyber espionage group is tampering with the Internet connections of foreign embassies in Moscow."
Turla has been using the SORM traffic interception system at local Internet Service Providers (ISPs) to intercept and alter traffic directed at embassies. The hackers redirect victims to counterfeit Kaspersky antivirus updates, which install malware and a root certificate on embassy staff devices.
[00:04] Claire Aird: "At local Internet providers, victims are redirected to a fake Kaspersky antivirus update which installs the malware and a root certificate."
Microsoft has attributed these attacks to Turla, emphasizing their long-term activity since at least the previous year.
The bulletin transitions to significant legal and organizational changes within the cybersecurity and defense sectors.
West Point Revokes Teaching Position:
The Military Academy West Point has been ordered to rescind a teaching offer extended to former CISA Director Jen Easterly. This decision follows online criticisms from right-wing figure Laura Loomer, indicating the intersection of political sentiment and cybersecurity appointments.
Dismissals at the White House:
Earlier in the year, the White House dismissed General Timothy Haugh, former head of the NSA and Cyber Command, along with April Falcon Doss, a former NSA lawyer. Both had also been criticised online by Loomer.
Signal, a prominent secure messaging application, has declared its intention to withdraw from the Australian market if compelled to implement encryption backdoors.
[00:04] Claire Aird: "Signal has threatened to leave Australia if the government forces it to backdoor its encryption."
Meredith Whittaker, President of the Signal Foundation, has previously made similar threats to other countries that have explored encryption backdoors, including France, Sweden, and the UK. This underscores the ongoing tension between governments seeking access to encrypted communications and companies striving to maintain user privacy and security.
A series of cyber attacks have recently disrupted operations at several Russian pharmacies, namely Neo Pharm and Stolichki.
[00:04] Claire Aird: "Hundreds of Russian pharmacies temporarily closed this week following a cyber attack."
Employees were sent home to address IT outages caused by the attacks. As of the episode's release, no group has claimed responsibility, leaving the motive and origin of these disruptions unclear.
The episode also touches upon regulatory measures being enforced to enhance online safety and security:
UK Pornography Sites Investigation:
The UK communications watchdog, Ofcom, has initiated an investigation into 34 pornography websites for failing to implement adequate age verification measures. These sites collectively attract over 9 million UK visitors monthly, highlighting the scale of the oversight.
Australia's Social Media Age Requirements:
Starting December, YouTube will be subject to Australia's increased social media age requirements, mandating users to be at least 16 years old to create accounts. This follows a broader initiative introduced in November of the previous year, initially covering platforms like Facebook, Instagram, Snapchat, TikTok, and X (formerly Twitter).
In efforts to tighten control over internet usage, Russia has taken steps to block certain services and integrate governmental functionalities into new platforms:
Blocking of Speedtest by Russia's Internet Watchdog:
Russia's Internet watchdog has blocked Speedtest, a bandwidth testing service owned by the American company Ookla. Officials accuse the service of gathering intelligence on Russia's Internet capabilities and sharing it with foreign intelligence agencies. The move, initiated last October and supported by the FSB, reflects Russia's ongoing efforts to control information flow and digital infrastructure.
Introduction of MAX National Messenger App:
The Kremlin plans to transition its electronic document signing system to the new MAX national messenger app, developed by Russian tech giant VK. Established in June, MAX is a WhatsApp clone, and officials plan to integrate other government services into it by October.
Several arrests and legal outcomes were reported in relation to cybercrimes:
Spain and Catalonia:
Authorities in Rosas arrested a suspect involved in hacking Spanish banks, schools, and universities, subsequently selling the stolen data on the dark web.
India's Cryptocurrency Exchange Hack:
Raul Agraval, a 30-year-old software engineer, was apprehended for his role in the breach of CoinDCX, an Indian cryptocurrency exchange. Agraval allegedly sold his credentials for $17,000, leading to the theft of $44 million in crypto assets.
Canada's NFT Theft Case:
Cameron Albert Redman was sentenced to one year in prison for hacking X (formerly Twitter) accounts of digital artists, directing followers to fraudulent NFT pages that compromised their cryptocurrency and NFT holdings. U.S. officials reported losses nearing $800,000 affecting over 200 victims.
New Zealand's SMS Blaster Conviction:
Cheng Weichong, a Chinese national, was sentenced to 100 hours of community service for operating an SMS blaster. Recruited via WeChat, Chong was the first individual in New Zealand to be convicted for SMS blasting activities.
ICANN's Action Against Webnic:
ICANN has issued a three-week ultimatum to the domain registrar Webnic to resolve its security deficiencies related to DNS abuse. Failure to comply may result in the termination of Webnic's registrar license. Webnic manages over half a million domains, predominantly in the Asian market.
Abuse of Link Wrapping Services:
Link-wrapping services from email security firms Proofpoint and Intermedia are being abused for phishing campaigns. Attackers cloak malicious links inside the URLs these services generate; according to Cloudflare, the technique works when the links are too new to be flagged as suspicious by the companies' scanning processes.
Bank ATM Hacks via Raspberry Pi:
A cybercrime group attempted to hack a bank's ATMs by connecting a Raspberry Pi device to an ATM's networking switch and using the ATM's connection into the bank's network. Group-IB says the device was used for lateral movement within the bank's systems, but the main objective was to withdraw cash. The firm linked the hack to a group it tracks as UNC2891.
Telco Hacking by Liminal Panda:
Palo Alto Networks reported that a cyber espionage group has been hacking telecommunications companies across Southeast Asia to collect mobile device location data. The group's good operational security (OPSEC) suggests a nation-state actor; most of the hacks took place last year and have been linked to the group known as Liminal Panda.
Malicious Packages in npm and PyPI:
North Korean hackers have been linked to 234 malicious packages uploaded to the npm and PyPI repositories. These packages mainly contain infostealers designed to capture credentials from developers involved in cryptocurrency projects. Sonatype estimates the campaign may have compromised up to 36,000 victims.
Insecure Code Generation by AI Models:
A study by Veracode reveals that AI models produce insecure code in 45% of programming tasks analyzed. Specifically, AI-generated Java code exhibited a 72% failure rate in security assessments. The research encompassed outputs from over 100 large language models (LLMs) developed in the past three years, highlighting significant vulnerabilities in AI-assisted coding practices.
Pwn2Own Hacking Contest:
The Pwn2Own contest is set to take place in Ireland this October, offering substantial rewards for WhatsApp exploits. Participants can earn up to $1 million for remote zero-click exploits and up to $500,000 for one-click exploits.
Palo Alto Networks Acquires CyberArk:
In a major industry move, Palo Alto Networks has announced its acquisition of the Israeli security firm CyberArk. Shareholders of CyberArk are set to receive $45 plus 2.2 Palo Alto common stock shares for each CyberArk share held, signaling Palo Alto's strategic expansion in the cybersecurity domain.
The August 1 episode of Risky Bulletin provides an in-depth look into the evolving threats and responses within the cybersecurity sphere. From state-sponsored espionage and targeted cyberattacks on critical infrastructures to significant legal actions and corporate strategies, the bulletin underscores the dynamic and multifaceted nature of cyber risks in today's interconnected world. Listeners are left with a clear understanding of the current threat landscape, the importance of robust security measures, and the ongoing struggle between privacy advocates and governmental entities seeking greater control over digital communications.
This summary is based on the transcript provided and aims to encapsulate the key points discussed in the August 1, 2025 episode of Risky Bulletin.