Risky Bulletin: Russia Spies on Local Embassies via ISPs
Hosted by risky.biz
Release Date: August 1, 2025
Overview
In the August 1, 2025 episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the latest developments in the cybersecurity landscape. The episode delves into sophisticated cyber espionage activities, significant legal actions against individuals involved in cybercrimes, threats from major secure messaging platforms, and a series of cyber attacks impacting various sectors globally. This summary encapsulates the key discussions, insights, and conclusions presented throughout the episode.
1. Russian Cyber Espionage Targeting Embassies
Claire Aird opens the episode by highlighting a sophisticated cyber espionage campaign orchestrated by a Russian group known as Turla, affiliated with the FSB intelligence agency.
[00:04] Claire Aird: "A Russian cyber espionage group is tampering with the Internet connections of foreign embassies in Moscow."
Turla has been manipulating the Internet Service Providers (ISPs) to intercept and alter traffic directed at embassies. Utilizing the SORM traffic interception system, the hackers redirect victims to counterfeit Kaspersky antivirus updates. These malicious updates install malware and a root certificate on the embassy staff's devices, enabling sustained surveillance and data exfiltration.
[00:04] Claire Aird: "At local Internet providers, victims are redirected to a fake Kaspersky antivirus update which installs the malware and a root certificate."
Microsoft has attributed these attacks to Turla, emphasizing their long-term activity since at least the previous year.
2. Legal Actions and Personnel Changes in Cybersecurity
The bulletin transitions to significant legal and organizational changes within the cybersecurity and defense sectors.
- West Point Revokes Teaching Position: The Military Academy West Point has been ordered to rescind a teaching offer extended to former CISA Director Jen Easterly. This decision follows online criticisms from right-wing figure Laura Loomer, indicating the intersection of political sentiment and cybersecurity appointments.
- Dismissals at the White House: Earlier in the year, the White House dismissed General Timothy Haugh, former head of the NSA and Cyber Command, along with April Falcon Doss, a former NSA lawyer. These dismissals were influenced by similar online criticisms from certain political factions.
3. Signal's Stance on Encryption Backdoors
Signal, a prominent secure messaging application, has declared its intention to withdraw from the Australian market if compelled to implement encryption backdoors.
[00:04] Claire Aird: "Signal has threatened to leave Australia if the government forces it to backdoor its encryption."
Meredith Whittaker, President of the Signal Foundation, has reiterated this stance, citing previous instances where Signal threatened to exit markets such as France, Sweden, and the UK over similar demands. This underscores the ongoing tension between governments seeking access to encrypted communications and companies striving to maintain user privacy and security.
4. Cyber Attacks Impacting Russian Pharmacies
A series of cyber attacks have recently disrupted operations at several Russian pharmacies, namely Neo Pharm and Stolichki.
[00:04] Claire Aird: "Hundreds of Russian pharmacies temporarily closed this week following a cyber attack."
Employees were sent home to address IT outages caused by the attacks. As of the episode's release, no group has claimed responsibility, leaving the motive and origin of these disruptions unclear.
5. Regulatory Actions on Online Content and Services
The episode also touches upon regulatory measures being enforced to enhance online safety and security:
- UK Pornography Sites Investigation: The UK communications watchdog, Ofcom, has initiated an investigation into 34 pornography websites for failing to implement adequate age verification measures. These sites collectively attract over 9 million UK visitors monthly, highlighting the scale of the oversight.
- Australia's Social Media Age Requirements: Starting in December, YouTube will be subject to Australia's increased social media age requirements, which mandate that users be at least 16 years old to create accounts. This follows a broader initiative introduced in November of the previous year, initially covering platforms such as Facebook, Instagram, Snapchat, TikTok, and X (formerly Twitter).
6. Russia's Enhanced Internet Control Measures
In efforts to tighten control over internet usage, Russia has taken steps to block certain services and integrate governmental functionalities into new platforms:
- Blocking of Speedtest by Russia's Internet Watchdog: Russia's Internet watchdog has banned Speedtest, a bandwidth testing service owned by the American company Ookla (Speedtest.net). Officials accuse the service of gathering intelligence on Russia's internet capabilities and sharing data with foreign entities. The move, initiated in October and supported by the FSB, reflects Russia's ongoing efforts to control information flow and digital infrastructure.
- Introduction of the MAX National Messenger App: The Kremlin has announced plans to transition its electronic document signing system to the new MAX national messenger app, developed by Russian tech giant VK. Launched in June, MAX is a WhatsApp clone designed to be more secure and integrated with government services, with full integration expected by October.
7. Arrests and Sentences in Cybercrime Cases
Several arrests and legal outcomes were reported in relation to cybercrimes:
- Spain and Catalonia: Authorities in Rosas arrested a suspect involved in hacking Spanish banks, schools, and universities and subsequently selling the stolen data on the dark web.
- India's Cryptocurrency Exchange Hack: Raul Agraval, a 30-year-old software engineer, was apprehended for his role in the breach of CoinDCX, an Indian cryptocurrency exchange. Agraval allegedly sold his credentials for $17,000, leading to the theft of $44 million in crypto assets.
- Canada's NFT Theft Case: Cameron Albert Redman was sentenced to one year in prison for hacking the X (formerly Twitter) accounts of digital artists and directing their followers to fraudulent NFT pages that compromised their cryptocurrency and NFT holdings. U.S. officials reported losses nearing $800,000 affecting over 200 victims.
- New Zealand's SMS Blaster Conviction: Cheng Weichong, a Chinese national, was sentenced to 100 hours of community service for operating an SMS blaster. Recruited via WeChat, Cheng was the first individual in New Zealand to be convicted for SMS blasting activities.
8. Domain Registrar Security Issues and Phishing Campaigns
- ICANN's Action Against Webnic: ICANN has issued a three-week ultimatum to the domain registrar Webnic to resolve its security deficiencies related to DNS abuse. Failure to comply may result in the termination of Webnic's registrar accreditation. Webnic manages over half a million domains, predominantly in the Asian market.
- Abuse of Link Wrapping Services: Email security firms Proofpoint and Intermedia have reported that their link-wrapping services are being exploited for phishing attacks. Attackers embed malicious links within the URLs processed by these services; because the wrapped links are newly generated and carry a trusted security vendor's domain, they evade detection by traditional scanning methods.
9. Cyberattacks on Financial Institutions and Telecommunications
- Bank ATM Hacks via Raspberry Pi: A cybercrime group attempted to infiltrate a bank's ATMs by physically connecting a Raspberry Pi device to the ATM's internal network. The intrusion aimed to facilitate lateral movement within the bank's systems in order to access and withdraw funds. Group-IB attributed this tactic to the group identified as UNC2891.
- Telco Hacking by Liminal Panda: Palo Alto Networks reported that the cyber espionage group Liminal Panda has been targeting telecommunications companies across Southeast Asia. The objective is to harvest mobile device location data, and the group's robust operational security (OPSEC) suggests state-sponsored backing.
10. North Korean Cyber Activities and AI-Generated Insecure Code
- Malicious Packages in npm and PyPI: North Korean hackers have been linked to 234 malicious packages uploaded to the npm and PyPI repositories. These packages mainly contain infostealers designed to capture credentials from developers involved in cryptocurrency projects. Sonatype estimates the campaign may have compromised up to 36,000 victims.
- Insecure Code Generation by AI Models: A study by Veracode reveals that AI models produce insecure code in 45% of the programming tasks analyzed. Specifically, AI-generated Java code exhibited a 72% failure rate in security assessments. The research encompassed outputs from over 100 large language models (LLMs) developed in the past three years, highlighting significant vulnerabilities in AI-assisted coding practices.
11. Cybersecurity Competitions and Corporate Acquisitions
- Pwn2Own Hacking Contest: The Pwn2Own contest is set to take place in Ireland this October, offering substantial rewards for identifying and exploiting WhatsApp vulnerabilities. Participants can earn up to $1 million for remote zero-click exploits and up to $500,000 for one-click exploits, incentivizing the discovery of critical security flaws.
- Palo Alto Networks Acquires CyberArk: In a major industry move, Palo Alto Networks has announced its acquisition of the Israeli security firm CyberArk. Shareholders of CyberArk are set to receive $45 plus 2.2 shares of Palo Alto common stock for each CyberArk share held, signaling Palo Alto's strategic expansion in the cybersecurity domain.
Conclusion
The August 1 episode of Risky Bulletin provides an in-depth look into the evolving threats and responses within the cybersecurity sphere. From state-sponsored espionage and targeted cyberattacks on critical infrastructures to significant legal actions and corporate strategies, the bulletin underscores the dynamic and multifaceted nature of cyber risks in today's interconnected world. Listeners are left with a clear understanding of the current threat landscape, the importance of robust security measures, and the ongoing struggle between privacy advocates and governmental entities seeking greater control over digital communications.
This summary is based on the transcript provided and aims to encapsulate the key points discussed in the August 1, 2025 episode of Risky Bulletin.
