Risky Bulletin: Scattered Spider Targets the Aviation Sector
Hosted by risky.biz
Release Date: June 30, 2025
Introduction
In the latest episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the evolving landscape of cybersecurity threats and responses. Prepared by Catalin Cimpanu, the bulletin covers a spectrum of incidents, from cybercriminal activity targeting major industries to significant government actions addressing national security concerns.
Cybercrime Groups and Their Activities
1. Scattered Spider Targets Aviation Sector
- Overview: The Scattered Spider cybercrime group has intensified its focus on the aviation industry, with recent intrusions affecting major airlines such as WestJet and Hawaiian Airlines.
- Background: Earlier in the year, Scattered Spider was implicated in disruptions at UK retailers Marks & Spencer and Co-op, as well as at insurance firms including Aflac, Erie Insurance, and Philadelphia Insurance.
- Quote: Claire Aird states, "Individuals associated with the group have been linked to recent intrusions at WestJet and Hawaiian Airlines" [00:04].
2. Sinaloa Cartel's Use of Hackers
- Incident: The Sinaloa drug cartel employed a hacker in 2018 to monitor an FBI official's phone, obtaining sensitive call records and geolocation data.
- Impact: The gathered intelligence was utilized to identify and eliminate informants in a case against cartel leader Joaquín "El Chapo" Guzmán.
- Quote: "A DOJ report released last week said the hacker obtained call records and geolocation data" [00:04].
3. Societe Generale Bank Heist
- Details: A cybercrime group orchestrated SIM swapping attacks to steal over one million pounds from Societe Generale customers. The operation involved five individuals, including an intern who provided customer details.
- Outcome: All suspects were arrested earlier in the month.
- Quote: "The group carried out SIM swapping to gain access to accounts" [00:04].
4. Grylok Ransomware Cases
- Sentencing: A Russian man received a seven-year prison term, while a Russian woman was sentenced to five years for their roles in developing and promoting the Grylok ransomware.
- Financial Impact: The couple amassed over 3 million euros and infected more than 400,000 users.
- Quote: "Both sentences included an additional two years for refusing to hand over passwords for their devices and crypto wallets" [00:04].
5. Resupply DeFi Platform Crypto Theft
- Incident: Hackers exploited a vulnerability in the Resupply DeFi platform, stealing $10 million worth of cryptocurrency by depositing $200,000 and withdrawing millions.
- Method: Funds were laundered using the Tornado Cash mixer.
- Quote: "The hackers have not been identified" [00:04].
Government Actions and Policies
1. Russian Throttling of Cloudflare Traffic
- Action: Russian ISPs are throttling traffic from Cloudflare, effectively blocking access by limiting data transfer to 16 kilobytes before resetting connections.
- Timeline: The restrictions commenced in early June, mirroring the Kremlin's earlier censorship of YouTube in February.
- Quote: "Cloudflare says it's not received formal communication from the Russian government" [00:04].
2. Canada Bans Hikvision Operations
- Decision: Canada has ordered Chinese security camera manufacturer Hikvision to cease operations, citing national security threats.
- Implications: Government agencies are prohibited from purchasing new Hikvision products.
- Background: The US previously sanctioned Hikvision for its role in surveilling the Uyghur minority in China.
- Quote: "Officials said the company is a threat to Canada's national security" [00:04].
3. U.S. Cyber Command Leadership Change
- Appointment: Patrick Ware has been named the new executive director of U.S. Cyber Command, succeeding Morgan Adamski.
- Background: Ware brings 34 years of experience from the NSA to his new role.
- Quote: "Ware will occupy the number three spot inside the U.S. military Cyber Operations Branch" [00:04].
4. U.S. Legislation on Foreign AI Tools
- Proposal: Two U.S. senators introduced a bill to ban federal agencies from utilizing AI tools developed by foreign adversaries, including China, Russia, and Iran.
- Current Actions: Multiple agencies and states have already restricted the use of the Chinese AI tool DeepSeek.
- Quote: "Several agencies and US states recently banned employees from using the Chinese AI tool DeepSeek" [00:04].
5. Germany's Move Against DeepSeek
- Regulation: Berlin's Data Protection Agency seeks to ban DeepSeek in Germany, alleging illegal data transfers to China and GDPR violations.
- Potential Impact: This action may catalyze an EU-wide ban on the application.
- Quote: "Berlin's Data Protection Agency wants to ban DeepSeek in Germany" [00:04].
6. Brazil's Supreme Court on Social Media Liability
- Ruling: Social media platforms in Brazil are now held liable for user-generated content, mandating the monitoring and removal of posts containing hate speech, racism, and calls for violence.
- Context: This decision follows similar threats from the Trump administration regarding potential tariffs on tech firms enforcing content moderation.
- Quote: "Social networks will have to monitor and remove user posts that contain hate speech, racism and calls for violence" [00:04].
7. Australia's Designation of Terrorgram as a Terrorist Organization
- Action: The Australian government has listed the Terrorgram online community as a terrorist organization for its activities on Telegram, including recruiting members for violent acts.
- Law Enforcement: Two administrators were arrested in the U.S. following violent incidents in Slovakia and Turkey.
- Quote: "The group operates on Telegram, where it recruits and encourages members to carry out murders, physical attacks and other hate crimes" [00:04].
Cybersecurity Incidents and Trends
1. Employee Sabotage in the UK
- Case: Mohammed Umar Taj, a 31-year-old man, was sentenced to over seven months in prison for sabotaging his former UK employer by altering login credentials and MFA settings, leading to significant IT outages.
- Impact: The sabotage resulted in at least £200,000 in lost business and reputational damage across the UK, Germany, and Bahrain.
- Quote: "The sabotage caused IT outages for the company's customers in the UK, Germany and Bahrain" [00:04].
2. Rise of Cybercrime in Africa
- Statistics: Cybercrime accounts for over 30% of all reported crimes in both Western and Eastern Africa, with prevalent issues including online scams, ransomware, BEC (Business Email Compromise), and digital sextortion.
- Challenges: Most African legal systems are ill-equipped to tackle the burgeoning cybercrime problem.
- Quote: "Cybercrime accounts for more than 30% of all reported crimes in Western and Eastern Africa" [00:04].
3. North Korean Hacking and AI Abuse
- Activities: Hacking groups linked to Andariel and Kimsuky are leveraging ChatGPT to automate OSINT reconnaissance and execute cryptocurrency thefts.
- Techniques: These groups use AI to generate malicious code for draining crypto wallets and to analyze public data for potential targets.
- Quote: "North Korean hacking groups are abusing ChatGPT to automate OSINT reconnaissance and cryptocurrency thefts" [00:04].
4. Silence of Pro-Scottish Independence Accounts
- Findings: An investigation revealed that numerous pro-Scottish independence social media accounts went silent amid Israel's military operations in Iran, coinciding with Iran's internet blackout and power outages from Israeli strikes.
- Analysis: Iran's influence operations aim to intertwine local political movements with its foreign policy objectives.
- Quote: "Dozens of pro Scottish independence social media accounts went silent at the start of Israel's military operation in Iran" [00:04].
Technology Updates and Security Enhancements
1. Microsoft's New Windows Security Technology
- Development: Microsoft is introducing a new endpoint security platform that allows antivirus and security tools to operate without kernel access.
- Purpose: This work responds to last year's faulty CrowdStrike update, which crashed over 8.5 million Windows systems.
- Collaboration: Several Endpoint Detection and Response (EDR) vendors are collaborating with Microsoft to test this new technology.
- Quote: "Microsoft is previewing new Windows technology that will allow antivirus and security tools to run without kernel access" [00:04].
2. Google's Chrome Security Feature
- Update: Google has shipped a security enhancement in Chrome that automatically escapes less-than and greater-than characters inside HTML attribute values.
- Objective: This measure is designed to thwart cross-site scripting (XSS) attacks that embed malicious code into web pages.
- Deployment: The feature was rolled out with Chrome version 138 last week.
- Quote: "Google has added a new security feature to Chrome that automatically escapes less than and greater than characters inside HTML attributes" [00:04].
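As an added illustration (not Chrome's or the HTML specification's own code), the snippet below models the attribute-value escaping rule a markup serializer applies, in its older form and in the updated form that also escapes `<` and `>`, plus a defender-side check for serialized markup whose attribute values still carry raw angle brackets before it is handed to a second parser. All function names are my own.

```javascript
// Added illustration, not Chrome's code: the attribute-value escaping applied
// when a browser serializes markup (innerHTML/outerHTML), old vs. updated rule.
const LEGACY_ATTR_ESCAPES = new Map([
  ['&', '&amp;'], ['\u00a0', '&nbsp;'], ['"', '&quot;'],
]);
// The updated rule (what Chrome 138 ships) additionally escapes '<' and '>'.
const UPDATED_ATTR_ESCAPES = new Map([
  ...LEGACY_ATTR_ESCAPES, ['<', '&lt;'], ['>', '&gt;'],
]);

function escapeAttributeValue(value, escapeAngleBrackets = true) {
  const table = escapeAngleBrackets ? UPDATED_ATTR_ESCAPES : LEGACY_ATTR_ESCAPES;
  let out = '';
  for (const ch of value) out += table.get(ch) ?? ch;
  return out;
}

// Serialize a start tag from a tag name and an attribute object, in the
// double-quoted form a browser serializer emits.
function serializeStartTag(tagName, attrs, escapeAngleBrackets = true) {
  const parts = [tagName];
  for (const [name, value] of Object.entries(attrs)) {
    parts.push(`${name}="${escapeAttributeValue(value, escapeAngleBrackets)}"`);
  }
  return `<${parts.join(' ')}>`;
}

// Defender's check for markup that leaves a trusted serializer and is
// re-parsed elsewhere (sanitizer output, templating, mail clients): return the
// names of attributes whose serialized value still contains a raw '<' or '>'.
// Under the updated rule this list is always empty.
function attributesWithRawAngleBrackets(serialized) {
  const found = [];
  const attrRe = /([^\s"'=<>\/]+)="([^"]*)"/g;
  let m;
  while ((m = attrRe.exec(serialized)) !== null) {
    if (/[<>]/.test(m[2])) found.push(m[1]);
  }
  return found;
}
```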
3. Exploitation of Citrix Vulnerability
- Vulnerability: Security firm ReliaQuest reported that hackers are exploiting a new Citrix vulnerability involving an out-of-bounds read, which allows data to be extracted from server memory.
- Risk: Potential exploits include stealing session tokens and gaining unauthorized access without authentication.
- Status: Citrix has yet to confirm the attacks or ReliaQuest's findings.
- Quote: "Citrix has not confirmed the attacks or ReliaQuest's findings" [00:04].
4. CentOS Web Panel Vulnerability Fix
- Issue: The CentOS Web Panel project addressed a vulnerability that could enable attackers to hijack web hosting servers if they know at least one username.
- Mechanism: The flaw allows attackers to bypass authentication, with proof-of-concept code already in circulation.
- Resolution: A fix has been released to secure affected systems.
- Quote: "The vulnerability allows them to take over the underlying server" [00:04].
Conclusion
This episode of Risky Bulletin underscores the dynamic and multifaceted nature of cybersecurity threats and the corresponding measures taken by organizations and governments worldwide. From sophisticated cybercriminal operations targeting critical sectors like aviation and finance to legislative actions aimed at safeguarding national security and personal data, the landscape remains ever-evolving. Additionally, technological advancements by industry leaders like Microsoft and Google demonstrate ongoing efforts to bolster defenses against emerging threats. As cybercrime continues to proliferate, especially in regions like Africa and among state-sponsored actors, the importance of robust cybersecurity strategies and international cooperation becomes increasingly paramount.
For more insights and updates, subscribe to Risky Bulletin and stay informed on the latest in cybersecurity.
