Risky Bulletin: Trump Admin Halts Russia Cyber Operations
Risky Bulletin Episode Released on March 3, 2025
Introduction
In this episode of Risky Bulletin, host Claire Aird walks through significant developments in the cybersecurity landscape, focusing on the Trump administration's strategic shift away from targeting Russian cyber operations. The episode, prepared by Catalin Cimpanu and sponsored by cloud security company Prowler, covers a range of topics from government policy changes to major cybersecurity incidents worldwide.
Trump Administration's Shift in Cyber Operations Against Russia
Claire Aird opens the episode by highlighting a pivotal change in U.S. cybersecurity strategy under the Trump administration.
"The Trump administration stops treating Russian hackers as a threat. This marks a significant shift in our national cybersecurity posture." [00:04]
A memo from Defense Secretary Pete Hegseth directed the Cybersecurity and Infrastructure Security Agency (CISA) and U.S. Cyber Command to deprioritize Russian cyber threats. According to The Guardian, a subsequent order further emphasized prioritizing Chinese threats and safeguarding U.S. systems, explicitly omitting Russian adversaries.
"Staff were allegedly told verbally to stop working on anything Russia related," Aird notes [00:04].
Interestingly, the National Security Agency (NSA) did not receive a similar directive, indicating a possible divergence in how different agencies approach cybersecurity threats.
Cancellation of U.S. Cybersecurity Contracts
The administration's shift also impacted international cybersecurity collaborations. The U.S. government terminated a $95 million contract with IBM aimed at enhancing the cybersecurity defenses of European and Asian allies.
"Under the contract, IBM deployed cybersecurity experts to countries like Albania, Azerbaijan, and Kosovo to bolster their defenses," Aird explains [00:04].
This cancellation aligns with broader government efforts to curtail spending, particularly affecting U.S. aid initiatives.
Iranian Crackdowns on Anti-Government Dissidents
Turning to international human rights concerns, Aird reports on Iran's intensified efforts to suppress dissent on social media platforms.
"Iranian authorities are seizing the Instagram accounts of anti-government dissidents, with influencers being arrested and forced to hand over their passwords," she states [00:04].
These authorities delete dissident posts and replace them with confiscation messages, highlighting a growing trend of digital repression.
Zero-Day Vulnerabilities and Meta's Legal Actions Against NSO Group
A significant portion of the episode is dedicated to the discovery of new zero-day vulnerabilities exploited by cybercriminals.
"Amnesty International and Google have identified three vulnerabilities used by the Cellebrite phone unlocking toolkit," Aird informs listeners [00:04].
These vulnerabilities, primarily in the Linux USB stack, have been used to compromise Android devices. One bug was patched in the February Android security update; the other two await patches in future updates.
In related news, Meta is intensifying its legal battle against the Israeli spyware firm NSO Group.
"Meta is seeking a permanent injunction against NSO Group that would ban it from its platforms," Aird reports [00:04].
A temporary injunction already restricts NSO's access to WhatsApp following a 2019 lawsuit where NSO was held liable for targeting over 1,400 WhatsApp users.
Security Breaches in Spyware Applications
The episode also covers vulnerabilities in spyware apps, specifically Spyzie.
"A bug in mobile spyware app Spyzie has exposed the email addresses of all its users," Aird reveals [00:04].
An anonymous researcher used this flaw to monitor sign-ups, finding that Spyzie has over half a million registered users. The same researcher has exposed similar vulnerabilities in two other spyware applications, raising concerns about privacy and security in such tools.
Zapier's Security Breach and Recovery Efforts
Software automation company Zapier disclosed a security breach where a hacker accessed internal code repositories.
"The attacker may have gained access to limited customer information that was included in some repositories," Aird explains [00:04].
In response, Zapier is proactively emailing affected customers to inform them about the breach and the steps being taken to mitigate potential impacts.
Recovery of Stolen Crypto Assets
In a positive development within the crypto space, U.S. authorities have recovered $31 million worth of crypto assets stolen from Uranium Finance in a heist in April 2021.
"Crypto investigation firm TRM Labs spent two years tracking the stolen funds across multiple blockchains," Aird notes [00:04].
This recovery underscores the efficacy of blockchain tracking tools in combating cyber theft.
Emergence of the Eleven11bot Botnet and DDoS Attacks
A new botnet, named Eleven11bot, has been identified after infecting over 30,000 devices, primarily in Iran.
"The botnet has launched large-scale DDoS attacks against telecom providers and gaming platforms, with attacks peaking at 6.5 terabytes per second," Aird reports [00:04].
This attack sets a new record for volumetric DDoS attacks, surpassing the previous peak of 5.6 terabytes per second recorded by Cloudflare in October last year.
Russian Ransomware Gang Members Receive Light Sentences
Russian courts have handed down relatively lenient sentences to members of notorious ransomware gangs.
"LockBit affiliate Mikhail Matveev was sentenced to one and a half years of 'restriction of freedom'," Aird states [00:04].
Similarly, REvil affiliate Alexander Ermakov received a two-year sentence for developing the SugarLocker ransomware. Both individuals are serving sentences unrelated to the severe cybercrimes they are known for, raising questions about Russia's approach to cybercriminals.
Europol's Crackdown on AI-Generated CSAM Distribution
Europol has detained 25 suspects across multiple countries involved in using generative AI to produce and distribute Child Sexual Abuse Material (CSAM).
"The content was distributed through an online platform run by a Danish national who was arrested last November," Aird elaborates [00:04].
This operation highlights the evolving tactics of cybercriminals and the challenges in combating AI-driven illicit activities.
Exploitation of Cross-Site Scripting Vulnerabilities for Pornography Advertising
Hackers are exploiting a reflected cross-site scripting (XSS) vulnerability in the Krpano JavaScript library to advertise pornography.
"Security researcher Oleg Zaytsev uncovered the campaign when he received unexpected results searching for pornography," Aird explains [00:04].
This malicious campaign leverages a bug in Krpano, commonly used for building VR environments and virtual tours, to redirect users to illicit content.
Dominance of Russian Infostealers in Malware Rankings for 2024
Russian-origin malware, particularly infostealers, dominated malware rankings in 2024.
"Lumma C2 was the most active, accounting for 35% of all infostealer C2 discovered online," Aird reports [00:04].
Other notable malware includes Latrodectus as the most common dropper, AsyncRAT as the most prevalent remote access Trojan, and Hook as the leading Android malware strain, according to security firm Recorded Future.
Microsoft's Shutdown of Skype to Focus on Teams
In a strategic move, Microsoft announced the shutdown of its Skype instant messaging app on May 5th to concentrate resources on its Teams service.
"Microsoft has urged users to migrate their Skype accounts to Teams or export their content," Aird informs [00:04].
Despite its peak of over 300 million active users and its acquisition in 2011 for $8.5 billion, Skype's relevance has diminished in favor of the more integrated Teams platform launched in 2017.
Security Breach at Teammate Compliance App
The New Zealand-based business compliance app, Teammate, has encountered a security breach allegedly involving a security researcher.
"Teammate accused security researcher JLT of hacking its service and threatened to report him to authorities," Aird states [00:04].
However, the researcher contends there was no actual hacking; instead, Teammate had left its MongoDB database exposed to the internet without a password, which is what allowed access.
Sectigo vs. DigiCert: Certificate Authority Dispute
Sectigo revealed it received a cease and desist letter from rival Certificate Authority (CA) DigiCert after one of its employees reported a vulnerability in DigiCert's infrastructure.
"DigiCert claims the Sectigo staffer posted misleading information about its services," Aird reports [00:04].
Despite the allegations, Sectigo chose not to censure its employee, maintaining confidence in its internal protocols and commitment to security transparency.
Conclusion
This episode of Risky Bulletin underscores a dynamic and often tumultuous cybersecurity environment, shaped by shifting governmental priorities, evolving cyber threats, and ongoing battles between major tech entities and malicious actors. From the Trump administration's reassessment of Russian cyber threats to significant breaches and recoveries in the global digital landscape, the insights provided offer a comprehensive overview of the current state of cybersecurity.
Prepared by Catalin Cimpanu and read by Claire Aird.
