
Claire Aird
Russia hacked Keir Starmer's personal email account, a crypto stealer makes it into the iOS App Store, GrubHub discloses a security breach, and Google patches an Android zero-day. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 5th of February, and this podcast episode is brought to you by Thinkst, the makers of the much-loved Thinkst Canary.

Russian intelligence services breached British Prime Minister Sir Keir Starmer's personal email account in 2022, according to a book extract published by The Times newspaper. The hack took place shortly after Russia's invasion of Ukraine, when Starmer was the leader of the UK opposition. Starmer abandoned the account on the advice of British intelligence.

Kaspersky has identified a crypto stealer in mobile apps on the iOS and Android app stores, named Sparkcat. The malware scans a user's local photos for text that resembles crypto wallet recovery phrases. Any photos that match are sent to the attacker. Kaspersky says that over 240,000 users have downloaded Android apps containing the malware. Sparkcat was also found inside one app on the iOS App Store. Kaspersky said this was the first time they'd seen this style of OCR malware in Apple's App Store.

The Thai government plans to cut power to some areas near its border with Myanmar as part of a crackdown against online scam compounds. The Thai government has been under increasing international pressure to address the scammers operating in its territory. Thai police launched an international coordination centre last week to fight online cyberscam operations across Southeast Asia.

Authorities in the Philippines have arrested 100 Filipinos and a Chinese national following a raid at an online scam compound operating in the country's capital, Manila. The compound occupied two floors in a condominium, and the Chinese national acted as the supervisor. Officials say the suspects used AI-generated conversations and fake profile pictures of attractive women to lure victims into fraudulent cryptocurrency schemes.

Food delivery service GrubHub says hackers accessed the personal details of customers, diners and drivers. Hackers stole names, emails, phone numbers and partial payment card data. They also stole hashed passwords for some legacy systems. GrubHub tracked the breach to a third-party service provider for its support service. The company says it terminated its contract with the third-party provider and rotated its passwords for internal systems.

96 million user records from Russian gambling company OneWin have been leaked online. The data was stolen in a hack in November 2024. The hacker allegedly used a wave of DDoS attacks to distract the company's security team while dumping its user database. According to OneWin's CEO, the hacker initially demanded a ransom of $1 million, but increased the sum to $15 million after several failed negotiations.

US authorities have charged a 22-year-old Canadian man with hacking two cryptocurrency platforms. Andean Medjedovic allegedly stole $16.5 million from Indexed Finance in October 2021 and another $48.4 million from KyberSwap in November 2023. Medjedovic allegedly exploited vulnerabilities in smart contracts to modify key parameters and withdraw funds at inflated prices. US officials say he also tried to blackmail the KyberSwap team into giving him control of their platform in return for half of the stolen funds.

The Indian government will allow private companies to use its Aadhaar database to authenticate users' identities. The Aadhaar database was introduced in 2020 and stores the personal information of all Indian citizens, including their biometrics. Until this year, the database was only used to identify Indians to government services.

The Australian government has sanctioned white supremacist online network Terrorgram. The group operated via a Telegram channel that encouraged members to carry out murders, physical attacks and hate crimes. Terrorgram has been linked to a shooting at an LGBTQ bar in Slovakia and the stabbing of five people near a mosque in Turkey. The US arrested two Terrorgram admins last September and sanctioned the group in January. It was also added to the UK's list of terrorist organisations.

Last year, Russian hackers used a zero-day in the 7-Zip file archiving utility for espionage and cybercrime. The zero-day leveraged a double-archiving trick to decompress malicious files without the Mark of the Web security protection. Trend Micro linked the attacks to the SmokeLoader cybercrime group and to espionage operations targeting the Ukrainian government. The earliest malicious samples date back to September; 7-Zip patched the bug two months later, in November.

Google has released Android security updates for February 2025. This month the company has patched a zero-day exploited in the wild. The vulnerability is an elevation-of-privilege issue in Android's UVC kernel component, typically used for connecting external USB devices. GrapheneOS developers believe the zero-day is likely one of the USB bugs exploited by forensic data extraction tools.

The Google security team has found a security flaw in some AMD Zen CPUs. The vulnerability allows threat actors with admin rights on a system to load malicious CPU firmware patches. The attack can bypass AMD Secure Encrypted Virtualization protections and allow malicious customers to compromise cloud infrastructure. AMD released security updates on Monday.

And finally, a new report says the malicious backdoor CISA described in a recent warning about Chinese medical devices is in fact an update mechanism, according to BleepingComputer. The report, from Claroty, says the update mechanism can only be triggered by booting the devices while holding a button on the device. The company describes the behaviour as risky but not malicious. Awkward.

And that is all for this podcast edition. Today's show was brought to you by our sponsor Thinkst, the makers of the much-loved Thinkst Canary. Find them at canary.tools. Thanks for your company.
Hosted by risky.biz | Released on February 5, 2025
In this episode of Risky Bulletin, host Claire Aird delves into a series of significant cybersecurity incidents, ranging from high-profile email hacks to emerging malware threats. Prepared by the Risky Business team, this update provides listeners with a comprehensive overview of the latest developments in the cybersecurity landscape.
One of the episode's highlights is the revelation that Russian intelligence services successfully hacked the personal email account of the British Prime Minister, Sir Keir Starmer, in 2022. Claire Aird references a book extract published by The Times newspaper to substantiate this claim.
"Russian intelligence services breached British Prime Minister Sir Keir Starmer's personal email account in 2022, according to a book extract published by the Times newspaper." [00:04]
The breach occurred shortly after Russia's invasion of Ukraine, during a politically sensitive period when Starmer was leading the UK opposition. Advised by British intelligence, Starmer subsequently abandoned the compromised email account to mitigate further risks.
The bulletin highlights a newly identified cryptocurrency-stealing malware named Sparkcat, discovered by Kaspersky Labs in both iOS and Android app stores.
"Sparkcat was also found inside one app on the iOS app store. Kaspersky said this was the first time they'd seen this style of OCR malware in Apple's app store." [00:04]
This malware represents the first instance of such OCR-based threats appearing in Apple's curated app environment, signaling a concerning trend in mobile cybersecurity vulnerabilities.
The episode sheds light on international efforts to combat online scam operations, particularly in Southeast Asia.
"Officials say the suspects used AI generated conversations and fake profile pictures of attractive women to lure victims into fraudulent cryptocurrency schemes." [00:04]
These coordinated efforts underscore the global initiative to eradicate sophisticated online scams that exploit technological advancements.
The bulletin covers several noteworthy data breaches impacting various sectors:
"Grubhub tracked the breach to a third party service provider for its support service. The company says it terminated its contract with a third party provider and rotated its passwords for internal systems." [00:04]
"96 million user records from Russian gambling company OneWin have been leaked online." [00:04]
"Andean Medjedovic allegedly stole $16.5 million from Indexed Finance in October 2021 and another $48.4 million from KyberSwap in November 2023." [00:04]
These incidents highlight the persistent vulnerabilities within digital infrastructures and the sophisticated methods employed by cybercriminals.
The episode outlines various governmental responses to cybersecurity threats:
"The Indian government will allow private companies to use its Aadhaar database to authenticate users' identities." [00:04]
"The Australian government has sanctioned white supremacist online network Terrorgram." [00:04]
These measures reflect the global efforts to regulate and mitigate the influence of malicious entities operating within digital and physical realms.
The bulletin addresses recent discoveries and mitigations concerning technological vulnerabilities:
"Last year, Russian hackers used a zero day in the 7 zip file archiving utility for espionage and cybercrime." [00:04]
"Google has released Android security updates for February 2025." [00:04]
These updates emphasize the ongoing battle between cybersecurity defenders and malicious actors seeking to exploit technological weaknesses.
The episode concludes with a report on a purported malicious backdoor in Chinese medical devices:
"A new report says the malicious backdoor CISA described in a recent warning about Chinese medical devices is in fact an update mechanism." [00:04]
This revelation underscores the fine line between security features and potential vulnerabilities within critical medical infrastructure.
Claire Aird wraps up this edition of Risky Bulletin by highlighting the ever-evolving nature of cybersecurity threats and the corresponding efforts by governments and organizations to counteract them. From high-profile email breaches to sophisticated malware and regulatory actions, the landscape remains dynamic and challenging for all stakeholders involved.
This episode was brought to you by Thinkst, the makers of the much-loved Thinkst Canary. Find them at canary.tools.