Risky Bulletin: UK Prime Minister's Personal Email Hacked by Russia
Hosted by risky.biz | Released on February 5, 2025
Introduction
In this episode of Risky Bulletin, host Claire Aird delves into a series of significant cybersecurity incidents, ranging from high-profile email hacks to emerging malware threats. Prepared by the Risky Business team, this update provides listeners with a comprehensive overview of the latest developments in the cybersecurity landscape.
Major Email Breach: UK Prime Minister's Account Compromised
One of the episode's highlights is the revelation that Russian intelligence services successfully hacked the personal email account of the British Prime Minister, Sir Keir Starmer, in 2022. Claire Aird references a book extract published by The Times newspaper to substantiate this claim.
"Russian intelligence services breached British Prime Minister Sir Keir Starmer's personal email account in 2022, according to a book extract published by the Times newspaper." [00:04]
The breach occurred shortly after Russia's invasion of Ukraine, during a politically sensitive period when Starmer was leading the UK opposition. Advised by British intelligence, Starmer subsequently abandoned the compromised email account to mitigate further risks.
Emerging Malware Threat: Sparkcat Crypto Stealer
The bulletin highlights a newly identified cryptocurrency-stealing malware named Sparkcat, discovered by Kaspersky Labs in both iOS and Android app stores.
"Sparkcat was also found inside one app on the iOS app store. Kaspersky said this was the first time they'd seen this style of OCR malware in Apple's app store." [00:04]
Key Details:
- Functionality: Sparkcat utilizes Optical Character Recognition (OCR) to scan users' local photos for text resembling cryptocurrency wallet recovery phrases. Any matching data is exfiltrated to attackers.
- Impact: Over 240,000 users have downloaded Android apps harboring Sparkcat, marking a significant threat to mobile security.
This malware represents the first instance of such OCR-based threats appearing in Apple's curated app environment, signaling a concerning trend in mobile cybersecurity vulnerabilities.
Government Crackdowns on Online Scams
The episode sheds light on international efforts to combat online scam operations, particularly in Southeast Asia.
- Thailand's Strategic Measures:
  - Power Cuts: The Thai government plans to cut power to areas near Myanmar's border to disrupt scam compounds.
  - International Pressure: Facing mounting global criticism, Thailand is intensifying its efforts to dismantle online cyber scam networks.
  - Coordination Center: Thai police have established an international coordination center dedicated to combating cross-border cyberscam activities.
- Philippines' Police Actions:
  - Mass Arrests: Authorities in the Philippines recently arrested 100 Filipinos and a Chinese national in a raid targeting an online scam compound in Manila.
  - Modus Operandi: The suspects employed AI-generated conversations and deceptive profile pictures to lure victims into fraudulent cryptocurrency schemes.
"Officials say the suspects used AI generated conversations and fake profile pictures of attractive women to lure victims into fraudulent cryptocurrency schemes." [00:04]
These coordinated efforts underscore the global initiative to eradicate sophisticated online scams that exploit technological advancements.
Data Breaches and Security Incidents
The bulletin covers several noteworthy data breaches impacting various sectors:
- GrubHub's Security Breach:
  - Data Compromised: Names, emails, phone numbers, partial payment card data, and hashed passwords were accessed by hackers.
  - Source: The breach was traced back to a third-party support service provider.
  - Response: GrubHub terminated its contract with the implicated provider and rotated internal system passwords to secure its infrastructure.
"Grubhub tracked the breach to a third party service provider for its support service. The company says it terminated its contract with a third party provider and rotated its passwords for internal systems." [00:04]
- OneWin Gambling Company Hack:
  - Data Leak: 96 million user records were leaked following a November 2024 hack.
  - Method: The hacker executed a series of DDoS attacks to divert the company's security focus, facilitating the theft of the user database.
  - Ransom Demands: Initially asking for $1 million, the hacker escalated the demand to $15 million after unsuccessful negotiations.
"96 million user records from Russian gambling company OneWin have been leaked online." [00:04]
- Canadian Hacker Charged:
  - Accusations: A 22-year-old Canadian, Andion Medjedovich, is charged with hacking two cryptocurrency platforms, stealing a total of $64.9 million.
  - Tactics: Medjedovich exploited smart contract vulnerabilities to manipulate key parameters, enabling unauthorized fund withdrawals at inflated rates.
  - Blackmail Attempts: He allegedly attempted to coerce Kyberswap into granting him platform control in exchange for returning half of the stolen funds.
"Andion Medjedovich allegedly stole $16.5 million from Indexed Finance in October 2021 and another $48.4 million from Kyberswap in November 2023." [00:04]
These incidents highlight the persistent vulnerabilities within digital infrastructures and the sophisticated methods employed by cybercriminals.
Government Initiatives and Regulatory Actions
The episode outlines various governmental responses to cybersecurity threats:
- India's Aadhaar Database Expansion:
  - New Permissions: The Indian government will permit private companies to utilize the Aadhaar database for user identity authentication.
  - Database Details: Introduced in 2020, Aadhaar stores personal and biometric information of all Indian citizens.
  - Previous Usage: Until this year, the database was exclusively used for government service identification.
"In return for half of the stolen funds, the Indian government will allow private companies to use its Aadhaar database to authenticate users identities." [00:04]
- Australia's Sanctions on Terrorgram:
  - Target: White supremacist online network Terrorgram, operating via a Telegram channel.
  - Activities: Encouraged murders, physical attacks, and hate crimes, including incidents in Slovakia and Turkey.
  - Legal Actions: The US arrested two Terrorgram administrators in September and sanctioned the group in January, and the UK has added it to its list of terrorist organizations.
"The Australian government has sanctioned white supremacist online network Terrorgram." [00:04]
These measures reflect the global efforts to regulate and mitigate the influence of malicious entities operating within digital and physical realms.
Technological Vulnerabilities and Patches
The bulletin addresses recent discoveries and mitigations concerning technological vulnerabilities:
- 7-Zip Zero-Day Exploit:
  - Description: Russian hackers exploited a zero-day vulnerability in the 7-Zip archiving utility to conduct espionage and cybercrime.
  - Technique: Used a double-archiving method (an archive nested inside another) so that the decompressed malicious files bypassed web security protections.
  - Attribution: Linked to the SmokeLoader cybercrime group and to espionage targeting the Ukrainian government.
  - Timeline: Malicious samples emerged in September, with 7-Zip patching the flaw two months later in November.
"Last year, Russian hackers used a zero day in the 7 zip file archiving utility for espionage and cybercrime." [00:04]
- Android Security Updates:
  - Patch Details: Google released updates addressing a zero-day vulnerability in Android's UVC kernel component, exploited for privilege elevation attacks.
  - Impact: The flaw could allow attackers to execute malicious firmware patches on AMD Zen CPUs, potentially compromising cloud infrastructure.
  - Developer Insights: GrapheneOS developers suggest the vulnerability may have been used by forensic data extraction tools.
"Google has released Android security updates for February 2025." [00:04]
These updates emphasize the ongoing battle between cybersecurity defenders and malicious actors seeking to exploit technological weaknesses.
Additional Security Concerns
The episode concludes with a report on a purported malicious backdoor in Chinese medical devices:
"A new report says the malicious backdoor CISA described in a recent warning about Chinese medical devices is in fact an update mechanism." [00:04]
Clarifications:
- Nature of the Backdoor: Described as an update mechanism that can only be activated by physically holding a button on the device during boot.
- Company Statement: The manufacturer characterizes this behavior as risky and awkward, but not inherently malicious.
This revelation underscores the fine line between security features and potential vulnerabilities within critical medical infrastructure.
Conclusion
Claire Aird wraps up this edition of Risky Bulletin by highlighting the ever-evolving nature of cybersecurity threats and the corresponding efforts by governments and organizations to counteract them. From high-profile email breaches to sophisticated malware and regulatory actions, the landscape remains dynamic and challenging for all stakeholders involved.
This episode was brought to you by Thinkst, the makers of the much-loved Thinkst Canary. Find them at canary.tools.
