Risky Bulletin: US Indicts i-SoOn and APT27 Hackers
Episode Title: Risky Bulletin: US Indicts i-SoOn and APT27 Hackers
Host: Claire Aird
Release Date: March 7, 2025
In this episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the latest developments in cybersecurity, highlighting significant indictments, cyberattacks, and disruptions in the digital landscape. Prepared by Catalin Cimpanu, the bulletin delves into the activities of hacking groups, law enforcement actions, and emerging threats that shape the current cybersecurity environment.
US Indicts Chinese Hacking Groups i-Soon and APT27
At the forefront of today's news, the U.S. Department of Justice has unsealed charges against twelve Chinese nationals associated with cyber espionage activities. These individuals are linked to two notorious hacking groups: i-Soon and APT27. Claire Aird reports:
"The Justice Department claims i-Soon was behind a hacking campaign that broke into the foreign ministries of at least four countries" ([00:00]).
Among the indicted, two are officers from China's Ministry of Public Security who directed i-Soon's operations, while the remaining ten are i-Soon employees involved in both personal profit-driven hacks and state-sanctioned cyber espionage missions. Notably, an APT27 member, Yin Kecheng, is accused of hacking the U.S. Treasury Department in December 2024.
Seizure of Russian Cryptocurrency Exchange Garantex
In a significant blow to cybercriminal financial operations, US and European law enforcement agencies have seized the website of the Russian cryptocurrency exchange Garantex. Claire Aird details:
"Authorities also seized $27 million worth of tether coins from the company's crypto wallets" ([00:02]).
Garantex was previously sanctioned by the U.S. in April 2022 for money laundering activities linked to dark web marketplaces and ransomware operations. The European Union followed suit with its sanctions last month. This coordinated crackdown underscores the international effort to dismantle financial channels facilitating cybercrime.
Data Breach at Japanese Telco Giant NTT
Japanese telecommunications leader NTT has reported a breach of its internal network last month, resulting in the theft of data pertaining to nearly 18,000 corporate customers. Claire Aird notes:
"The company also suffered a major breach in 2020" ([00:03]).
This incident marks a recurring security challenge for NTT, highlighting the persistent threats faced by large corporations and the importance of robust cybersecurity measures.
Arrests Over Taylor Swift Concert Ticket Theft
Cybercriminal activities have also reached the entertainment industry. Authorities have apprehended two members of a cybercrime group responsible for stealing and reselling approximately 1,000 concert tickets for Taylor Swift's Eras Tour. Claire Aird explains:
"Tyrone Rose and Shamarra P. Simmons allegedly made more than $600,000 reselling the tickets on the black market" ([00:04]).
The charges reveal that Rose exploited his access to the computer systems of a StubHub partner company, redirecting already sold tickets to the group for illegal resale. This case underscores the diverse targets and methods employed by cybercriminals.
Extradition of Nigerian Man for Cybercrimes and Tax Fraud
The U.S. has successfully extradited Matthew Akande, a Nigerian national residing in Mexico, to face charges related to cybercrimes and tax fraud. According to Claire Aird:
"Officials claim Akande hacked a Massachusetts tax preparation firm and filed fraudulent tax returns" ([00:05]).
Akande's five-year scheme allegedly resulted in over $1.3 million in fraudulent tax refunds, representing a significant financial loss and highlighting the global nature of cyber fraud.
Unmasking of a Massive Cybercrime Cartel
A coordinated effort by 32 media outlets has unveiled a vast cybercrime cartel responsible for stealing an estimated $275 million from over 32,000 victims. Claire Aird details the operation:
"The group operated call centers that scammed people into investing in non-existent cryptocurrencies" ([00:06]).
The investigation was sparked by a Swedish TV station receiving 1.9 terabytes of leaked data from an anonymous source. The scam involved call centers across Eastern Europe, Israel, and Georgia, showcasing the extensive and organized infrastructure behind large-scale cyber fraud.
Disruption of the BadBox Botnet
Security firms have once again disrupted the BadBox botnet, thwarting its malicious activities. Claire Aird reports:
"The company sinkholed botnet traffic and took down 24 malicious Android apps" ([00:07]).
HUMAN Security identified four threat actors collaborating within the botnet's new incarnation, which has infected over a million devices. The botnet was primarily used for relaying malicious traffic and executing ad fraud. This marks a continuation of efforts to dismantle BadBox, following German authorities' successful sinkhole of an earlier version last year.
North Korean Supply Chain Attacks Targeting South Korea
South Korea's intelligence agency has issued warnings to local companies about ongoing supply chain attacks orchestrated by North Korean hackers. Claire Aird explains:
"The attacks have targeted a groupware platform and a mobile identity verification system" ([00:08]).
These attacks focus on IT service providers and underline the need for heightened vigilance among administrators to protect critical infrastructure from state-sponsored cyber threats.
Emergence of "EvilLoader" Telegram Exploit
A new threat has emerged in the form of a Telegram exploit named EvilLoader, which has been available for purchase since January. Claire Aird details:
"The tool crafts video files that prompt Telegram users to run malicious code or install dodgy apps" ([00:09]).
This exploit leverages an unpatched bug affecting only the Android version of Telegram, allowing malicious actors to disguise harmful apps and code as seemingly innocuous video files, posing a significant risk to users.
Resignation of Cybereason CEO Eric Gan
In corporate news, Cybereason CEO Eric Gan has resigned following disputes with investors. Claire Aird reports:
"In February, Gan sued investment firm SoftBank and former U.S. Treasury Secretary Steven Mnuchin for blocking Cybereason's refinancing efforts" ([00:10]).
Gan claimed that these actions pushed the company to the brink of bankruptcy, leading to the cancellation of its planned merger with U.S. security firm Trustwave. This development marks a turbulent period for Cybereason as it navigates financial and leadership challenges.
This episode of Risky Bulletin offers a thorough overview of critical cybersecurity incidents and trends, reflecting the dynamic and often perilous nature of the digital security landscape. From indictments of international hacking groups to the disruption of sophisticated botnets, the bulletin underscores the ongoing battle between cybercriminals and those working to safeguard digital assets and infrastructure.
