
Patrick Gray
And welcome to another edition of Seriously Risky Business, the podcast where we talk about cyber policy and intelligence and all of that fun stuff. My name's Patrick Gray. We would like to thank the William and Flora Hewlett Foundation for supporting this podcast, as well as Lawfare Media, which syndicates the newsletter on which it is based. And we also have a corporate sponsor this week, which is runZero, which makes a terrific asset discovery platform. And indeed, we had a sponsor interview published into the Risky Bulletin feed earlier this week in which Casey Ellis, the founder of Bugcrowd, actually put on his Risky Business Media hat and interviewed HD Moore, who is the founder of runZero, about how they're integrating open source vulnerability scanning into the runZero platform. That is very interesting, and I would recommend that you check it out if security is your day job. So joining me now is Tom Uren, who is our policy and intelligence expertise editor. And Tom, you're just putting the finishing touches on your newsletter this week before it goes out. And of course, people can subscribe to it by heading over to Risky Biz, but you've looked at a few things. The first thing is you've done a bit of a wrap, right, because there's been all of this coverage about various law enforcement actions, takedowns, arrests, indictments, disruptions, and you've sort of pulled all of that coverage together into one piece and sort of had a look at it from a more macro perspective. And I think the lesson here is that law enforcement is actually finally kicking some goals against the ransomware ecosystem by being actually quite smart about where they're choosing to prioritise their sort of disruption and investigative efforts.
Tom Uren
Yeah. So I suppose, stepping back, the problem with ransomware is that it has traditionally been difficult to arrest the people directly responsible for a particular incident. So that's happened occasionally, but very, very rarely. And so the approach that they've taken is to look at the whole ecosystem, what supports ransomware actors. And that turns out to be things like info stealers, initial access malware, and they're often botnets, where the botnets themselves are amenable to law enforcement action, where they can seize domains, take control of command and control, and disrupt the actual operation of that malware. And so that's what they've been doing. And so just in the last month, they've taken action against initial access malware, info stealer malware, and also the services that criminals use to test that their malware won't get pinged by EDR and stuff like that.
Patrick Gray
Yeah, yeah, Adam and I spoke about that on yesterday's weekly show, which was this AVCheck, which is like a VirusTotal for criminals, basically. But, yeah, but this is the thing, isn't it? Right, like, so as Adam pointed out yesterday, you know, when he worked in penetration testing, they needed a similar bit of infrastructure internally to test their, you know, quote unquote malware that they were using for authorized testing. And it was a lot of work to do that. So obviously it makes sense for, you know, niche criminal operations to offer that as a service. And you start taking that stuff away from malicious actors and also stuff around money laundering and, you know, all sorts of stuff. You start taking away these tools, these shared services. I mean, it might not stop cybercrime, but it definitely just raises the effort that they have to spend on doing mundane, annoying stuff and turns it, you know, less. It's turning it from being non-stop easy wins into kind of being like, you may as well get a day job at that point.
Tom Uren
Yeah, well, I guess it's the difference between a single pen test company and then an entire industry. So like, you know, a single pen test company can still get wins, but like Adam says, it's a lot of work. And so that just slows you down. Whereas if you're operating as just, you know, buying off the shelf criminal services, that just makes it so much easier and so much more effective. So it's about the scale of the industry rather than the existence of the industry. So I think some of the things that they've done, like tackling info stealers, those credentials that they've already stolen will be valid probably for a long time in many cases. And so it's not an overnight change, but it's the thing that over time will make ransomware criminals' jobs harder, more difficult, more painful, slower.
Patrick Gray
Yeah, yeah. Now look, moving on to the next topic because we've got three to talk about this week. You took a look also. So we discussed this yesterday, but I really want to get your thoughts on this. We had a look at that report from New Lines magazine that talked about some mobile spyware that was popping up on the personal devices of Syrian army soldiers in the lead up to the regime's fall. You know, as we said yesterday, sort of a strange story in that I'm not really clear on what it was saying. Like, was it saying that this is one of the reasons the regime fell? I mean, that's drawing a pretty long bow, if I'm honest. But there's something here, isn't there, like, there's something interesting about the fact that someone was essentially paying Syrian soldiers to install this on their devices. I mean, they're doing that for a reason. But we don't know who did it and we don't really know how they used any intelligence collected. But as a starting point, I think this is, you know, hopefully we'll find out more and it'll turn into an interesting story.
Tom Uren
I think, as it's written, it is the example par excellence of how you would try and get an app into an opposition military. And the article suggests that it was instrumental in the rapid collapse of the Assad regime. So the story is that they were basically offering the app as part of a purported financial aid package. And it seems like they probably were paying people. And the amount of money, like US$40 per month, doesn't sound like much, but in the context of the Syrian army at the time was more than most monthly salaries. So like actually a significant amount. And you can see that in that situation you would probably get a lot of installs. It leaves unclear the link between how did this result in any potential military advantage for the opposition. It combined both phishing to get information about the person and also spyware on the device. So if you did that very well, you could get an intelligence package for individuals and be able to trace them over time. So it's not a huge leap to think, yes, you could turn this into military advantage, but the actual sort of circumstances that enabled the spyware operation to be successful, like tremendously poor pay because the Syrian pound had collapsed.
Patrick Gray
I mean, exactly when 40 bucks seems like salvation.
Tom Uren
Yeah.
Patrick Gray
That person is probably not terribly committed to the cause they're allegedly, well, supposed to be fighting for, right?
Tom Uren
Yeah, yeah, yeah. And it gets worse. They talk about how basically officers were selling services to their troops. Like they would buy solar cells, solar panels, in order to charge mobile phones, and that they would charge their own troops for access to the solar panels. Like, this is not a military that is, you know, with strong morale that's going to stand and fight if they think that they're on a losing side. They would also sell food to their own soldiers.
Patrick Gray
So this is a really high functioning system they got there, right?
Tom Uren
Yeah. So on the one hand it seems like, yes, this is an amazing operation, but it's really falling on fertile ground. Like, it's hard to imagine that if you had some money, like not a huge amount of money, just some money, that you wouldn't have success in that situation. But it's also the exact same situation where the military is likely to collapse anyway. And it seems like that, even though it seems like a great example, it's also an example where they bought commodity off the shelf malware. It's a phishing page, and they're paying a little bit of money. And it seems to me to turn intelligence into military advantage is actually a lot of work. You have to have people analyzing it, integrating it with military plans.
Patrick Gray
But even something as simple as like getting location tracking on a significant enough number of, you know, Syrian soldiers and, you know, part of this phishing, they would have collected, like, what unit are they from? Do you know what I mean? Where are they currently deployed? And I could see how that could be really handy. If, you know, this soldier is from this unit, you're fighting a war against them, and then you see that person moving to another location, you know, that might tell you, hey, this unit's moving over there. So I think in that sense, if you just had a couple of infected devices in each unit, you know, you would have terrific intelligence, you know, particularly if you didn't have access to fancy things like satellites.
Tom Uren
Yeah, yeah, so I can see that as well. It just seems that they were bound for collapse regardless.
Patrick Gray
And that's the thing about this piece, is it seems to attribute the collapse to this app, right, which, as I said, it's drawing such a long bow. Um, you know, I don't think that HTS were able to take over the entire country in something like a week because of a bit of mobile spyware. Like, that just seems nuts. And the other thing is, there's no detail in that piece about who may have created it. You know, could it have been the Israelis doing this just to keep tabs on the Syrian army? Which is something you could imagine the Israelis would want to do. Right, because that's going to be prudent for them to do that. You know, there was some C2 infrastructure in the United States. Could it have been the Americans? And if so, why? Like, because they've still got, you know, various alliances in the, you know, at that point, various alliances in the north and whatnot. So, you know, it's an odd one in that I feel like this is a journalist who, you know, hasn't had a lot of experience writing about this stuff, and they may have, you know, got a bit excited.
Tom Uren
Yeah, I get the same feeling. I thought it was a really interesting story. I think it kind of encapsulates how there's many factors in everything and people in cyber or out of cyber even want to sometimes take the most sensational, you know, cyber Pearl Harbor type case.
Patrick Gray
But a war, we love a good cyber Pearl Harbor.
Tom Uren
There's just so many factors. Right. Very unlikely. The app was a key one. It may have accelerated things a little.
Patrick Gray
Yeah, I just can't wait for like someone, I don't know, Citizen Lab or whoever to get their hands on this thing and actually pick it apart and see if they can figure out who done it. Right. Like, love a good mystery. Let's move on to the final thing we're talking about this week. And this is something that we didn't cover, in fact, in the weekly show, which, which is a look at GRU. That's Russian. What? SVR's military. GRU is also military, isn't it?
Tom Uren
GRU is definitely military. I think SVR is like a foreign.
Patrick Gray
Intelligence service more than military. Yeah. So GRU is the Russian military sort of intelligence unit, unit 29155 of GRU, which does a lot of like, you know, assassinating foreign dissidents and sabotage operations and things like that, more recently have been linked to various cyber operations. And there's some excellent reporting from The Insider that's taken a deep look at the sort of history of unit 29155 cyber operations. As you've described them in the headline, they are part-time hackers, but full-time assholes. Walk us through what this report has shed light on.
Tom Uren
So to me, the mystery about unit 29155 is you've got a sabotage and blowing stuff up unit. These are hands-on guys. They're almost always guys who want to like just blow stuff up. And how does a unit like that get into hacking? Like, that makes no sense to me whatsoever. And it turns out that they just got a cybercriminal and somehow he ended up in the unit because the boss at the time presumably wanted him. That's not clear in the story. So in the story they find all these materials that are basically like reflective of poor, very poor opsec. So they talk about a trove of leaked emails, social media posts, phone records, and crucially unprotected server logs and left behind burner emails and disused VK and Twitter accounts. So they would do their work on public platforms and then once they'd finished, they would just leave them behind. They wouldn't delete messages or anything like that. And the first hacker, he did a number of hack and leak and false flag operations.
Patrick Gray
Yeah. So this is the former cybercriminal Tim Stigall, who was recruited apparently in 2014. So this was where they started.
Tom Uren
Yeah, yeah. So Stigall, he did a number of hack and leak operations, often false flag, hack and leak operations. So presumably that was something that the boss of the whole unit at the time wanted to do. And he basically just plucked Stigall out of cyber criminal obscurity and got him to do these hacking operations. That was successful enough that he was allowed to recruit other criminals into the hacking operation. And then it sort of, about a decade later, got formalised when they started to recruit young hackers from capture the flag competitions. Now, some of the operations they do just seem like totally bizarre to me. So prior to the invasion of Ukraine, they were trying to foment dissent with a graffiti campaign across Ukraine. And they would recruit people on Telegram, pay them money to write graffiti, and it was like, graffiti.
Patrick Gray
I mean, that's cool, right? As far as foreign intelligence, you know, sabotage operations, that's cool. But you know what's cooler, Tom? You know what's cooler? Smuggling in a bunch of fake demountable homes deep behind enemy lines, stuffed with drones that then fly off and start blowing up strategic bombers. I mean, if I had to choose between the graffiti campaign or the. It's so hard, right?
Tom Uren
Well, what stuns me about this is that the reason The Insider knows about this is they found some documents on a server that the GRU had left behind, just stopped using it, left their materials on there, and it had cryptocurrency addresses. And those cryptocurrency addresses paid some of the graffiti artists, air quotes, and it was hundreds of thousands of dollars used in this campaign. That's a lot of money to spend on graffiti. Now, the serious side of this is they do some stuff that strikes me as bizarre and then they do other stuff that is terrifying. So using basically the same sort of techniques, recruiting people over Telegram, they've tried to get people all across Europe to basically do sabotage in recent years. So that's like setting fires, targets like warehouses, shopping malls. And they've also got more ambitious plots, which, like. So according to The Insider, it's smuggling incendiary devices encased in sex toys and cosmetics aboard DHL cargo planes bound for North America. So that's.
Patrick Gray
You wouldn't want to accidentally use one of those sex toys. Yeah, the incendiary device in it, that would be a bad time.
Tom Uren
And so the report also looks at the culture, where it's basically just anything goes. So the people at the head of the hacking unit, the most recent head, is quite corrupt. So they're setting up deals where their mistress is the beneficiary of GRU funds and they travel around the country on junkets. And so it seems like the ultimate reason that they got into hacking is just because they felt like it and they could.
Patrick Gray
Yeah, but I mean, you know, you mentioned hack and leak earlier. Is there anything else they're doing? Like, is there anything at all interesting about some of the hacking stuff that this unit does?
Tom Uren
Some of the material they've hacked has turned up as some of the COVID laboratory, you know, that conspiracy theory that the US was involved in biological warfare labs in Eastern Europe. So some of that has reached the kind of mainstream media at times.
Patrick Gray
They were fabricated documents, I'm guessing, with a few real ones sort of sprinkled in. Right.
Tom Uren
I think as far as I can tell, it was all made up. Or they take elements of truth and twist them.
Patrick Gray
That's more of an information operation than a cyber campaign, I guess. Like, I'm just wondering, have they done anything cool in cyber? It sounds like not really, apart from just get paid.
Tom Uren
No. Yeah. None of the operations I had heard of before, so there's lots of them, but nothing that had sort of peaked above my radar.
Patrick Gray
Yeah, well, you know, it's as you said, right. They got into it because they felt like it. It's not really advancing any objective, but it's nasty. So it seems very much like a GRU kind of operation. As you said, part-time hackers, full-time assholes. Tom, we will wrap it up there, mate. Thank you so much for joining me to talk through all of that. Fascinating as always. Again, if you're not subscribed to Tom's newsletter, it goes out once a week. And you can subscribe to it at Risky Biz. Just head over to the newsletters section and yeah, you'll find both of our newsletters there. Great to chat to you, mate. And we'll do it again next week.
Tom Uren
Cheers, thanks, Patrick.
Title: Srsly Risky Biz: Law Enforcement Is Finally Making Progress on Ransomware
Host: Patrick Gray
Guest: Tom Uren, Policy and Intelligence Expertise Editor
Release Date: June 5, 2025
In this episode of Seriously Risky Business, host Patrick Gray and guest Tom Uren delve into significant developments in the cybersecurity landscape, focusing on law enforcement's strides against ransomware, the controversial use of mobile spyware in the Syrian conflict, and the Russian GRU's evolving cyber operations. Below is a detailed summary capturing the essence of their discussions.
Tom Uren opens the conversation by highlighting a shift in law enforcement strategies targeting the ransomware ecosystem.
Tom Uren (00:05): "The lesson here is that law enforcement is actually finally kicking some goals against the ransomware ecosystem by being actually quite smart about where they're choosing to prioritise their sort of disruption and investigative efforts."
Traditionally, apprehending individuals directly responsible for ransomware attacks has been challenging. However, recent efforts focus on dismantling the supporting infrastructure, such as info stealers, initial access malware, and botnets. By seizing domains and disrupting command-and-control operations, authorities are effectively crippling the mechanisms that enable ransomware activities.
Tom elaborates on this approach:
Tom Uren (01:47): "So the approach that they've taken is to look at the whole ecosystem... where the botnets themselves are amenable to law enforcement action, where they can seize domains, take control of command and control, and disrupt the actual operation of that malware."
Patrick Gray adds that disrupting these shared criminal services doesn't eliminate cybercrime but increases the operational burden on malicious actors, forcing them to invest more time in foundational tasks rather than high-impact attacks.
Patrick Gray (03:56): "It might not stop cybercrime, but it definitely just raises the effort that they have to spend on doing mundane, annoying stuff and turns it... into kind of being like you may as well get a day job at that point."
The hosts agree that while these measures don't eradicate ransomware, they significantly hinder the efficiency and effectiveness of criminal operations, potentially leading to a gradual decline in ransomware incidents.
The discussion transitions to a report from New Lines Magazine concerning the deployment of mobile spyware on Syrian army soldiers' personal devices, allegedly contributing to the rapid fall of the Assad regime.
Patrick Gray (05:52): "We had a look at that report from New Lines magazine that talked about some mobile spyware that was popping up on the personal devices of Syrian army soldiers in the lead up to the regime's fall."
Tom Uren scrutinizes the claim that the spyware was instrumental in the regime's collapse:
Tom Uren (05:52): "It was instrumental in the rapid collapse of the Assad regime... like a phishing page, and they're paying a little bit of money. And it seems to me to turn intelligence into military advantage is actually a lot of work."
They discuss the economic incentives behind the spyware distribution, noting that the modest compensation provided to soldiers was significant in the context of the Syrian economy. This likely facilitated widespread installation of the spyware, potentially granting opposition forces valuable intelligence.
Patrick Gray (07:33): "When 40 bucks seems like salvation... that person is probably not terribly committed to the cause they're allegedly, well, supposed to be fighting for, right?"
However, both hosts express skepticism regarding the extent to which the spyware alone could have precipitated the regime's downfall, suggesting that it was one of many contributing factors in an already collapsing system.
Patrick Gray (10:36): "It's drawing such a long bow... you can't wait for someone... to get their hands on this thing and actually pick it apart and see if they can figure out who done it."
They anticipate further investigations by cybersecurity experts to unravel the true impact and origins of the spyware operation.
In the final segment, Patrick and Tom examine a detailed report from The Insider on Russia's GRU Unit 29155, shedding light on its cyber operations.
Patrick Gray (11:28): "GRU is the Russian military sort of intelligence unit, unit 29155 of GRU, which does a lot of like... assassinating foreign dissidents and sabotage operations and things like that... linked to various cyber operations."
Tom Uren expresses confusion over the unit's involvement in cyber activities, given its traditional focus on sabotage and direct action.
Tom Uren (12:15): "So to me, the mystery about unit 29155 is you've got a sabotage and blowing stuff up unit... and how does a unit like that get into hacking?"
The report reveals that the GRU recruited cybercriminals with poor operational security, leading to significant leaks of internal communications and operational details. This mismanagement has exposed the unit's cyber endeavors, including hack-and-leak and false flag operations.
Tom Uren (13:29): "Stigall did a number of hack and leak operations... and he was allowed to recruit other criminal criminals into the hacking operation."
The unit's bizarre and often ineffective cyber tactics, such as funding graffiti campaigns to foment dissent, contrast sharply with more destructive operations like smuggling incendiary devices disguised in innocuous items.
Tom Uren (15:00): "They're trying to foment dissent with a graffiti campaign... hundreds of thousands of dollars used in this campaign."
The hosts highlight the unit's dual nature, engaging in both low-impact information operations and high-stakes sabotage attempts, while also pointing out the corruption and lack of strategic direction within the unit.
Patrick Gray (17:50): "They got into it because they felt like it. It's not really advancing any objective, but it's nasty."
The discussion underscores the inefficacy and internal issues plaguing Unit 29155, painting a picture of a once-formidable intelligence unit now struggling with operational coherence and ethical standards.
Patrick Gray and Tom Uren provide a comprehensive overview of pivotal cybersecurity issues, emphasizing the nuanced and multifaceted nature of modern cyber threats and responses. From law enforcement's tactical disruptions of ransomware infrastructure to the questionable efficacy of mobile spyware in geopolitical conflicts, and the chaotic cyber operations of Russia's GRU Unit 29155, the episode underscores the complexity and evolving challenges in the cybersecurity domain.
Listeners gain valuable insights into how strategic enforcement efforts can impact cybercrime, the implications of cyber tools in warfare, and the internal dynamics of state-sponsored cyber units. This episode serves as a crucial update for cybersecurity professionals, policy makers, and enthusiasts keen on understanding the current landscape and future directions of cyber policy and intelligence.