This week
- SignalGate was actually TeleMessage; the app is a mess
- SK Telecom projecting $5 billion revenue loss over three years
- CrowdStrike announces revenue up, 500 layoffs
- US National intelligence director reused trivial passwords for personal accounts
- Reduction in 2024 ransomware claims, says Coalition
- Increasing China cyber threat
Interesting stats
60% of 2024 claims were for business email compromise incidents, and there was a 7% reduction in ransomware claims, with each ransomware claim averaging $292,000 in losses, according to insurer Coalition. LINK
Five things
- China is “well on its way to becoming a cyber superpower”, according to Pat McFadden, Chancellor of the Duchy of Lancaster (title given to the second most senior Cabinet Office minister, after the Prime Minister). The remarks were delivered at NCSC’s flagship conference, CYBERUK, in Manchester, and were echoed by NCSC CEO Richard Horne. McFadden tried to strike a balance, suggesting that the UK Government would ‘engage constructively’ whilst also cautioning that “are likely to be permanent features of this new global order, there is no point in pretending otherwise”. In his own address, Horne said that the UK intelligence community sees a “direct connection” between Russian cyberattacks and sabotage plots. CHINA, RUSSIA
- TeleMessage, the Signal clone at the heart of the SignalGate saga, was compromised, and the company has gone to ground. The use of Signal by senior US government officials to discuss military action was widely panned by those on both sides of the political spectrum (vol. 8, iss. 13). Now it turns out that it wasn’t Signal per se that they were using. Instead, it was a fork of the popular end-to-end encrypted chat app by an Israeli company called TeleMessage. The spin-off contained features for archiving messages — useful for those official records — though the security of the platform and how it processed those messages is a mess and leaves more than a little to be desired. Following increased scrutiny and reports of a compromise that included names, contact information, and credentials for the system’s backend administration interface, the company took down the service and has deleted its website. LINK, MESS, SUSPENSION, DEEP DIVE
- SK Telecom, a South Korean mobile carrier, has provided further details of the attack against it, which has necessitated it replacing all of its subscribers’ physical SIM cards (vol. 8, iss. 18). As expected, the incident involves the compromise of a central database containing the cryptographic information used to authenticate and protect subscribers’ connections between their handsets and the mobile network. Other systems also appear to have been compromised, with over 25 different types of personal information potentially being purloined by attackers. SKT chief executive Young-sang Ryu told a hearing that around 250,000 users have switched to another network already, and up to 2.5 million subscribers, worth around $5 billion in revenue over the next three years, may be lost if the company waives exit fees. This is definitely ‘telco worst nightmare’ territory. LINK
- CrowdStrike is laying off 5% of its workforce (around 500 people), while revenues soared 29% year on year, with CEO George Kurtz telling employees that “These changes position us to move faster, operate more efficiently, and continue our cybersecurity leadership”. (A federal judge gave the go-ahead this week for a class action lawsuit against Delta Air Lines over the outage caused by the CrowdStrike upgrade fiasco.) CROWDSTRIKE, DELTA
- WIRED is reporting that Tulsi Gabbard, the US director of national intelligence, used the same easily cracked password for multiple accounts over many years, though it clarifies there is no indication she used the same password on government accounts. While in opposition, Gabbard sat on various intelligence and foreign affairs committees, where she would have received classified information and briefings. Referring to data breaches in which Gabbard’s password was compromised, a spokesperson said, “The data breaches you’re referring to occurred almost 10 years ago, and the passwords have changed multiple times since”. It’s not a good look. Please use a password manager to generate unique passwords for each site and app you use. Both Android and iOS have ones built in, as do web browsers, plus other dedicated services like 1Password, LastPass, and Bitwarden. LINK
In brief
- ⚠️ Incidents: Venture capital firm Insight Partners has confirmed that personal data of current and former employees and some of its limited partners (investors) was stolen during a January 2025 cyber attack. Credentials belonging to a CISA and DOGE employee have appeared multiple times in infostealer logs. Kyle Schutt is part of the Trump administration team trying to improve government efficiency; the security practices of the team, which is accessing many sensitive and critical systems, have repeatedly been questioned, and this only raises further questions about the security of Schutt’s device and others on the DOGE team. UK academic publisher Pearson says that “legacy data” was compromised by attackers who gained access to a development environment using an exposed GitLab access token. The UK’s Legal Aid Agency has suffered a cyber security incident that may have exposed financial information. The LAA administers around £2.3 billion in legal aid funding and works with around 2,000 barristers, solicitors, and other providers. INSIGHT, DOGE, PEARSON, LAA
- 🕵️ Threat Intel: The StealC infostealer malware has received a major update. A second wave of compromises of unpatched SAP NetWeaver instances is underway, according to Mandiant. Pro-Russian group NoName057(16) has launched DDoS attacks on council and police websites, citing the UK’s involvement in the Ukraine conflict as the cause for their attacks. No honour amongst thieves: the PowerSchool attacker is ransoming individual school districts, despite being paid by PowerSchool themselves. STEALC (ANALYSIS), SAP, NONAME, [POWERSCHOOL](https://therecord.media/despite-ransom-payment-powerschool-extorting
- 🛠️ Security engineering: Daniel Stenberg, the founder of the open source project Curl, says the volume of AI-generated “slop” bug reports is effectively a DDoS attack on the project’s maintainers. All future reports will require the submitter to indicate whether AI was used and, if so, to provide greater levels of proof; Stenberg notes that the project has not yet received a single valid AI-generated bug report. BUG REPORTS
- 🏭 Operational technology: CISA says that low-sophistication attackers are capitalising on poor security hygiene in the energy and transport sectors to compromise SCADA and ICS systems. ENERGY/TRANSPORT
- 📜 Policy & Regulation: A Florida state bill that would have required social media companies to implement encryption backdoors has been “indefinitely postponed” (good!). FLA BACKDOORS
- 👮 Law Enforcement: US, Dutch, and Thai authorities have dismantled two residential proxy networks and indicted three Russian nationals. The Anyproxy and 5socks networks compromised individuals’ home routers and then sold this access to cybercriminals and attackers looking to mask their nefarious traffic. The US Treasury has sanctioned a Myanmar militia group, the Karen National Army (KNA), and its leader, Saw Chit Thu, for involvement in romance scams and other cybercrime activities. PROXIES, MYANMAR
- 💰 Investments, mergers and acquisitions: AI-generated code security startup Ox Security has closed a $60 million Series B funding round. OX SECURITY
And finally
- This week, could you please do me a favour and share this newsletter with someone you think will find it interesting or useful? rto.me.uk/newsletter