Robin’s Newsletter #363

1 June 2025. Volume 8, Issue 22
German authorities ID Trickbot, Conti ringleader. Australia passes law requiring ransom payment notifications. Vietnam blocks Telegram.

This week

Need to Know, 1st June 2025

  • Trickbot, Conti ringleader ID’d by German authorities
  • Oregon bans the sale of precise geolocation data
  • Australian businesses legally required to disclose ransomware payments
  • UK bringing cyber, electronic personnel together in new military command
  • Vietnam orders Telegram block

Interesting stats

79% of the time, OpenAI’s o3 model sabotaged instructions that it had been told would result in its shutdown, and 7% of the time it did so even when explicitly told to “allow yourself to be shut down”, compared to 9% / 0% for Gemini 2.5 Pro and 3% / 0% for Claude 3.7 Sonnet, according to Palisade Research. LINK

$2 billion of fraudulent App Store transactions prevented by Apple in 2024, identifying 4.7 million stolen credit cards and banning 1.6+ million accounts. LINK

Five things

  1. German authorities have named Vitaly Nikolaevich Kovalev, a 36-year-old Russian man, as Stern, the ringleader of the notorious Trickbot and Conti cybercrime groups. Trickbot pioneered the ‘as-a-service’ crime business model that has gone on to dominate the ransomware ecosystem. The announcement is the first time any government has pinned an identity on the Stern moniker. STERN

  2. Oregon has joined Maryland and become the second US state to ban the sale of precise geolocation data. Georgia-headquartered data broker LexisNexis announced that attackers have stolen the personal information of over 364,000 people in a December 2024 breach. OREGON, LEXISNEXIS

  3. Australia has passed a law requiring ransomware victims to declare any extortion payments made to cybercriminals. Businesses with over AU$3 million in annual turnover and critical infrastructure organisations will have to report payments to the Australian Signals Directorate within 72 hours or face a potential penalty. I think this is a good step forward and middle ground: not banning payments but getting insight into the scale and nature of the problem. AUSTRALIA

  4. The UK will bring its military cyber and electronic operations under a new, single National Cyber and Electromagnetic Command, bringing together cyber personnel from SIGINT agency GCHQ, the MoD, and other government units. The National Cyber Force and its offensive operations will remain separate. NCEC

  5. Vietnam has ordered telcos to block access to Telegram; Hanoi says 68% of 9,600 Vietnamese Telegram channels are linked to criminal activity, but the move is also thought to relate to spreading information on the platform against the ruling Communist Party. TELEGRAM

Other newsy bits

  • ⚠️ Incidents: Adidas is warning customers that an “unauthorised external party” accessed customer data through a third-party customer service provider. Victoria’s Secret has shut down its website in response to a security incident, disrupting online and some in-store orders and services. The DragonForce ransomware group breached the remote monitoring and management (RMM) tool SimpleHelp, popular with managed service providers, to deploy malware and steal the data of end customers. SentinelOne suffered a six-hour outage on Thursday that “impact[ed] commercial customer consoles” but “is not a security incident”. Google Maps suffered a strange incident this week when it showed German users that all autobahns in the country were closed. ADIDAS, VICTORIA’S SECRET, SIMPLEHELP, SENTINELONE, GMAPS

  • 🕵️ Threat Intel: Dutch police have pinned a September 2024 breach on a Russia-aligned espionage group dubbed Laundry Bear (aka Void Blizzard or APT28), who have shown repeated interest in Western EU and NATO countries supplying military aid to Ukraine. (Side note: Laundry Bear? Really?) The Czech government blamed a “malicious cyber campaign” against its foreign ministry’s unclassified network on China’s Ministry of State Security (APT31). China’s APT41 has been using Google Calendar as a command and control channel for its ToughProgress malware. Hiding comms in legitimate services and trying to blend into normal traffic is attractive for stealthy attackers, because the destination domain alone gives defenders little to alert on. LAUNDRY, CHINA, CALENDAR

  • 👮 Law Enforcement: An Iranian national appeared in court in North Carolina and pleaded guilty to the RobbinHood ransomware attack against the city of Baltimore in May 2019. It’s unclear how Sina Gholinejad, 37, ended up in the US. The US Treasury has sanctioned Funnull Technology Inc., a Philippine company, after the FBI linked it to the majority of pig-butchering scams reported to the bureau. International law enforcement has taken down AVCheck and seized the operation’s domain. AVCheck allowed criminals to test their malware against commercial antivirus solutions to understand whether it was likely to be detected. BALTIMORE, PIG BUTCHERING, AVCHECK

  • 💰 Investments, mergers and acquisitions: Zscaler is to acquire MDR provider Red Canary for an undisclosed sum. RED CANARY

And finally

  • Congrats to Thinkst, which has passed $20 million in annual recurring revenue without VC funding. The company’s Canary products are honeypots that alert businesses to potential intruders. THINKST
Robin