Robin’s Newsletter #370

20 July 2025. Volume 8, Issue 29
Data on 6.5M Co-op members stolen. UK MoD kept Afghan data breach a secret using super-injunction. Salt Typhoon all up in National Guard's network.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Need to Know, 20th July 2025

  • Co-op boss says data on all 6.5 million members stolen
  • UK MoD used super-injunction to prevent reporting of 2022 Afghan data breach
  • Salt Typhoon were in a state’s National Guard network for nine months
  • Microsoft extends support for legacy Exchange, Skype for six months
  • Edinburgh-based MSS business Adarma goes into administration

Interesting stats

$2.17 billion in crypto was stolen in the first half of 2025, surpassing the total stolen in the whole of 2024, and mostly attributable to North Korea, according to Chainalysis. LINK

Five things

  1. Co-op chief executive Shirine Khoury-Haq says she is “incredibly sorry” for the attack against the UK retailer and has confirmed that the personal information of all 6.5 million members has been stolen. Cybercriminals made off with names, addresses, and contact information, although thankfully, no financial or transaction data was compromised. Co-op does not expect to make “any significant recovery” of response costs, having chosen to invest in detection systems rather than cyber-insurance policies. In her first interview since the breach, Khoury-Haq also announced a partnership with The Hacking Games, a business that seeks to match unconventional talent and those at risk of falling into cybercrime with cyber security employment. In other retail cyber news: Fellow UK retailer M&S reinstated its Sparks loyalty scheme this week, and is offering staff and contractors a ‘thank you’ discount. UNFI, Whole Foods’ primary distributor, expects to lose $400 million in lost sales and a $50 million profit hit after its breach (direct costs for workarounds totalled $20 million, with $5 million spent on remediation efforts). INTERVIEW, MORE, M&S, UNFI

  2. Afghan breach: The UK government lost the details of 19,000 Afghans who helped British forces and the identities of 100 British officials, including members of the special forces and intelligence services. The breach occurred in February 2022 but was not discovered until August 2023. Since then, reporting on it has been prevented through the use of a “super-injunction” — a gagging order issued by the court, which prevents reporting of both the incident and the gagging order itself. The Ministry of Defence sought the super-injunction as it believed the lives of up to 100,000 people may be in danger of reprisal attacks from the Taliban. The breach was caused by someone working at UK Special Forces headquarters accidentally emailing over 30,000 resettlement applications when they intended to share only 150. (That sounds suspiciously like sending a filtered spreadsheet, to me.) The breach was ‘detected’ after the data was posted on Facebook, raising questions not only about data handling, but also UKSF detection processes. There are broader constitutional questions as well, with MPs and select committees unable to ask questions because they were unaware of the issue. AFGHAN

  3. China’s Salt Typhoon group gained access to at least one state’s National Guard network for nine months in 2024. Network and physical maps, along with personal information of service members, were compromised, according to a Department of Homeland Security memo obtained by a Freedom of Information Act request. As well as being involved in state-level emergencies, many operate as part of ‘fusion centres’ with state and local police, potentially providing access to useful counterintelligence information. NAT. GUARD

  4. Microsoft is extending security update support for six months on Exchange Server 2016 and 2019, and Skype for Business 2015 and 2019, as customers struggle to complete migrations ahead of the original October 2025 timeline. Microsoft sees this as a one-time thing, with its post stating that “This period will not be extended past April 2026 (you do not need to ask)”. EXCHANGE

  5. Adarma, an Edinburgh-based managed security business, has entered administration. Over 170 staff have been made redundant, with a handful retained to assist administrators Interpath Advisory. The firm had struggled to turn a profit, requiring a scaled customer base to make profits on a fixed cost base. Private equity firm Livingbridge had been a backer since 2019 and withdrew its support for further funding three months ago. There are a bunch of talented security professionals in Scotland and across the UK now seeking employment. If you’re hiring, it’s worth a quick scout of LinkedIn to check out anyone who may be a good fit and is immediately available. ADARMA

In brief

  • Air Serbia has reportedly delayed issuing payslips as it battles with a cyberattack that may have been carried out by some of the Scattered Spider group. SERBIA

  • It’s always DNS: DomainTools researchers have found threat actors hiding chunks of malware in TXT records of domain names. The researchers also found some TXT records containing prompts, presumably designed to interfere with AI agents and large language models. DNS

  • Sonicwall: Google Threat Intelligence Group says that unknown actors are exploiting end-of-life SonicWall SMA 100 series VPN devices, potentially using an unknown vulnerability, to infect them with the OVERKIT rootkit. SONICWALL 

  • Cisco has patched a third ‘perfect 10’ vulnerability in its Identity Services Engine (ISE), the third such severity issue in a month. CVE-2025-20337 allows an unauthenticated, remote attacker to run arbitrary code with root-level privileges. Get patching. CISCO (ADVISORY)

  • Railroaded: The US rail industry has finally committed to replacing a control system on freight trains that has been operating for over ten years with a vulnerability that could allow attackers to control the brakes and stop trains. TRAINS

  • Nvidia GPU memory chips are vulnerable to Rowhammer attacks. Mitigations are available for sensitive applications, though these come with a 10% performance hit. NVIDIA

  • Russia: The UK has sanctioned 18 Russian military intelligence personnel from Voodoo Bear, Fancy Bear, and the WhisperGate malware this week for involvement in cyberattacks, espionage, and murders. RUSSIA

And finally

  • Microsoft is changing its support arrangements so that engineers in China will no longer support US Department of Defense systems. Sovereignty for such activities seems sensible, and while Microsoft says these engineers were “supervised” by those with US security clearances, those individuals didn’t always fully understand what they were supervising.  DOD
Robin
  Co-op Scattered Spider The Hacking Games Marks & Spencer North Korea Afghanistan Super-injunction UK Special Forces Microsoft Adarma Salt Typhoon Sovereignty Robin's Newsletter - Volume 8
Next:
Robin’s Newsletter #371
Previous:
Robin’s Newsletter #369