Robin’s Newsletter #376

31 August 2025. Volume 8, Issue 35
Salt Typhoon comp'd over 200 organisations. Anthropic says cybercrims run ransomware ops using Claude. SK Telecom lacked pretty much any security.

This week

A condensed format this week because I’m travelling.

  • The FBI says Salt Typhoon compromised at least 200 US companies, substantially more than the nine telcos previously disclosed. US authorities have attributed Salt Typhoon to a Chinese-backed group. When news of the campaign originally broke, the emphasis was on the theft of call records useful for espionage purposes. A joint advisory from US, Australian, Canadian, New Zealand, UK, Czech, Finnish, German, Italian, Japanese, Dutch, Polish, and Spanish intelligence this week warns that the group’s interests are broader. The group “focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers” to siphon off Internet traffic. SALT TYPHOON, ADVISORY (PDF)

  • Anthropic issued a report this week saying cybercriminals had used its systems to commit large-scale, automated campaigns. Amongst the six ‘case studies’ were North Koreans scaling their fraudulent IT worker scams, vibe coding AI agents to improve data extortion operations, and an AI-generated ransomware-as-a-service campaign. Anthropic was quick to point out that they have “developed sophisticated safety and security measures to prevent the misuse of our AI models”. It’s great that they are sharing details (the report is an interesting read), but obviously not great that you could use their platform to run an entire ransomware attack. (h/t Tim) ANTHROPIC, MORE, REPORT (PDF)

  • South Korea’s privacy commissioner has fined SK Telecom (SKT) a record ₩134.5 billion ($97 million) for failing to secure its customers’ information. SK disclosed a staggering breach in April this year, requiring it to offer replacement SIMs to its 27 million subscribers (South Korea’s population is 50 million). The Personal Information Protection Commission (PIPC) report is damning, with failures at every turn: SK “did not even implement basic access controls”, it did not monitor IDS logs, stored 4,899 credentials for 2,365 servers in plaintext on a management server, did not encrypt the USIM authentication keys for its subscribers, and more. It’s a staggering lack of cyber security consideration. SKT

Interesting stats

76% of CISOs feel at risk of experiencing a material cyberattack in the next 12 months, though just 58% say they are unprepared to respond, and 66% say they would consider paying a ransom to prevent data leaks or restore systems, according to a survey of 1,600 CISOs by Proofpoint. LINK

$1.5 million stolen by a BEC scammer who tricked The City of Baltimore into changing the bank details of a contractor. LINK

In brief

  • ⚠️ Incidents: Salesforce breaches rumble on: Farmers Insurance has disclosed a breach affecting 1.1 million customers, the latest in a string of Salesforce CRM compromises for high-profile brands. Credit agency TransUnion has disclosed a breach impacting over 4.4 million people, though it says “no credit information was accessed”. Google security researchers believe that over 700 organisations may have been compromised after UNC6395 (potentially linked to ShinyHunters or Scattered Spider) compromised Salesloft’s SalesDrift AI chat integration, and used OAuth tokens to access customer environments. FARMERS, TRANSUNION, SALESLOFT
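The Salesloft item above is a reminder that an integration’s OAuth token, once stolen, looks like legitimate API traffic. One defensive angle is to baseline what each connected app normally does and flag token use that departs from it. The example below is added here and is not from the newsletter, Google, Salesloft or Salesforce: the event fields, the app name, the IPs and the row counts are all constructed, and the field names are an assumption rather than any vendor’s real log schema.

```python
"""Flag OAuth connected-app activity that departs from the app's own baseline.

Added illustration for a newsletter item; the event schema and all sample
values are constructed, not taken from any real platform's logs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    ts: str          # ISO-8601 timestamp
    app: str         # connected app whose OAuth token was presented
    user: str        # integration user the token acts as
    operation: str   # e.g. "Query" or "BulkApiQuery" (assumed names)
    sobject: str     # object type read, e.g. "Lead"
    rows: int        # rows returned by the call
    source_ip: str   # client address the call came from


# Constructed baseline: a chat integration that reads small numbers of Lead and
# Contact rows from a known address range during business hours.
BASELINE_EVENTS = [
    ApiEvent("2025-08-20T09:01:00Z", "ChatIntegration", "svc-chat", "Query", "Lead", 12, "203.0.113.10"),
    ApiEvent("2025-08-20T09:05:00Z", "ChatIntegration", "svc-chat", "Query", "Contact", 8, "203.0.113.10"),
    ApiEvent("2025-08-21T10:12:00Z", "ChatIntegration", "svc-chat", "Query", "Lead", 15, "203.0.113.11"),
]

# Constructed recent window: the same token, but now pulling whole objects in
# bulk from a new address at 02:00. That shape is what misuse tends to look like.
RECENT_EVENTS = [
    ApiEvent("2025-08-25T02:14:00Z", "ChatIntegration", "svc-chat", "Query", "Lead", 10, "203.0.113.10"),
    ApiEvent("2025-08-25T02:16:00Z", "ChatIntegration", "svc-chat", "BulkApiQuery", "Account", 480000, "198.51.100.7"),
    ApiEvent("2025-08-25T02:19:00Z", "ChatIntegration", "svc-chat", "BulkApiQuery", "Case", 120000, "198.51.100.7"),
]


def build_baseline(events):
    """Per connected app: objects touched, operations used, source IPs seen, max rows per call."""
    profile = {}
    for e in events:
        p = profile.setdefault(e.app, {"objects": set(), "ops": set(), "ips": set(), "max_rows": 0})
        p["objects"].add(e.sobject)
        p["ops"].add(e.operation)
        p["ips"].add(e.source_ip)
        p["max_rows"] = max(p["max_rows"], e.rows)
    return profile


def detect_token_misuse(baseline, recent, row_factor=10):
    """Return (timestamp, app, reasons) for each recent event outside the app's baseline.

    An event is flagged if it touches a new object, uses a new operation, comes
    from an unseen IP, or returns more than row_factor times the baseline maximum.
    """
    findings = []
    for e in recent:
        p = baseline.get(e.app)
        if p is None:
            findings.append((e.ts, e.app, "connected app not in baseline"))
            continue
        reasons = []
        if e.sobject not in p["objects"]:
            reasons.append(f"new object {e.sobject}")
        if e.operation not in p["ops"]:
            reasons.append(f"new operation {e.operation}")
        if e.source_ip not in p["ips"]:
            reasons.append(f"new source IP {e.source_ip}")
        if e.rows > row_factor * max(p["max_rows"], 1):
            reasons.append(f"row volume {e.rows} vs baseline max {p['max_rows']}")
        if reasons:
            findings.append((e.ts, e.app, "; ".join(reasons)))
    return findings


def apps_to_revoke(findings):
    """Connected apps whose tokens should be revoked and re-issued after triage."""
    return sorted({app for _, app, _ in findings})


if __name__ == "__main__":
    profile = build_baseline(BASELINE_EVENTS)
    for ts, app, why in detect_token_misuse(profile, RECENT_EVENTS):
        print(f"{ts} {app}: {why}")
    print("revoke tokens for:", apps_to_revoke(detect_token_misuse(profile, RECENT_EVENTS)))
```

The point of keying the baseline on the connected app rather than the user is that a stolen integration token acts as the integration’s service account, so a per-user rule never fires; the response is to revoke that app’s tokens, not to reset a person’s password.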

  • 🧿 Privacy: Department of Government Exfiltration: A Social Security Administration whistleblower says that the Department of Government Efficiency (DOGE) employees made a copy of 450 million Social Security records to a cloud environment that “circumvents oversight”, leaving the personal data of hundreds of millions of Americans at risk of compromise. SOCIAL SECURITY

  • 🕵️ Threat Intel: Fake NDAs: Threat actors are targeting industrial and tech companies with malware-laden fake ‘non-disclosure agreements’ (NDAs) in PDFs submitted via contact forms on the target’s website. Some organisations trust submissions via these more than general enquiry emails, and they may bypass other security protections. NDAs

  • 🪲 Vulnerabilities: Citrix NetScaler admins need to patch three vulnerabilities, including a critical remote code execution issue (CVE-2025-7775; 9.2/10). CITRIX (ADVISORY)

And finally 

  • Dan Goodin, senior security editor at Ars Technica, has written a takedown of the “Passkeys Pwned” presentation given on the main stage at this year’s DEFCON. Instead of “[breaking] the myth that passkeys cannot be stolen”, Goodin points out that the research relies on a compromised web browser — not something passkeys are intended to protect against, and at that point, broadly, all bets would be off. Coincidentally, the researchers all work for a browser security company. DEBUNK, PRESENTATION
Robin