{
	"id": "7d5f0337-e98f-4b78-aa8e-94ce9b85ece2",
	"created_at": "2026-04-06T00:13:07.885003Z",
	"updated_at": "2026-04-10T03:34:00.673436Z",
	"deleted_at": null,
	"sha1_hash": "67632a66481dc70a74e70e5e90f679acc2b9afea",
	"title": "Recent Cyber Chaos is a Structural Shift",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3860615,
	"plain_text": "Recent Cyber Chaos is a Structural Shift\r\nBy Tom Uren\r\nPublished: 2023-09-14 · Archived: 2026-04-05 14:48:22 UTC\r\nYour weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the\r\nCyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.\r\nFrom crypto thieves to ransomware attackers and state-backed groups hellbent on sowing chaos, it's been a rough month in\r\nthe cybers. But what does this recent chaos tell us about where policymakers' heads should be? First, let's look back at what's\r\nbeen happening.\r\nThis week, The Record reported that Balkan country Bosnia and Herzegovina was hit by a ransomware attack that crippled\r\nthe country's parliament. This follows a late-August Cuba ransomware attack on the government of Montenegro and an\r\nApril Conti ransomware attack on the government of Costa Rica. The Chilean government also suffered a crippling\r\nransomware attack.\r\nEven leaving aside the invasion of Ukraine, destructive state-backed cyber attacks are also on the rise. Iran attacked\r\nAlbanian government systems in mid-July. Albania claims it was attacked again earlier this month after it severed\r\ndiplomatic ties with Iran in protest. Meanwhile, Iran and Israel's ongoing, destructive cyber tit-for-tat continues. \r\nEffective, genuine hacktivists — as opposed to state-backed operators masquerading as hacktivists — are also coming out of\r\nthe woodwork. This week, a group calling itself Guacamaya, the Mayan word for macaw, released 10TB (Yes! That's a T!)\r\nof emails and files from Latin American military and police units. The group, which says it is motivated by environmental\r\ndegradation and repression of indigenous populations in Central and South America, has been active since at least March\r\nthis year. 
In its first publicly known hack, it compromised a mining company operating in Guatemala and shared documents\r\nwith Forbidden Stories, the journalist collaboration network, which operates so that \"killing the journalist won't kill the\r\nstory\". This leak appeared in March as the \"Mining Secrets\" series of articles on Forbidden Stories.  \r\nhttps://srslyriskybiz.substack.com/p/recent-cyber-chaos-is-a-structural\r\nPage 1 of 6\n\nScreen capture from Guacamaya’s recent video\r\nThis week's release is Guacamaya's fourth since March and it has also compromised mining and oil companies and\r\ngovernment offices in a number of different countries. In each case it releases data via Enlace Hacktivista, a website that\r\ndocuments hacker history, and/or via Distributed Denial of Secrets. Each release is accompanied by a statement, sometimes\r\na video, that documents the hacking process and, once, even a poem. \r\nThe Ukraine IT Army also claimed a win this week, saying it has obtained the personal data of mercenaries from\r\nthe Russian Wagner Group.  \r\nThis week The Record published a comprehensive overview of the Belarusian Cyber Partisans, covering the group's\r\nfounding, some of its successful operations and also interviews with its spokesperson Yuliana Shemetovets. This newsletter\r\nhas covered the activities of the Belarusian Cyber Partisans several times, and an early episode of our Between Two Nerds\r\npodcast discussed how the Cyber Partisans evolved to become a very effective group.\r\nEven teenagers, in the form of the Lapsus$ group, are chalking up some \"wins\". After being on a tear earlier this year, arrests\r\nin Britain and police investigations in Brazil seemed to have slowed Lapsus$ down until both Rockstar Games and Uber were\r\nhacked by one of its members this week. The details of the Uber hack are interesting and this week's edition of the Risky\r\nBusiness podcast has an excellent dissection of \"Uber's very bad week\". 
\r\nAnd of course, massive cryptocurrency thefts continue — this week DeFi platform Wintermute lost USD$160m worth of\r\ncryptocurrency. \r\nThe abhorrent Kiwi Farms website we wrote about two weeks ago has also been hacked, perhaps even twice, by people\r\napparently trying to steal user information. Given the average Kiwi Farmer probably doesn't have amazing OPSEC, we think\r\nthe forecast is sunny with a 90% chance of heavy doxxing.\r\nYou add up all these incidents — keep in mind they're all from the last month — and you have to wonder: are we the\r\nproverbial frog in boiling water? Just how did things get so f***ed up? How long has it been like this? We've seen various\r\nclasses of attackers hit the limelight over the years, but lately it feels like they're all causing problems at once. In our view,\r\nthis is a structural shift and not a coincidence.\r\nIf this is indeed the new normal, it won't be enough for policymakers to focus their efforts on either winding back the chaos\r\nor adapting to it; they'll need to do both. The only question is how those efforts should be divided in terms of focus and\r\nresources.\r\nA new Atlantic Council report examines whether 2021 changes to Chinese cyber security laws have had an effect on the\r\nresponsible disclosure of vulnerabilities by the Chinese research community.\r\nWe don't entirely agree with the premise of the paper, which is that these laws could stifle vulnerability disclosure across\r\nborders. The paper cites Alibaba being punished after it privately told the Apache Software Foundation about the Log4j\r\nvulnerability as an example case where the laws might hinder disclosure. In this case, however, we think Alibaba wasn't\r\npunished for sharing information with the vendor — the law actually requires it — but was instead punished for not\r\npromptly informing the Ministry of Industry and Information Technology (MIIT). 
 \r\nSo it's perhaps not surprising then, that the report found the laws themselves didn't have a \"significant impact\". \r\nDespite this, the paper does find a definite trend towards decreased disclosure by Chinese entities, but much of this decrease\r\nis explained by the addition of Chinese security company Qihoo 360 to the US Entity List in 2020. Before then, Qihoo 360\r\ndominated Chinese vulnerability reports. Since it was added to the US government's naughty entities list its reports\r\nessentially evaporated, and other Chinese groups just haven't stepped up to replace its public research.\r\nThere are other factors at play too. There's no doubt the PRC wants to increase its control over its hacker community, which\r\nis cause for concern. But it's a concern that has little to do with Chinese vulnerability disclosure laws and more to do with\r\nthe PRC's intent, which can change faster than you can say \"Nancy Pelosi is visiting Taiwan\".\r\nDespite our quibbles with its premise, we are fans of the report's data analysis and think the recommendations are\r\ninteresting. In brief, they are:\r\n1. Harmonise vulnerability disclosure across the United States and allies\r\n2. Improve the quality and consistency of support of vulnerability discovery tools\r\n3. Track vulnerability disclosure patterns and \"invest against gaps\"\r\nThe first two are both sensible ideas and simply aim to make vulnerability disclosure practices both better (with better tools)\r\nand more global (by bringing in more countries). \r\nThe third recommendation is interesting, though. The paper speculates that by tracking vulnerability disclosures over time it\r\nmay be possible to see \"gaps\" where disclosures against a particular class or cluster of software significantly decline. These\r\ngaps could, for example, indicate that the easy bugs have been discovered. Or they could result from a change in laws in\r\nanother jurisdiction that impede disclosure. 
Regardless of the reason, the paper argues that the presence of gaps makes any\r\nvulnerabilities discovered there more valuable and would justify countercyclical investment to \"help incentivize further\r\ndisclosure against critical software and offset the effects of policies that limit disclosures\". \r\n1. A billion reasons to be happy: the Biden Administration has launched a federal grant program that will provide up\r\nto USD$1bn for state and local government cyber security upgrades. \r\n2. European cyber security rules for smart devices: the European Commission has proposed some pretty sensible\r\nregulation to improve the security of network-connected devices in the Cyber Resilience Act. Manufacturers will\r\nhave to deliver products without known vulnerabilities and be able to deliver security updates, among other things. \r\n3. Going after ransomware top dogs: the US Joint Ransomware Task Force, which includes representatives from\r\nCISA, the FBI, the DOJ, cyber security companies and the private sector, plans to prioritise \"operations to disrupt\r\nspecific ransomware actors\". More coverage at Risky Business News.\r\nA recent Proofpoint report examines Iran-aligned threat actor TA453's use of a technique that Proofpoint calls \"Multi-Persona\r\nImpersonation\" or MPI. Rather than socially engineering a target with a single persona, TA453 introduces a second\r\nattacker-controlled persona; in the cases Proofpoint has seen, this is often done by cc'ing the second persona into an ongoing email conversation.\r\nMPI leverages \"the psychology principle of social proof to prey upon its targets and increase the authenticity of the threat\r\nactor's spear phishing\". \r\nRisky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of\r\ntrying to actually get useful information out of security vendors. 
You can subscribe to our product demo page on YouTube\r\nhere. \r\nIn our latest demo, Mike Wiacek shows Patrick Gray how to hunt down and triage suspicious files within your enterprise\r\nusing Stairwell's file analysis and threat detection platform. \r\nCISA published its 2023-2025 strategic plan last week. It spells out four major goals for the agency: \r\n1. Spearhead national cyber defence efforts\r\n2. Reduce risk to America's critical infrastructure\r\n3. Strengthen whole-of-nation collaboration and information sharing\r\n4. Unify CISA capabilities\r\nWell duh. Of course CISA would like to be better at everything, but the plan doesn't articulate how CISA will 'win' other\r\nthan perhaps by trying really hard. Many of CISA's goals require improved information sharing or increased visibility into\r\nrisks, so a plan to win might look like \"CISA will improve its information gathering to identify and fix the weaknesses in\r\nAmerica's cyber security posture\". Improved information, analysis, action.\r\nSomething like that would be nice… this newsletter isn't a fan of strategic plans that only consist of motherhood statements. \r\nThe Atlantic Council has an Issue Brief out this week examining the variety of Russian cyber actors. One key takeaway that\r\nresonated with us:\r\nThe Putin regime perceives that it benefits—and in many cases, does materially benefit—from leveraging the\r\nRussian cyber web [Ed: Cyber web? Really?] because it can claim deniability, has more power to wage covert\r\npolitical warfare below the threshold of outright war, and has potentially lower costs for cyber capabilities.\r\nCybercriminals also bring money into Russia, an increasingly important factor for a heavily sanctioned country\r\nwith a declining economy. 
Overall, the Putin regime has many incentives for continuing to allow cybercrime to\r\nthrive in Russia, as well as for creating front companies, leveraging cybercriminals and patriotic hackers, filching\r\nprivate company employees, and letting private military companies develop cyber capabilities. \r\nThe Washington Post reports the Pentagon is reviewing the conduct of its clandestine social media influence operations after\r\nsome of these actions were recently uncovered. The review was prompted by concern within government about how these\r\noperations are being run. The Post does a good job examining the issues and the article ends up reinforcing views we've previously\r\npublished. \r\n\"Our adversaries are absolutely operating in the information domain,\" a senior defense official told The Post. \"There are\r\nsome who think we shouldn’t do anything clandestine in that space. Ceding an entire domain to an adversary would be\r\nunwise. But we need stronger policy guardrails.\"\r\nThese types of operations have not been particularly effective and undermine the appeal of our democracies when they are\r\nuncovered. In other words, lots of risk, not much reward. We need more than stronger policy guardrails — we need to\r\nrespond in a way that is both effective and plays to the strengths of liberal democracies. That's not ceding the domain. That's\r\nbeing smart rather than responding reflexively because we don't like what Russia and China do on Facebook and Twitter.\r\nCasey Newton at The Verge has published a good examination of the increasing US political pressure on TikTok. Newton's\r\ntake: lawmakers have legitimate concerns about Chinese Communist Party influence over TikTok and it will be very\r\ndifficult to convince them that everything is OK. \r\nIn addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed (RSS, iTunes or Spotify) also\r\npublishes interviews. 
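The Multi-Persona Impersonation technique in the Proofpoint item above reduces to a header-level pattern: an external sender introduces a second external address into an existing thread via Cc, and that second address then writes to the target itself to lend the first persona credibility. The following Python is an added example, not code from this newsletter or from Proofpoint. It walks a constructed three-message thread with the standard library email module and scores each participant who first appears partway through the thread, then runs the same logic over a benign internal thread as a control. The organisation domain, the webmail domain list, the scoring weights and all five messages are assumptions invented for illustration.

```python
import email
from email import policy
from email.utils import getaddresses

# Assumptions for this example: the defended organisation's domain and a short
# list of webmail providers where a persona is cheap to register.
ORG_DOMAIN = 'example-thinktank.org'
WEBMAIL = {'gmail.com', 'outlook.com', 'yahoo.com', 'protonmail.com'}

# Constructed thread (invented messages, not real mail): persona one opens the
# conversation, cc's persona two, and persona two then vouches for persona one.
MSG1 = '''From: Dr Anna Persona <anna.persona@gmail.com>
To: Fellow One <fellow.one@example-thinktank.org>
Message-ID: <m1@gmail.com>

Dear colleague, would you consider contributing a chapter to our volume?'''
MSG2 = '''From: Dr Anna Persona <anna.persona@gmail.com>
To: Fellow One <fellow.one@example-thinktank.org>
Cc: Prof Second Persona <second.persona@outlook.com>
Message-ID: <m2@gmail.com>
In-Reply-To: <m1@gmail.com>

Copying my colleague, who is coordinating the volume.'''
MSG3 = '''From: Prof Second Persona <second.persona@outlook.com>
To: Fellow One <fellow.one@example-thinktank.org>
Cc: Dr Anna Persona <anna.persona@gmail.com>
Message-ID: <m3@outlook.com>
In-Reply-To: <m2@gmail.com>

Happy to confirm what Anna said. The draft is at the link below.'''
MPI_THREAD = [MSG1, MSG2, MSG3]

# Benign control thread (also invented): an internal sender cc's a colleague.
BENIGN_THREAD = ['''From: Fellow One <fellow.one@example-thinktank.org>
To: Fellow Two <fellow.two@example-thinktank.org>
Message-ID: <b1@example-thinktank.org>

Can you take a look at the draft?''', '''From: Fellow Two <fellow.two@example-thinktank.org>
To: Fellow One <fellow.one@example-thinktank.org>
Cc: Fellow Three <fellow.three@example-thinktank.org>
Message-ID: <b2@example-thinktank.org>
In-Reply-To: <b1@example-thinktank.org>

Looping in our editor.''']


def addresses(msg, header):
    # Lower-cased bare addresses from one header; getaddresses drops display names.
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def is_external(addr):
    return addr.rsplit('@', 1)[-1] != ORG_DOMAIN


def analyse_thread(raw_messages):
    '''Score each participant that first appears partway through a thread.
    Messages must be in chronological order. Each finding is a dict with the
    message id, the address concerned, a score and the reasons for it.'''
    seen = set()
    introduced_by = {}   # address -> sender of the message that first carried it
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        mid = str(msg.get('Message-ID', '?'))
        sender = addresses(msg, 'From')[0]
        cc = addresses(msg, 'Cc')
        participants = [sender] + addresses(msg, 'To') + cc
        if not seen:
            seen.update(participants)   # everyone is new in the opening message
            continue
        # Social-proof step: an address that was only cc'd in by another external
        # party now writes to the target itself. This is the MPI pattern above.
        introducer = introduced_by.get(sender)
        if introducer and introducer != sender and is_external(introducer):
            findings.append({'message': mid, 'address': sender, 'score': 3,
                             'reasons': ['cc-introduced persona now writes directly',
                                         'introduced by ' + introducer]})
        for addr in participants:
            if addr in seen:
                continue
            reasons = []
            if is_external(sender):
                reasons.append('introduced by external sender')
            if is_external(addr):
                reasons.append('new participant is external')
            if addr.rsplit('@', 1)[-1] in WEBMAIL:
                reasons.append('webmail domain')
            if addr in cc:
                reasons.append('added via Cc rather than addressed directly')
            introduced_by[addr] = sender
            findings.append({'message': mid, 'address': addr,
                             'score': len(reasons), 'reasons': reasons})
        seen.update(participants)
    return findings


def suspicious(raw_messages, threshold=3):
    '''Findings at or above the threshold, for routing to an analyst queue.'''
    return [f for f in analyse_thread(raw_messages) if f['score'] >= threshold]
```

Calling suspicious(MPI_THREAD) returns two findings: the Cc introduction of the second persona in the second message scores 4, and the second persona's own message scores 3 because its sender was brought into the thread by another external party. suspicious(BENIGN_THREAD) returns nothing, since an internal colleague cc'd by an internal sender collects only the Cc reason. The weights are deliberately crude; in a real mail pipeline the webmail list would give way to the organisation's allow-list of known collaborators and a display-name lookalike check against the directory, and the thread would be reconstructed from In-Reply-To and References headers rather than supplied in order.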
\r\nIn our last \"Between Two Nerds\" discussion, Tom Uren and The Grugq discuss how SIGINT agencies in different regions have\r\ndifferent cultures, and how these differences are rooted in the military traditions and hacker cultures of various countries.\r\nPoland refuses to cooperate with the EU in spyware scandal: Polish authorities are flat-out refusing to cooperate with EU\r\nofficials in the investigation into the government's abusive use of advanced spyware against its political rivals, the EU's PEGA\r\ncommittee said in a statement on Thursday.\r\nWe strongly condemn the fact that the Polish government has refused to collaborate with the Inquiry Committee\r\nby declining the invitation to the hearing and refusing to meet with the fact-finding mission next week. We\r\nbelieve that such meetings would give the Government an opportunity to respond to reports about illegal use of\r\nintrusive surveillance against persons deemed as political opponents.\r\nCatalin is shocked-not-shocked that the Polish government refuses to investigate the hacking of its political rivals\r\n(continued). \r\nIHG hackers come forward: Hackers describing themselves as a couple from Vietnam took credit for the hack of the\r\nInterContinental Hotels Group earlier this month. 
The duo told the BBC they gained access to the hotel group's network after\r\ntricking an employee into downloading and installing malware on their system through a booby-trapped email attachment.\r\nThe hackers said they then found a password vault for several of the hotel group's internal systems, including its main\r\ndatabase, which was allegedly protected by a password of \"Qwerty1234.\" The hackers said they tried to install ransomware\r\non the hotel group's network, but after failing, they just wiped the database instead, in frustration.\r\nWintermute crypto-heist: Cryptocurrency DeFi platform Wintermute said it was hacked and lost $160 million in a security\r\nbreach that took place on Tuesday, September 20. Most of the cryptocurrency security space appears to believe the attacker\r\nexploited a recently-disclosed vulnerability in an Ethereum vanity address generator tool to steal funds from Wintermute's\r\nmain ETH wallet. Wintermute's CEO said the company remains solvent and that it is still open to the idea of offering a\r\nbug bounty payout to the attacker if the stolen funds are returned.\r\nweb3 is going just great (@web3isgreat):\r\nWintermute is named after the AI in the cyberpunk novel Neuromancer, written by William Gibson.\r\nWilliam Gibson (@GreatDismal):\r\nStartups or products named after characters in my books have never done too well. It's sort of like the Blade Runner curse,\r\nbut in reverse.\r\n2:41 PM · Sep 20, 2022\r\nSource: https://srslyriskybiz.substack.com/p/recent-cyber-chaos-is-a-structural",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://srslyriskybiz.substack.com/p/recent-cyber-chaos-is-a-structural"
	],
	"report_names": [
		"recent-cyber-chaos-is-a-structural"
	],
	"threat_actors": [
		{
			"id": "ae7c5e09-a79b-4dae-8ed3-f288b8d99810",
			"created_at": "2023-11-08T02:00:07.110982Z",
			"updated_at": "2026-04-10T02:00:03.416181Z",
			"deleted_at": null,
			"main_name": "Guacamaya",
			"aliases": [],
			"source_name": "MISPGALAXY:Guacamaya",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4f472ea8-b147-486d-8533-88f8036343a6",
			"created_at": "2024-01-23T13:22:35.081084Z",
			"updated_at": "2026-04-10T02:00:03.520098Z",
			"deleted_at": null,
			"main_name": "Cyber Partisans",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Partisans",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434387,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67632a66481dc70a74e70e5e90f679acc2b9afea.pdf",
		"text": "https://archive.orkl.eu/67632a66481dc70a74e70e5e90f679acc2b9afea.txt",
		"img": "https://archive.orkl.eu/67632a66481dc70a74e70e5e90f679acc2b9afea.jpg"
	}
}