Newsletters

Fraudulent North Korean IT workers are pivoting into new regions as it becomes more difficult for them to get jobs in the United States. The bad news is they are also employing new tactics that make them more dangerous. 

For several years North Korea has used IT workers to raise revenue for the regime in addition to its cryptocurrency hacking efforts. These workers use fake identities and seek legitimate remote jobs across a range of industries. They are paid wages, but also leverage their privileged access to enable cyber intrusions. 

In a report released this week Google's Threat Intelligence Group said North Korean IT workers were widening their global operations, with a "notable focus" on Europe. This report, and similar research from insider risk management firm DTEX, were covered by Catalin Cimpanu in our sister publication Risky Bulletin. Catalin's write-up covers the history of the IT worker scam, who has been affected and resources to help identify potential North Korean workers.

North Korean IT worker schemes have expanded globally and are now heavily targeting European companies after a crackdown from US authorities last year.

Towards the end of 2024, North Korean workers started creating fake personas tailored for the European job market and seeking IT jobs at European small and large tech giants.

In a report this week, Google's security teams say they've spotted at least 12 fake personas linked to the Pyongyang regime.

Hackers are abusing a little-known WordPress feature named Must Use Plugins to install and hide malware from site administrators.

Also known as mu-plugins, the Must Use Plugins feature was added to the WordPress CMS in 2022.

Plugins placed in a special folder named /mu-plugins are automatically installed and enabled on a website without users needing to manually approve them.

The French government conducted last week a large-scale phishing test on over 2.5 million middle and high school students.

The test included a link in their school's digital workspace that advertised cheats and cracked games that redirected students to a phishing awareness video.

According to CNIL, France's privacy watchdog, over 210,000 students clicked the link, representing roughly one in twelve students.

The Trump Administration's cavalier disregard for common sense security protocols is blatantly inviting serious security breaches. This week exposed the absence of any kind of security culture at the highest levels of the US national security community.

The story of how The Atlantic editor in chief was inadvertently added to a high-level US national security discussion covering plans for military action against Houthi rebels in Yemen has been well covered in the media, so we won't rehash it all.

In short, The Atlantic's Jeffrey Goldberg was added to a Signal group chat in which senior US officials discussed plans for military action against Houthi rebels in Yemen. The group chat included Vice President J.D. Vance, Defence Secretary Pete Hegseth, CIA Director John Ratcliffe and Director of National Intelligence Tulsi Gabbard, among others. 

Ukraine's state railway company says that a "massive targeted cyber attack" has taken down its online ticketing system over the weekend.

The incident took place on Sunday night. In a Facebook post, Ukrzaliznytsia blamed the incident on "the enemy," a term Ukrainians use to describe Russia.

The company's website is currently down, and officials are restoring from backups. The incident was very likely a data wiper attack, which Russian hackers have employed on numerous occasions since Russia's invasion in February 2022.

I'll start this newsletter edition by saying from the get-go that today's topic—the Year 2038 problem—isn't new at all.

It has a Wikipedia page dating back to 2005, a 2009 XKCD comic, and was at the center of a Guardian article back in 2014.

It was a tweet from security researcher Pedro Umbelino last week that reminded me of this problem and how close to its deadline we have gotten—because, yes, everyone gets old!

An anti-regime hacktivist group has claimed credit over a cyberattack that crippled the on-ship communication systems of 116 Iranian ships.

The ships are operated by the National Iranian Tanker Company (50) and the Islamic Republic of Iran Shipping Company (66).

According to Nariman Gharib, a London-based Iranian cyber espionage investigator, the alleged affected vessels are these ones.

China ramped up its name and shame cyber rhetoric this week when it identified and threatened four Taiwanese individuals it alleges are involved in cyber operations targeting the mainland. 

The four were named in a Chinese Ministry of State Security (MSS) Weixin post that published the names, passport-style photographs, birthdates, ID numbers and job titles within Taiwan's Information Communication Electronic Force Command (ICEFCOM). The unit was set up in 2017 and brings together the Ministry of National Defense's communication, cyber and electronic warfare units. 

This is the second time that the MSS has doxxed Taiwanese military hackers. In September of last year it published the identities of three other alleged cyber operators, but without some of the more granular identifying details.

China's main intelligence agency said on Monday that a branch of the Taiwanese military is behind an APT group known as PoisonIvy and GreenSpot.

China's Ministry of State Security (MSS) says a cyber warfare center (Network Environment Research and Analysis Center) inside the Taiwan Information, Communications, and Electronic Force Command (ICEFCOM) is behind the APT group's operations.

The MSS accused ICEFCOM of hacking Chinese government agencies, military targets, organizations in China's critical sectors, and private sector companies.