Newsletters

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Despite US indictments, Russian ransomware developers and affiliates appear unaffected and live relatively freely in Russia.

This week the UK's Daily Mail was able to track down Russian Yevgeniy Polyanin at his home in the Siberian city of Barnaul. Polyanin was the subject of a US indictment unsealed earlier this month and is accused of being a ransomware affiliate and extorting over USD$13m from victims.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

It's Thanksgiving week in the USA which means the news tempo has slowed a bit. That means we can dive in and look at some topics that aren't getting as much attention as they deserve. This week we're taking a look at a series of new Chinese laws designed to strengthen its cyber security over time while bolstering state control over technology companies. Come with us on this magical journey through Chinese legislation and regulation! It'll be fun, we promise!

We're looking at three distinct laws here. At the beginning of this month the Chinese government's Personal Information Protection Law (PIPL) came into effect. The PIPL is basically China's answer to the European GDPR (although more stringent) and sets rules regarding how businesses can use and share personal information.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Israel's Government must decide if it values its relationship with the US more than the benefits it gains from playing fast and loose with powerful cyber espionage capabilities.

For many years the interests of the Israeli government and companies that export offensive cyber tools — such as NSO Group in particular, but also Candiru — were aligned.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

A wave of international action against ransomware demonstrates the effectiveness — and the limits — of coordinated action. The actions involved arrests coupled with unsealed indictments, cryptocurrency seizures, cryptocurrency exchange sanctions and multimillion dollar rewards for information about Darkside or REvil leadership and affiliates. Some of these actions will directly affect the ransomware ecosystem, but the doxxing and rewards appear intended to make life deeply uncomfortable for criminals in bullet-proof jurisdictions like Russia.

Europol announced seven ransomware affiliate arrests, five for involvement in REvil/Sodinokibi ransomware and another two for involvement with GandCrab. The arrests occurred around the world: two people in Romania, three in South Korea, one in Kuwait and one in Poland at the request of the US.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

US Cyber Command was involved in a campaign targeting the REvil ransomware gang that resulted in the group scattering. The unofficial attribution to USCYBERCOM, via Ellen Nakashima's report in the Washington Post, should deliver a significant psychological impact to the ransomware scene.

The report says USCYBERCOM used stolen or cracked key material to spin up a fake duplicate of the ransomware crew's Tor .onion server. This spooked the REvil group enough to take a serious look at its infrastructure. From there, it discovered a historical server breach, apparently conducted by a US partner's security agency. This really gave the REvil team the willies.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Espionage efforts that target cloud and managed services to enable access are becoming the new normal.

This week Microsoft announced it had detected further espionage activity from the Russian state actor it calls Nobelium (aka APT29 and Cozy Bear), the one responsible for the Holiday Bear campaign and part of Russia's foreign intelligence service, the SVR.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

In the first possible sign of offensive cyber operations against ransomware crews, REvil's Tor payment portal and data leak site were hijacked. As a result REvil has again shut down its operations for a second time this year, hopefully for good.

REvil first disappeared shortly after its July mass compromise of Kaseya customers, after its leader and spokesperson UNKN disappeared and was presumed dead (or perhaps absconded with the group's money). REvil resumed operations after a couple of months using its previous infrastructure, including the same access keys, but now they've been spooked by someone compromising their servers, apparently in an effort to identify other gang members.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

The Biden White House's ransomware summit kicked off today and it wasn't the empty stunt we expected it to be.

We had been wondering what prompted officials from the Netherlands, UK and Australia to signal a more aggressive, military and intelligence agency-backed response to the ransomware threat, and now we know: They were sharpening up their policy positions ahead of the White House-coordinated meeting.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Keyword and geofence warrants that tap into the panopticon of Google's data holdings feel a bit creepy, but these searches can be both targeted and proportional. They are a valuable investigative tool and should have oversight and limits applied to them rather than being banned.

Geofence warrants provide law enforcement with details of devices (and hence potential suspects) at the scene of a crime at a specific time. These warrants have been used extensively to identify participants in the January 6 Capitol riots and are increasingly common — Google received over 11,000 of these warrants in 2020.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Chinese firms are so closely interlinked with the Chinese government that they cannot be trusted in critical infrastructure. The release of two Canadians held by China immediately after Huawei CFO Meng Wanzhou struck a plea deal and returned to China, proves it.

"Huawei Princess" Meng Wanzhou, Huawei founder Ren Zhengfei's daughter, had been under house arrest in her two Vancouver mansions for three years as the US sought her extradition in relation to Huawei's alleged sanction-breaking dealings with Iran. Two Canadian citizens, Michael Kovrig and Michael Spavor (often referred to as the two Michaels) were detained in China in apparent retaliation nine days after Meng was arrested in Canada in December 2018.