CyberWire Daily - Kimsuky gets kim-sunk.

Episode Date: August 12, 2025

Hackers leak backend data from the North Korean state-sponsored hacking group Kimsuky. A ransomware attack on a Dutch clinical diagnostics lab exposes medical data of nearly half a million women. One of the world's largest staffing firms suffers a data breach. Saint Paul, Minnesota, confirms the Interlock ransomware gang was behind a July cyberattack. Researchers jailbreak ChatGPT-5. A cyber incident takes the Pennsylvania Attorney General's Office entirely offline. A new report quantifies global financial exposure from Operational Technology (OT) cyber incidents. Finnish prosecutors charge a Russian captain for allegedly damaging five critical subsea cables in the Baltic Sea. On our Industry Voices segment, we are joined by Sean Deuby, Semperis' Principal Technologist, with insights on the global state of ransomware. Hackers take smart buses for a virtual joyride.

CyberWire Guest
On our Industry Voices segment, we are joined by Sean Deuby, Semperis' Principal Technologist, who is sharing insights and observations on the state of ransomware around the globe. If you want to hear the full conversation, check it out here.
Selected Reading
- Kimsuky APT Hackers Exposed in Alleged Breach Revealing Phishing Tools and Operational Data (TechNadu)
- Ransomware attack on Dutch medical lab exposes cancer screening data of almost 500K women (Beyond Machines)
- Manpower discloses data breach affecting nearly 145,000 people (BleepingComputer)
- Saint Paul cyberattack linked to Interlock ransomware gang (BleepingComputer)
- Tenable Jailbreaks GPT-5, Gets It To Generate Dangerous Info Despite OpenAI's New Safety Tech (Tenable)
- Pennsylvania Attorney General's Office hit by cybersecurity incident, shuts down digital infrastructure (Beyond Machines)
- New Dragos Report Estimates Over $300 Billion in Potential Global OT Cyber Risk Exposure (Business Wire)
- The 2025 OT Security Financial Risk Report (Dragos)
- Finland charges captain of suspected Russian 'shadow fleet' tanker for subsea cable damage (The Record)
- Free Wi-Fi Leaves Buses Vulnerable to Remote Hacking (SecurityWeek)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hackers leak back-end data from the North Korean state-sponsored hacking group Kimsuky. A ransomware attack on a Dutch clinical diagnostics lab exposes medical data of nearly half a million women. One of the world's largest staffing firms suffers a data breach. St. Paul, Minnesota confirms the Interlock ransomware gang was behind a July cyber attack. Researchers jailbreak ChatGPT-5. A cyber incident takes the Pennsylvania Attorney General's office entirely offline. A new report quantifies global financial exposure from operational technology cyber incidents.
Starting point is 00:00:51 Finnish prosecutors charge a Russian captain for allegedly damaging five critical subsea cables in the Baltic Sea. On our Industry Voices segment, we're joined by Sean Deuby, Semperis' principal technologist, with insights on the global state of ransomware. And hackers take smart buses for a virtual joyride. It's Tuesday, August 12, 2025. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thanks for joining us.
Starting point is 00:01:45 It's great to have you with us. Two hackers with the handles Sabre and Cyborg leaked 8.9 gigabytes of back-end data from the North Korean state-sponsored hacking group Kimsuky, citing ethical objections to the group's financial greed. The leak, shared via Distributed Denial of Secrets, exposes Kimsuky's infrastructure, phishing tools, malware source code, and operational logs.
Starting point is 00:02:12 It includes phishing kits targeting South Korean government sites, Cobalt Strike loaders, reverse shells, SSH logs, private certificates, and links to GitHub accounts and VPN purchases. Kimsuky, known for espionage against South Korea and global entities, now faces potential disruption as parts of its infrastructure are compromised. While the exposure may hinder ongoing operations, experts note the long-term impact is uncertain. The breach offers valuable intelligence for cybersecurity analysts to strengthen defenses and develop targeted countermeasures.
Starting point is 00:02:49 A ransomware attack on the Dutch lab Clinical Diagnostics NMDL exposed personal and medical data of about 485,000 women in the national cervical cancer screening program. Stolen data includes names, addresses, medical test results, and historical records, some of which are already for sale on the dark web. The lab waited nearly five weeks to report the breach, far exceeding the EU's 72-hour rule. The delay prompted Population Screening Netherlands to cut ties and move testing to other labs to maintain program operations.

Manpower, one of the world's largest staffing firms, is notifying over 144,000 people of a data breach that occurred between December 29, 2024, and January 12 of this year. The breach was discovered
Starting point is 00:03:45 during an IT outage investigation in Lansing, Michigan, and attackers reportedly stole 500 gigabytes of data. The RansomHub ransomware group claimed responsibility, alleging theft of sensitive personal, corporate, and financial records, including passport scans, Social Security numbers, contracts, and HR data. Some data has since been removed from RansomHub's leak site, suggesting a ransom payment. Manpower says they've strengthened IT security, that they're working with the FBI,
Starting point is 00:04:18 and that they're offering free credit monitoring through Equifax. RansomHub, a rebranded ransomware-as-a-service operation, has targeted numerous high-profile victims and breached over 200 U.S. critical infrastructure entities in recent years.

St. Paul, Minnesota confirmed the Interlock ransomware gang was behind a July cyber attack that disrupted city systems, prompting the governor to deploy the National Guard's cyber unit. While emergency services were unaffected, online payments and some services remain delayed. The city refused to pay the ransom, but Interlock claims to have stolen 66,000 files and has leaked some online. Active since 2024, Interlock targets global organizations, especially health care, and was recently linked to major breaches at DaVita and Kettering Health.

Just 24 hours after OpenAI launched GPT-5 on August 7, Tenable Research says it
Starting point is 00:05:22 bypassed the model's new "safe completions" safety system and obtained detailed instructions for making a Molotov cocktail. OpenAI had touted GPT-5 as its most advanced model yet, with expert-level skills, improved accuracy, and stronger safeguards against harmful use. Using a four-step "crescendo" approach, Tenable posed as a history student, gradually steering the model toward providing dangerous instructions. The incident raises concerns about GPT-5 security, as other researchers have also reported jailbreaks and hallucinations. OpenAI says fixes are in progress, but Tenable warns that organizations may already be exposed to risks if employees use the model without safeguards.

A cyber incident has taken the Pennsylvania Attorney General's office entirely offline,
Starting point is 00:06:19 disabling its website, email, and phone systems. Attorney General Dave Sunday confirmed the outage, which is preventing citizens from submitting tips or accessing resources. Staff are continuing work and coordinating with supervisors to limit disruptions. The nature of the attack and any potential data exposure remain undisclosed. The office is working with law enforcement to investigate the incident and restore full system functionality.

Dragos, in collaboration with Marsh McLennan's Cyber Risk Intelligence Center, has released
Starting point is 00:06:55 the 2025 OT Security Financial Risk Report, what they say is the first large-scale analysis quantifying global financial exposure from operational technology cyber incidents. The report highlights that indirect losses, such as business interruption, can account for up to 70% of the total impact. In extreme but plausible one-in-250-year scenarios, global OT cyber risk exposure could reach $329.5 billion, with $172.4 billion tied specifically to business interruption. Drawing on over a decade of breach and insurance claim data, the study identifies the top three OT cybersecurity controls linked to the greatest risk reductions: incident response planning,
Starting point is 00:07:46 defensible architecture, and ICS network visibility and monitoring. It offers executives and insurers a data-informed framework to prioritize risk mitigation and justify investment in OT security.

Finnish prosecutors have charged the captain and two senior officers of the Russian-linked tanker Eagle S with aggravated criminal mischief and interference with communications for allegedly damaging five critical subsea cables in the Baltic Sea.
Starting point is 00:08:19 Authorities say the ship, part of Russia's shadow fleet, dragged its anchor for 90 kilometers, causing at least 60 million euros in repair costs and risking Finland's energy and telecom infrastructure. The suspects deny the charges, citing jurisdiction issues. NATO has warned of increased sabotage threats in the Baltic region. Coming up after the break, my conversation with Sean Deuby from Semperis. We're discussing the global state of ransomware,
Starting point is 00:08:59 and hackers take smart buses for a virtual joyride. Stay with us. I'm Ben Yelin, co-host of the Caveat podcast. Each Thursday, we sit down and talk about the biggest legal and policy developments affecting technology that are shaping our world. Whether it be sitting down with experts or government officials or breaking down the latest political developments, we talk about the stories that will have tangible impacts on businesses and people around the world. If you are looking to stay informed on what is happening and how it could impact you, make sure to listen to the Caveat podcast.
Starting point is 00:09:43 Compliance regulations and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier,
Starting point is 00:10:15 and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas: compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines
Starting point is 00:10:41 the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. It's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta. GRC,
Starting point is 00:11:09 just imagine how much easier trust can be. Visit vanta.com slash cyber to sign up today for a free demo. That's v-a-n-t-a dot com slash cyber.

Sean Deuby is principal technologist at Semperis. In today's sponsored Industry Voices segment, I catch up with him for the latest insights on the global state of ransomware. Well, it's been a couple of years since we've done this. And it was actually last year. And it's always good to see where the trends are going, because this is something that never stays still.
Starting point is 00:11:59 I think it's very important to see that. And specifically, our report tends to focus on identity, which has been getting more and more attention, but has been previously underserved. So it's always good to make sure that it gets the attention it deserves. Well, let's dig in together. What were some of the most significant findings here from your point of view? Well, from my point of view and different people in the organization
Starting point is 00:12:31 have different takes on it, there is a little bit of talk about the modest increase in ransomware success, but it's, to my mind, it's almost statistically insignificant. And it's human nature to say, yay, we're winning and we're doing a good job. But the reality is that easing off the throttle based on a modest trend in the direction you want to see, it's a mistake. It's human nature, but it's a mistake. The underlying motivations for cybercrime and nation-state espionage haven't gone away. And one of the things, of course, that this is no surprise, is that the tools, for example,
Starting point is 00:13:19 AI, they're making attacks both easier and they're making them more sophisticated. So what this means, among many things, is that it lowers the bar to success for other organizations or threat actors. So it is not as hard to be successful as it was. Well, let's talk about that. I mean, what are you all seeing here in your research when it comes to AI-driven ransomware attacks? Sometimes the details are hard to find,
Starting point is 00:13:50 and our study doesn't dive deep into the details, but what we're hearing is reporting from these organizations is that they are rapidly increasing in sophistication. Are there any particular escalation tactics that you all tracked in this year's report, or anything new or innovative that you're seeing? What we tend to see is the ability to do tried and true attacks. So one of the principles that I always espouse here is if you're looking at,
Starting point is 00:14:25 in particular, cybercrime, the goal for cybercriminals is to make as much money as possible, as quickly as possible, with as little interference as possible. And so pretty much, not everything, but most of what happens you can trace back to those goals. So with those goals in mind, they don't necessarily have to go for novel attacks. What they'll do is they'll find, though, because there's, you know, essentially a universe of organizations out there that are vulnerable. And so what this does is this makes the ability to generate those attacks and to execute those attacks faster. So the dwell time decreases.
Starting point is 00:15:15 But the attacks themselves may be, again, I'm an identity person, so I tend to focus on the identity aspects of it, against identity systems such as Active Directory and Entra ID. And many of the attacks, when it comes right down to it, are using the same tactics. They're just executed in a more automated manner or more quickly. Why is identity infrastructure a top focus for these attackers? Well, I've said for many years the mathematics for this is pretty simple. If we focus specifically on the Microsoft identity system,
Starting point is 00:15:57 that is that what has become recognized as, number one, that identity is the core of security nowadays. The NIST Zero Trust framework says that, and many other frameworks say that. Number two, it is highly vulnerable. And the threat actors know that. So they go after identity. Jen Easterly had a great statement a few months ago at a conference.
Starting point is 00:16:26 She said, identity isn't a security problem. Identity is the security problem. And of course, Jen Easterly is the former director of CISA. So we have, everybody has, everybody depends on identity. Security is centered around identity. The bad guys know this, and they attack identity. And the identity systems that everybody uses, the Microsoft identity systems, the on-prem is old, it's a quarter of a century old,
Starting point is 00:16:55 and it has lots of vulnerabilities for many, many reasons, but it's a highly vulnerable environment. So if you take that and you plug that into the goals of making as much money as possible, as quickly as possible, and the traction that it gives threat actors once they've compromised that identity environment, it's logical. And what we've seen, and what Mandiant and Microsoft Incident Response have stated, is that in the vast majority, 95% of organizations that have been attacked, the identity system is a core component of what is attacked and what is owned
Starting point is 00:17:37 for the threat actors to then do whatever they have in mind, whether it's encrypting the environment or whether it's exfiltrating data or whatever method they're using to get revenue out of the victims. Well, what sort of gaps did the study reveal when we're talking about how organizations handle both identity resilience and recovery? One of the statistics that really stood out for me was the gap between industries in paying ransom. What industry vertical, who paid more ransom and who paid less ransom? So the industry with the highest percentage paying ransom was the energy industry.
Starting point is 00:18:27 And the lowest was health care. So if you had to read between the lines, and this is my speculation, is this might be reflecting the speed at which these two industries, which are both critical infrastructure, the speed at which they're making progress in building resilience in their organizations,
Starting point is 00:18:50 we are going through this evolution at an uncomfortably quick pace, I believe, but that's the reality of it. What I say for both security and for IT professionals is, let's start with, oh, people are being attacked by threat actors, by cybercrime. That hasn't happened before. Oh, that won't happen to us. And then you're seeing, as an organization, you see it happen all around you.
Starting point is 00:19:20 And you start to, human nature, go, oh, well, I think we're probably okay. And you see organizations that you know, you know people in the organizations, that may be equal or better than you in cybersecurity being attacked. And so then you go, oh, gosh, I guess we really have to face the fact that we may be attacked. And so you really, you know, you build out your crisis management for cyber that, you know, many organizations have never had before. And you're still just getting your feet wet on how to do that. And now we're talking about resilience, as in, guess what? You're going to be attacked. You're going to have to work on resilience.
Starting point is 00:20:02 I feel that there is this great stress of organizations having to adapt to this philosophy culturally. And again, as we know, this is about people, process, and technology. It's not just technology. It's how does a culture adapt to this? So going back to your question about the significant finding. So what this says to me, when I hear about the energy sector versus the health care sector, you could speculate that on one side the energy sector, it doesn't just represent the big oil and gas companies,
Starting point is 00:20:36 but also the small municipal agencies that are generally highly vulnerable to cybercrime. They don't have the capabilities. They don't have the big security teams. They have old infrastructure that was not designed for security, on one side. And so they're having to pay more ransom because they're more thoroughly compromised. But on the other side, in healthcare, they know that a service interruption could mean harm or even death to their patients. So they're very focused on resilience in the face of attack. And in my conversations with healthcare security professionals, that is absolutely the case.
Starting point is 00:21:18 So the more resilient you are, the less likely you are to pay a ransom to get your service back. So in light of everything in the report here, what are your recommendations? What should organizations be doing to better prepare themselves here? Well, as a former technology journalist, I recognize what makes the press is what gets clicks, and it's always interesting and drives traffic to report about new and novel attacks. And so I often get the question,
Starting point is 00:21:59 how do I deal with the newest and the most novel attacks? And the reality is, I call it, I summarize it down to eat your vegetables, which is go back and look at your security, look at your basic security principles, and how well are you executing those basic security principles? What does your attack surface look like?
Starting point is 00:22:24 As I said, I'm an identity guy. And the attack surface for your hybrid identity systems, Active Directory on premises and Entra ID in the cloud, or perhaps it's Okta in the cloud or PingOne in the cloud, look at your attack surface, and how do you minimize your attack surface? As you can't be perfect on it, and it's very difficult to do that.
Starting point is 00:22:51 But as Rachel Wilson, who is a risk manager now for, a risk director for, it's not J.P. Morgan Chase, I'm sorry, I'm spacing this out. It's the other big one, Morgan Stanley, in New York, but she used to be the NSA's cyber offense director. And her way of stating it is, don't be the slowest gazelle in the herd. So you may not be able to make your security perfect,
Starting point is 00:23:23 but if you can make it a sufficient bar to make it harder, to increase the time to revenue for a cybercrime, then you have helped yourself, because if it takes too long, then it's simple enough to buy another set of credentials and go to the next organization. So it so often goes back down to basics. There's all sorts of advanced things that you can do, but I'm always about preaching the basics. And for example, our free utilities like Purple Knight and Forest Druid are designed to help
Starting point is 00:24:03 you minimize your attack surface and make you less of a target or make you a harder target. That's Sean Deuby, principal technologist at Semperis.

And finally, at DEF CON, researchers Chow Lin Yu and Kai Xing Wang revealed that Taiwan's smart buses are perhaps a bit too smart for their own good. The trouble began innocently enough with free passenger Wi-Fi, only to discover the same router also controlled the bus's driver assistance and transport management systems. With no network segmentation and default passwords that might as well have been password123, the pair waltzed in digitally, uncovering command injections, MQTT backdoors, and zero encryption.
Starting point is 00:25:09 From there, a hacker could track buses, spy via onboard cameras, falsify GPS data, or even flash out-of-service signs mid-route. Vendors, contacted politely, apparently preferred the ignore-and-hope patching strategy. The vulnerabilities, they noted, may not be confined to Taiwan. Bad news for any smart bus with global ambitions. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners.
Starting point is 00:26:04 We're collecting your insights through the end of August. There is a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher.
Starting point is 00:26:22 I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
