At a glance.
- New Russian cyberespionage actor targets NATO countries.
- ConnectWise investigates suspected nation-state hack.
- SentinelOne restores service following major outage.
- Australian law requires ransomware victims to report payments.
- Czech Republic accuses China of attempted hacks.
- Iranian pleads guilty to participation in Baltimore ransomware attack.
- Estonia issues arrest warrant for suspect in massive pharmacy breach.
New Russian cyberespionage actor targets NATO countries.
Dutch intelligence agencies have attributed several hacks to a previously unknown Russian threat actor dubbed "Laundry Bear," the Record reports. The agencies note that the group's modus operandi overlaps with that of Fancy Bear (APT28), but they consider the two groups to be distinct. The Netherlands' Ministry of Defence says Laundry Bear was responsible for several hacks on Dutch organizations in September 2024, including a major data breach affecting the Dutch national police. The Ministry says the threat actor has "a specific interest in armed forces, governments, defense (sub) suppliers, social organizations, and IT and digital service providers. Laundry Bear has also conducted cyberespionage attacks against companies that produce high-end technologies, which Russia has difficulty accessing due to current Western sanctions."
Microsoft published its own report on the threat actor, which the company tracks as "Void Blizzard." Microsoft says the group is likely conducting cyberespionage to further Russian strategic objectives, conducting "opportunistic yet targeted high-volume cyberoperations against targets of intelligence value to the Russian government." The researchers add, "Their operations predominately leverage unsophisticated techniques for initial access such as password spray and using stolen authentication credentials. Microsoft assesses that Void Blizzard procures cookies and other credentials through criminal ecosystems. These credentials are then used to gain access to Exchange and sometimes SharePoint Online for information collection."
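As an added example that is not part of this briefing or of Microsoft's report, the Python sketch below shows how a defender can surface the password-spray pattern described above in sign-in logs: one source failing against many distinct accounts within a short window, and any subsequent success from that same source. The record layout, addresses, account names and thresholds are constructed assumptions.

```python
# Added example (not from the original briefing): a minimal password-spray
# detector over constructed sign-in records. A spray shows up as one source
# trying many distinct accounts with few attempts each, rather than many
# attempts against one account. Field layout and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source_ip, user, result)
SAMPLE_SIGNINS = [
    ("2025-05-29T10:00:01", "203.0.113.7", "alice@example.org", "failure"),
    ("2025-05-29T10:00:03", "203.0.113.7", "bob@example.org", "failure"),
    ("2025-05-29T10:00:05", "203.0.113.7", "carol@example.org", "failure"),
    ("2025-05-29T10:00:08", "203.0.113.7", "dave@example.org", "failure"),
    ("2025-05-29T10:00:09", "203.0.113.7", "erin@example.org", "failure"),
    ("2025-05-29T10:00:12", "203.0.113.7", "frank@example.org", "success"),
    ("2025-05-29T10:01:00", "198.51.100.4", "alice@example.org", "failure"),
    ("2025-05-29T10:01:30", "198.51.100.4", "alice@example.org", "failure"),
    ("2025-05-29T10:02:00", "198.51.100.4", "alice@example.org", "success"),
]

def find_password_spray(records, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted users} for sources whose failed sign-ins hit
    at least `min_users` distinct accounts inside one sliding `window`."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in records:
        if result == "failure":
            by_ip[ip].append((datetime.fromisoformat(ts), user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

def spray_then_success(records, sprayers):
    """Accounts that signed in successfully from a spraying source; these are
    the first candidates for a credential reset and session/cookie revocation."""
    return sorted({u for _, ip, u, r in records if ip in sprayers and r == "success"})

if __name__ == "__main__":
    sprayers = find_password_spray(SAMPLE_SIGNINS)
    print("spraying sources:", sprayers)
    print("accounts to reset:", spray_then_success(SAMPLE_SIGNINS, sprayers))
```

The per-account failure counts stay low by design, so a lockout threshold alone would not catch this; correlating by source address is what makes the spray visible.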
ConnectWise investigates suspected nation-state hack.
IT management software provider ConnectWise has disclosed "suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers." ScreenConnect is a popular remote management and access tool. The company has retained Mandiant to investigate and is working with law enforcement.
BleepingComputer cites ScreenConnect customers as saying the incident is linked to a high-severity code injection vulnerability (CVE-2025-3935) that was patched on April 24th. ConnectWise hasn't confirmed these details, but stated, "As part of our work with Mandiant, we patched ScreenConnect and implemented enhanced monitoring and hardening measures across our environment."
SentinelOne restores service following major outage.
Security firm SentinelOne sustained a widespread outage on Thursday that prevented customers from accessing the consoles they use to monitor threats. BankInfoSecurity says the outage affected all of SentinelOne's products, including its endpoint, XDR, cloud security, identity, data lake, threat intelligence and vulnerability management services. The security products continued working in the background, but managed response services did not have visibility into threat data reporting for several hours. The company restored service yesterday afternoon. SentinelOne is investigating the issue, but does not believe it was caused by an attack.
Australian law requires ransomware victims to report payments.
Australia has enacted a law requiring certain companies to report ransomware payments to the Australian Signals Directorate (ASD) within seventy-two hours, the Record reports. The law applies to companies with an annual turnover greater than AU$3 million (around 6.5% of all registered businesses in Australia), as well as some smaller entities in critical infrastructure sectors.
The legislation, which is part of Australia's Cyber Security Act 2024, went into effect yesterday, but the Department of Home Affairs says it will take an "education-first approach" until the end of the year: "During this phase, the Department would aim to pursue regulatory action only in cases of egregious non-compliance against businesses that report on incidents, to not take capacity away from impacted entities during the initial incident response phase."
Czech Republic accuses China of attempted hacks.
The Czech Republic has attributed a cyberespionage campaign targeting its Ministry of Foreign Affairs to China's APT31, the Record reports. The Czech government stated, "Following the national attribution process, the Government of the Czech Republic has identified the People's Republic of China as being responsible for a malicious cyber campaign targeting one of the unclassified networks of the Czech Ministry of Foreign Affairs. The malicious activity, which lasted from 2022 and affected an institution designated as Czech critical infrastructure, was perpetrated by the cyberespionage actor APT31 that is publicly associated with the Ministry of State Security."
The country's foreign affairs minister Jan Lipavsky has summoned the Chinese ambassador to communicate that "such hostile activities have a damaging impact on our bilateral relations."
Iranian pleads guilty to participation in Baltimore ransomware attack.
A 37-year-old Iranian national, Sina Gholinejad, has pleaded guilty to using the Robbinhood ransomware to target US cities, including launching a 2019 attack against Baltimore that cost the city more than $19 million. The Justice Department says Gholinejad and his co-conspirators were also responsible for an attack on Greenville, North Carolina.
Gholinejad was detained in North Carolina earlier this year. He's facing a maximum penalty of 30 years in prison, with a sentencing scheduled in August.
Estonia issues arrest warrant for suspect in massive pharmacy breach.
Estonian authorities have issued an international arrest warrant for a Moroccan national accused of hacking a customer card database belonging to Allium UPI, a major provider of pharmacy and healthcare products across the Baltic countries, the Record reports. The breach, which occurred in February 2024, exposed nearly 700,000 personal identification codes used by pharmacy customers, revealing pharmacy purchases linked to customer accounts. The incident affected data belonging to almost half of the Estonian population.
Estonia's Central Criminal Police (Keskkriminaalpolitsei) alleges that 25-year-old Adrar Khalid gained access to the database using a stolen password for an administrator account.