7 March 2025

5 min read

Mixed messages over US government order to halt Russian cyber operations | Cyber Intelligence Briefing: March 7, 2025


Top news stories this week

  1. Stop the press. US government denies reports of halting cyber operations against Russian targets.
  2. Patch now. Threat actors are actively exploiting VMware, Cisco, and Microsoft vulnerabilities.
  3. You've got mail. BianLian impersonator sends out ransom notes via physical post.
  4. Health attacks. Qilin ransomware group targets cancer clinic in Japan and women's healthcare facility in Kansas City.
  5. Starstruck. The Polish Space Agency (POLSA) suffers ongoing cyber security threats.
  6. Law and order. US sanctions Iranian dark web marketplace administrator and Garantex takedown.

1. Mixed messages over US government order to halt Russian cyber operations

The US Department of Defense has denied reports that the government has halted cyber operations against Russian targets after several media reports, including The New York Times, claimed Defence Secretary Pete Hegseth had ordered the US Cyber Command to do so. CISA also denied that it had changed its posture towards Russia after reports claimed agency staff were verbally instructed not to monitor or report on threats from the country.

So what?

The mixed messaging underscores the uncertainty in the US's broader cyber strategy towards Russia, a country that has been described as one of the US's largest cyber threats.

[Researcher: Waithera Junghae]

2. Threat actors are actively exploiting VMware, Cisco, and Microsoft vulnerabilities

Several vulnerabilities in VMware, Cisco, and Microsoft systems are being exploited by criminals. The VMware vulnerabilities are high severity, as they could enable attackers with local administrator privileges to escape a guest virtual machine and gain full control of the hypervisor and host system.

So what?

Organizations should prioritise patching their systems according to their criticality to reduce the risk of ransomware attacks. Compensating controls should be in place for legacy systems until they can be decommissioned.

[Researcher: Milda Petraityte]


3. BianLian impersonator sends out extortion messages via physical mail

Various corporate executives have received letters claiming to be from the well-known ransomware group BianLian. The messages were delivered via physical mail, which is highly unusual for a cyber attack, and demanded payment in bitcoin. Researchers have identified that the listed bitcoin wallets were recently created, and no link could be found to known BianLian infrastructure.

So what?

It is vital to receive proof of possession if engaging with threat actors to confirm the veracity of their claims. For a more in-depth look into this campaign, see S-RM’s cyber threat advisory.

[Researcher: Lena Krummeich]


4. Qilin ransomware group targets cancer clinic in Japan and women's healthcare facility in Kansas City

The Qilin ransomware group has claimed responsibility for cyber attacks on the Utsunomiya Central Clinic, a cancer clinic in Japan, and Rockhill Women's Care in Kansas City, resulting in the disruption of medical services and the theft of sensitive patient and staff data. Qilin is known for targeting healthcare organizations and has previously stated it has “no regrets” over the damage caused in such attacks.

So what?

Critical healthcare facilities should ensure they appropriately safeguard sensitive data and have well-rehearsed incident response plans.

[Researcher: Denisa Greconici]


5. The Polish Space Agency (POLSA) suffers ongoing cybersecurity threats

The Polish Space Agency (POLSA) recently suffered a cyber attack, forcing it to disconnect from the internet as a containment measure. The nature of the attack is unconfirmed at this stage. Poland, often targeted by Russian cyber attacks over its support for Ukraine, plans to increase its cybersecurity spending to USD 760 million.

So what?

Proactive containment measures such as disconnecting systems from the internet are an important step for containing and recovering from cybersecurity incidents.

[Researcher: Blanche MacArthur]


6. US sanctions Nemesis dark web market operator and Garantex takedown

The US has sanctioned Iranian national Behrouz Parsarad for operating the defunct Nemesis dark web marketplace. The sanctions include 49 blockchain addresses used to store and launder money. Separately, the website of cryptocurrency exchange Garantex was taken down following an apparent seizure by US and European law enforcement.

So what?

Law enforcement agencies have made strong progress in tackling dark web marketplaces and exchanges. Unfortunately, the demand for illegal services continues to drive the establishment of new sites.

[Researcher: Jon Seland]

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.