Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week’s edition is sponsored by runZero.
You can hear a podcast discussion of this newsletter by searching for “Risky Business News” in your podcatcher or subscribing via this RSS feed.

A groundswell of officials are calling for European countries to build cyber capabilities to strike back against adversaries. It’s a fine sentiment, but if Europe had the cojones to strike back it could have done so already with the options it currently has.
Last week, speaking on the sidelines of the Munich Security Conference, the European Commission’s Executive Vice President for Tech Sovereignty, Security and Democracy, Henna Virkkunen, told Politico that “it’s not enough that we are just defending … We also have to have offensive capacity”.
At the same conference, other European officials, including intelligence chiefs, expressed similar sentiments. NATO Deputy Secretary General Radmila Shekerinska stated that collectively, the alliance’s objective should be, “to take action and to be able to strike back” against cyber threats. Shekerinska called out Russia and China as significant threats.
This call for action is primarily being driven by Russian aggression against Europe. Late last year Russia targeted Poland’s electricity grid with a cyber operation, and is currently running a real-world sabotage campaign across Europe. While there is a cyber element to the sabotage campaign, much of it relies on recruiting local proxies. Just this week, The Financial Times reported that Russia’s military intelligence agency, the GRU, is utilizing the Wagner Group mercenary outfit to recruit disaffected locals to carry out these sabotage operations.
Europe hasn’t responded robustly to the sabotage campaign. But the successful attacks have been annoying, rather than economically devastating or lethal. So how exactly should a state respond when a petty criminal starts a warehouse fire egged on by the Wagner Group over Telegram? Prosecuting and jailing disposable agents is all well and good, but it hasn’t deterred Russia’s broader campaign. Recruiting Russian bomb throwers to retaliate could be the quickest, easiest response, but we don’t think it’s something European countries will go for.
So… cyber operations seem attractive at first glance. They can provide a stealthy, deniable way to strike back and cause mayhem. And European countries should invest in developing their own sovereign capabilities, especially given the wobbliness of the NATO alliance. But for European cyber operations to be effective, they need to be painful enough to convince Russia’s leaders to stop. That means large and noisy.
Given that more capable NATO members have not launched cyber sabotage campaigns across Russia, we wonder whether European countries even have the political will to carry out these kinds of destructive operations. There are already tools that Europe could use to impose costs on Russia, but as yet it has chosen not to. These include levying more sanctions, tackling the Russian shadow fleet that is used to evade sanctions, and closing Russian consulates and expelling its diplomats.
There are already warning signs that Russia’s sabotage is becoming more ambitious. Late last year, 15 Lithuanians were charged with terrorism offences and accused of sending parcel bombs via delivery companies. Lithuanian authorities allege the plot is linked to Russian intelligence. Reports indicate the next stage of the plan was to target cargo planes bound for the US and Canada.
If countries are not willing to levy the simple, straightforward punishments they already have at their disposal, there’s every chance they’ll be just as trigger shy on launching powerful destructive cyber attacks when, or if, the capability finally arrives.
Rather than sitting back and waiting for a magic cyber bullet, European countries should take the shots they have in their arsenal now.
AI Companies: Level the Playing Field By Hobbling Our Competitors
In the last week, both Google and OpenAI have separately highlighted the prevalence of “distillation attacks” by adversaries to steal the proprietary logic of advanced AI models. Reading between the lines, both documents appear to be asking for greater government support.
Distillation attacks, also known as model extraction attacks, aim to siphon out the special sauce of frontier models, simply by asking them questions. When these attacks are successful, other AI developers can level-up their own models at a fraction of the cost, by taking advantage of the work put in by leading companies to create proprietary logic.
Google’s latest AI threat tracker report mostly describes how threat actors are utilizing AI, but the report opens by calling out distillation attacks. Google frames these types of attacks as a form of intellectual property theft.
Google cited one example that involved more than 100,000 queries to its Gemini AI. The campaign appeared to be about “replicating Gemini’s reasoning ability in non-English target languages”.
Google didn’t call out any particular country or competitor, but instead referred to “frequent model extraction attacks from private sector entities all over the world and researchers seeking to clone proprietary logic”.
By contrast, in a memo sent to US lawmakers, OpenAI stated that the majority of distillation activity appears to originate from China and that it has seen “evolving but persistent methods” being used against its models.
OpenAI called out Chinese firm DeepSeek, and stated it had seen deliberate attempts from the company to circumvent its distillation attack countermeasures. These included DeepSeek employees developing code to programmatically access US AI models for distillation attacks, and obfuscating their IP addresses by utilizing third-party routers.
It’s not just DeepSeek, either. OpenAI states there is an entire Chinese model distillation ecosystem developing. This includes networks of unauthorised OpenAI resellers used to evade platform controls, and actors that are developing increasingly sophisticated multi-stage pipelines. These pipelines “blend synthetic-data generation, large-scale data cleaning, and reinforcement-style preference optimisation”.
Both the Google report and OpenAI’s memo have the same take-home message. It is difficult for AI companies to prevent distillation attacks, especially on their own.
From a US policymaker’s perspective, the question is whether the government should help American AI companies retain their advantage and if so, how.
Although it is possible that AI will become a commodity, there is a good chance that having indigenous AI capabilities will be important for America’s economic and national security. If that is true, then of course lawmakers should support their own AI champions. We’re sure the Chinese government is doing exactly that.
In its memo, OpenAI has helpfully provided a list of suggestions for the government. To help counter distillation attacks, these include increasing information and intelligence sharing, and working with industry to establish best practice defences.
It also recommends restricting adversary access to “US compute, cloud, payment and web infrastructure”.
OpenAI states that two critical inputs for AI development are electricity and computing capacity, ie chips. When it comes to electricity, it states, China is winning. Last year it added 543 GW of capacity, ten times the amount added by the US.
On the chips side of the equation the US still has an advantage. Although the Trump administration loosened US chip export controls as of January this year, US lawmakers are now arguing for restrictions on China’s access to advanced chip building equipment. AI companies may get some traction here.
It’s clear that distillation attacks are a serious and persistent threat to American AI leadership. If policymakers think sovereign AI will be important to both the economy and national security, they should step in and help protect it.
James Wilson contributed to this report.
Three Reasons to Be Cheerful This Week:
- Google’s explicit image removal tool: Last week Google launched a new tool for people to request the removal of non-consensual explicit images from Search.
- Locking down session cookies from Infostealers: Chrome 145, released last week, introduced Device Bound Session Credentials. These link authentication tokens to a user’s specific device, making it much harder for cybercriminals to take advantage of tokens stolen by infostealer malware, for example.
- Default theft protection coming to iOS: Apple will be turning on its Stolen Device Protection feature by default for all users of iOS 26.4. The fundamental problem being addressed here is that a thief who manages to watch a victim enter their passcode and then steals their iPhone can entirely take over a victim’s digital life. Device protection turns on additional biometric authentication requirements and adds a time delay to certain functions to give a victim an opportunity to take protective steps such as locking or erasing their device.
In this sponsored interview Casey Ellis chats to Todd Beardsley, VP of Security at RunZero about Kevology, the company’s analysis of CISA’s KEV list. Kevology lets you easily identify and resolve vulnerabilities from the list that are urgent and relevant to you.
Shorts
The Singapore Telcos Hack
Singapore’s government has shared some details about Operation Cyber Guardian, a multiagency effort to defend the country’s four major telcos from UNC3886, a Chinese threat actor.
More than 100 people across various government departments worked closely with the telcos to deal with UNC3886 after the compromises were detected. The government states that the attack “has not resulted in the same extent of damage as cyberattacks elsewhere”. Is this a reference to the outrageous success of Salt Typhoon?
We are not sure that this level of government and private sector cooperation can be reached in many other countries, but it is interesting to see the results of that kind of close cooperation.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last “Between Two Nerds” discussion Tom Uren and The Grugq discuss whether middle powers should be investing in military cyber capabilities.
Or watch it on YouTube!
Supply chain attack plants backdoor on Android tablets: A supply chain attack has planted backdoors inside the firmware of multiple Android tablet makers. Incidents of tainted firmware updates have been traced back to as far as August 2023.
The firmware images were infected with a new backdoor named Keenadu.
Spotted and analyzed by Kaspersky in a report released on Tuesday, the backdoor is injected in Zygote, the central core process of the Android operating system from where it cannot be removed without a full device flash and reinstall.
[more on Risky Bulletin]
Cambodia promises to dismantle scam networks by April: Following growing international pressure, the Cambodian government has promised to crack down and dismantle cyber scam networks operating within its borders by April this year.
The government states it raided 190 locations in January alone, and arrested more than 2,500 suspects.
More than 110,000 foreigners who used to work in the scam compounds, by force or voluntarily, have also been freed and left the country already, according to the country’s Commission for Combating Online Scams (CCOS).
The raids have hit 44 casinos, which are often used to hold the call center workers in spare rooms and under guard. Raids have also hit major hotel chains and newly-built building clusters that researchers have also been tracking for years.
[more on Risky Bulletin]
IcedID malware developer fakes his own death to escape the FBI: A Ukrainian man who developed and managed the IcedID malware botnet faked his own death in an attempt to escape the FBI and jail time in the US.
The unnamed suspect bribed Ukrainian cops to falsify a dead man’s documents and issue a death certificate in his name.
This happened in April 2024, a month before Europol and the FBI seized IcedID servers during Operation Endgame—suggesting there was either a leak in the investigation or that the suspect saw law enforcement agencies probing his servers.
[more on Risky Bulletin]















