The Weekly Round-Up: Apr. 25th, 2025


As threat actors continue to demonstrate evolving capabilities and persistence, organizations face escalating cybersecurity challenges across multiple sectors. This week's developments highlight how nation-state actors maintain prolonged access to critical infrastructure, major retailers experience disruptive breaches, and utility providers struggle to contain customer data exposure. The technical sophistication displayed in these incidents underscores the importance of robust security measures, from proper email authentication to comprehensive network monitoring.

Here are some events you need to know about:

1. Iranian State-Sponsored Group Maintains Two-Year Access to Middle East Critical Infrastructure

Summary:

Fortinet has attributed a nearly two-year-long cyber intrusion targeting critical national infrastructure (CNI) in the Middle East to an Iranian state-sponsored threat group known as Lemon Sandstorm (also tracked as Parisite, Pioneer Kitten, and UNC757). The operation, which lasted from May 2023 to February 2025, involved extensive espionage and network prepositioning tactics designed to maintain persistent access for future strategic advantage.

Timeline:

May 2023 - February 2025

Threat Actors:

Lemon Sandstorm (Iranian state-sponsored group)

Key Implications:

  • Sophisticated threat actors can maintain undetected access to critical infrastructure for extended periods
  • Operational technology (OT) networks remain high-priority targets for nation-state actors
  • Attackers demonstrate increasing resilience by deploying multiple backdoors and adapting tactics when detected
  • State-sponsored groups continue to leverage both custom and open-source tools to avoid attribution

Actionable Advice:

  • Implement comprehensive network segmentation between IT and OT environments
  • Deploy enhanced monitoring for lateral movement indicators, especially in virtualization infrastructure
  • Enforce multi-factor authentication for all remote access pathways, including VPNs
  • Develop and regularly test incident response procedures for persistent threats
  • Monitor for unusual work patterns that may indicate hands-on-keyboard operations

2. RSAC 2025 Highlights AI Security Challenges and Nation-State Threats

Summary:

The 34th annual RSA Conference (RSAC) concluded with cybersecurity professionals discussing strategies to protect networks against increasingly sophisticated threats. The event, attended by approximately 44,000 participants, focused heavily on artificial intelligence security challenges and emerging nation-state threats, particularly from China and North Korea.

Timeline:

Late April/Early May 2025

Threat Actors:

China and North Korea highlighted as primary nation-state threats

Key Implications:

  • AI dominates cybersecurity discussions, with focus shifting to both "AI for security" and "security for AI"
  • Chinese threat actors increasingly leverage AI to enhance all phases of their attack chain
  • North Korean IT workers continue targeting Fortune 500 companies, creating significant insider threats
  • Identity security remains foundational despite technological shifts in the threat landscape
  • Public-private sector collaboration faces uncertainty amid governmental changes

Actionable Advice:

  • Develop specialized security capabilities for AI systems separate from general-purpose security tools
  • Implement enhanced background screening procedures to detect potential North Korean IT workers
  • Maintain identity-focused security controls as the foundation of defense strategies
  • Prepare contingency plans for potential reductions in government cybersecurity support
  • Evaluate AI security from both defensive and offensive perspectives

3. North Korean Actors Exploit Weak DMARC Policies in Spearphishing Campaigns

Summary:

The FBI, U.S. Department of State, and NSA have jointly issued an advisory warning that North Korean Kimsuky cyber actors are exploiting improperly configured Domain-based Message Authentication, Reporting and Conformance (DMARC) DNS record policies to mask social engineering attempts. Without a properly enforcing DMARC configuration, these actors can send spoofed emails that appear to originate from legitimate domains, targeting individuals with knowledge of policy information related to North Korea and East Asian affairs.

Timeline:

Advisory released May 2, 2024; Ongoing campaign

Threat Actors:

Kimsuky (North Korean state-sponsored group)

Key Implications:

  • Email authentication vulnerabilities continue to enable sophisticated spearphishing campaigns
  • Nation-state actors target experts in policy, academia, and media for intelligence collection
  • Weak DMARC policies with "p=none" settings leave organizations vulnerable to domain spoofing
  • Social engineering techniques are becoming increasingly refined, with better context and a stronger appearance of legitimacy

Actionable Advice:

  • Update organizational DMARC policies to "p=quarantine" or "p=reject" configurations
  • Implement additional DMARC policy fields such as "rua" for aggregate reporting
  • Train staff to recognize red flags such as subtle domain misspellings and grammatical errors
  • Verify unexpected communications through separate channels before responding
  • Report suspected North Korean spearphishing to the FBI through IC3.gov using #KimsukyCSA
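The advisory's two configuration points (a "p=none" policy and a missing "rua" reporting address) are easy to check mechanically once the `_dmarc` TXT record is in hand. The following is an added example, not code from the advisory or from EIP Networks; the sample records and domain names are constructed, and the lower-casing of tag names is a choice made here for matching. It parses a DMARC record into its tags and reports the weaknesses a defender would want to fix, generalizing slightly beyond the advisory to also flag a weakened subdomain policy ("sp=none") and a partial rollout ("pct" below 100).

```python
"""Assess a DMARC TXT record for the weaknesses described in the advisory.

Added example (not part of the advisory or the round-up). The records
below are constructed samples for offline use; in practice, substitute
the TXT record published at _dmarc.<your-domain>.
"""
from typing import Dict, List

# Constructed sample records; the domains are placeholders, not real ones.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none",
    "partial.example": "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@partial.example",
    "strong.example": (
        "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strong.example; "
        "ruf=mailto:forensic@strong.example; adkim=s; aspf=s"
    ),
    "broken.example": "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs.

    Tags are separated by ';'; whitespace around tags and values is dropped.
    Tag names are lower-cased here so lookups are uniform (a choice of this
    example, not a statement about the DMARC specification).
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return a list of findings; an empty list means no weakness was detected."""
    tags = parse_dmarc(record)
    findings: List[str] = []

    # Without the DMARC1 version tag, receivers do not treat this as a DMARC record.
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing 'v=DMARC1'); receivers will ignore it"]

    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag; the record is unusable")
    elif policy == "none":
        findings.append("p=none: spoofed mail that fails DMARC is still delivered")

    # The subdomain policy defaults to 'p' when absent; flag an explicit weakening.
    if tags.get("sp") == "none" and policy != "none":
        findings.append("sp=none: subdomains are exempt from the enforcing policy")

    # pct below 100 applies the enforcing policy to only a sample of failing mail.
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing messages")

    # Without 'rua', the domain owner receives no aggregate reports of spoofing attempts.
    if "rua" not in tags:
        findings.append("no 'rua' tag: no aggregate reports, so spoofing attempts go unseen")

    return findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        issues = assess_dmarc(record) or ["no weaknesses detected"]
        print(f"{domain}:")
        for issue in issues:
            print(f"  - {issue}")
```

Run as a script, it prints one block of findings per sample record; the "strong.example" record is the shape the advisory's advice leads to (an enforcing "p=reject" with "rua" set), while "weak.example" reproduces the "p=none" and missing-"rua" configuration the actors rely on.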

4. Nova Scotia Power Data Breach Impacts Customer Information

Summary:

Nova Scotia Power has confirmed a cybersecurity incident involving unauthorized access to certain customer personal information. The breach, detected on April 25, 2025, prompted the utility to activate its incident response plan, engage external cybersecurity experts, and notify law enforcement. While the investigation continues, the company has established that customer data was accessed and exfiltrated by unauthorized third parties.

Timeline:

Detected April 25, 2025; Disclosed April 28, 2025

Threat Actors:

Currently unidentified

Key Implications:

  • Utilities continue to face targeted attacks against customer information systems
  • Timely detection and response capabilities are critical for containing breach impact
  • Separation between IT and OT systems prevented operational disruption
  • Transparent communication with customers helps maintain trust during incidents

Actionable Advice:

  • Maintain strict separation between business IT systems and operational technology environments
  • Develop comprehensive incident response procedures with clear external communication plans
  • Implement enhanced monitoring for unauthorized access to customer information systems
  • Establish dedicated communication channels for affected customers
  • Regularly test backup and recovery procedures to ensure business continuity

5. UK Retailers Face Wave of Cyber Attacks as Harrods Becomes Latest Target

Summary:

Luxury department store Harrods has become the third major UK retailer to fall victim to a cyber attack in a two-week period, following incidents at Marks & Spencer and the Co-op Group. Harrods detected unauthorized access attempts to their systems and immediately took protective measures, including restricting internet access at their locations. While their Knightsbridge flagship store, H beauty stores, and airport locations remain operational, the incident highlights a troubling trend of digital threats targeting the retail sector.

Timeline:

Attack disclosed May 1, 2025; Part of a series of retail attacks beginning mid-April 2025

Threat Actors:

Not publicly identified

Key Implications:

  • Retail sector experiencing concentrated targeting, suggesting possible coordinated campaign
  • Cybersecurity incidents increasingly impact physical store operations
  • Even luxury brands with substantial security resources remain vulnerable
  • The UK National Cyber Security Centre has warned of potentially widespread implications

Actionable Advice:

  • Retail organizations should review security measures and incident response plans
  • Implement network segmentation between customer-facing and back-office systems
  • Enhance monitoring for unauthorized access attempts across all environments
  • Develop contingency plans for operating physical locations during IT disruptions
  • Collaborate with industry peers to share threat intelligence on retail-specific attacks

6. Hertz Data Breach Linked to CL0P Ransomware Supply Chain Attack

Summary:

The Hertz Corporation is notifying customers of its Hertz, Dollar, and Thrifty brands about a data breach exposing personal information, including names, contact details, driver's licenses, and in rare cases, Social Security Numbers. The breach resulted from a ransomware attack by the CL0P gang that exploited zero-day vulnerabilities in Cleo file sharing products used by Hertz's vendors. This incident is part of a larger campaign by CL0P targeting managed file transfer solutions.

Timeline:

Attack occurred October-December 2024; Confirmed February 10, 2025; Notifications issued April 2025

Threat Actors:

CL0P ransomware gang

Key Implications:

  • Supply chain vulnerabilities continue to provide attack pathways into major enterprises
  • File transfer applications remain prime targets for sophisticated threat actors
  • Extended timeline between breach discovery and customer notification increases risk
  • Adversaries increasingly target third-party data exchange mechanisms

Actionable Advice:

  • Conduct thorough security assessments of all file transfer applications in your environment
  • Implement strict access controls and monitoring for data exchange systems
  • Develop vendor security requirements focused on prompt vulnerability remediation
  • Deploy data loss prevention technologies to detect unauthorized data exfiltration
  • Establish breach notification procedures that prioritize timely customer communication

7. Ahold Delhaize Confirms Data Theft in Major Ransomware Breach

Summary:

Ahold Delhaize, one of the world's largest food retail groups operating approximately 7,910 stores globally, has confirmed that sensitive data from its US business was stolen during a November 2024 cyberattack. The confirmation came after the threat actor responsible, INC Ransom, added the company to its data leak website and shared sample documents allegedly stolen during the attack. The company disclosed that files were taken from its internal US business systems, forcing it to shut down parts of its IT infrastructure.

Timeline:

Attack occurred November 2024; Public confirmation April 2025

Threat Actors:

INC Ransom

Key Implications:

  • Food retail sector increasingly targeted by sophisticated ransomware operations
  • Extended timeframes between attack and public disclosure complicate response
  • Critical retail infrastructure faces growing threats to supply chain continuity
  • Double extortion tactics (encryption plus data theft) remain effective against large enterprises

Actionable Advice:

  • Implement robust network segmentation to contain potential breaches
  • Develop comprehensive incident response plans specific to ransomware scenarios
  • Establish secure backup procedures resistant to ransomware corruption
  • Deploy advanced endpoint protection with behavioral analysis capabilities
  • Create communication plans for addressing public disclosure of breaches

8. X Platform Faces Massive User Data Leak Affecting 200 Million Accounts

Summary:

A self-described data enthusiast called ThinkingOne claims to have released a database containing approximately 200 million X (formerly Twitter) user records. The data appears to originate from a vulnerability first discovered in January 2022 that allowed attackers to access user information via email addresses or telephone numbers. The released dataset reportedly includes X screen names, user IDs, full names, locations, email addresses, follower counts, and profile data. More concerning, ThinkingOne claims this is part of a much larger breach involving 2.8 billion unique Twitter IDs and screen names leaked in January 2025.

Timeline:

Initial vulnerability exploited 2022; New data release April 1, 2025

Threat Actors:

ThinkingOne (identity and motives unclear)

Key Implications:

  • Historical vulnerabilities continue to impact users years after initial discovery
  • The potential scope (2.8 billion records) would represent an unprecedented breach
  • User information exposure creates downstream risks for targeted phishing attacks
  • Public figures with verified accounts face heightened security and privacy concerns

Actionable Advice:

  • Enable multi-factor authentication on all social media accounts
  • Review and restrict personal information shared in public profiles
  • Monitor accounts for unusual activity and unauthorized access attempts
  • Be vigilant for targeted phishing attempts using accurate personal details
  • Consider using unique email addresses for different social platforms

Conclusion

The cybersecurity landscape this week reveals an environment of persistent and evolving threats requiring heightened vigilance across all sectors. From Iranian state actors maintaining multi-year access to critical infrastructure to sophisticated North Korean spearphishing campaigns exploiting email authentication weaknesses, adversaries continue to demonstrate remarkable patience and technical sophistication. The retail sector faces particular pressure with three major UK retailers suffering attacks within two weeks, while utilities like Nova Scotia Power struggle to protect customer data. These incidents collectively emphasize the importance of fundamental security practices: proper authentication configurations, network segmentation, supply chain security, and comprehensive incident response planning. Organizations must maintain focus on these fundamentals while simultaneously preparing for emerging challenges like those discussed at RSAC 2025, particularly around AI security and evolving nation-state threats.

Partnering with EIP Networks for People-First Cybersecurity

EIP Networks remains committed to a person-first approach to cybersecurity, delivering tailored solutions to meet your organization's unique needs. Stay ahead of threats by engaging with our current events and weekly roundups here on our Blog, LinkedIn or X (Twitter), and learn how to fortify your security posture by booking an assessment with our expert team.

At EIP Networks, we provide cutting-edge cybersecurity solutions to protect your business from emerging threats. Don't wait for a breach—schedule a free consultation today and secure your digital future. #WeDoThat
