06 Nov 2025 — 9 min read

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It’s supported by Lawfare with help from the William and Flora Hewlett Foundation. This week’s edition is sponsored by Sublime Security.
*You can hear a podcast discussion of this newsletter by searching for “Risky Business News” in your podcatcher or subscribing via this RSS feed.*
Disruptive US cyber operations against Venezuela during President Trump’s first term achieved their operational goals, according to new reporting from CNN. But they failed to meet the president’s broader goal of ousting Venezuelan leader Nicolás Maduro.
Sources told CNN that during Trump’s first term a CIA operation to disable the computer network of Maduro’s intelligence service was completely successful. A separate Cyber Command operation interrupted the satellite communications of Wagner Group mercenaries who had been sent to Venezuela to protect Maduro.
This adds to previous reporting from Wired late last year that revealed the CIA had temporarily disrupted the Venezuelan military’s payroll system in the same campaign.
It’s not surprising that these operations achieved their specific objectives. When it comes to cyber power, the United States is an orca and Venezuela is a sardine.
What seems to have been missing, though, was a realistic “theory of victory” spelling out how a disruptive cyber campaign would actually contribute to toppling Maduro’s regime. Per CNN:
The hope was that aggressive covert action could cause enough discomfort and create sufficient disturbances that the military, which has played a critical role in keeping Maduro in power, would be convinced to switch sides and support the opposition, said the former White House official.
Of course, as the official continued, “hope is not a plan”.
The most effective of the operations did appear to be the military pay disruption. A former national security official told Wired “There was a fair amount of grumbling about not getting paid”.
“Armies march on their stomach”, the official said.
It’s worth putting that disruption in context, though. Another former official said Venezuela was a humanitarian disaster at that time and that, “the average person has lost 25 pounds [and] they have no food, they have no electricity, they have no jobs, they have no medicine.”
Given that Maduro’s domestic opposition wasn’t organised enough to take advantage of that disastrous situation, it feels outrageously optimistic to have expected a short-term payroll hiccup to make much difference.
In the short term, these operations satisfied President Trump’s desire to “do something” to Maduro without running the risk of getting the US involved in yet another boots-on-the-ground quagmire. Cyber operations are a low-risk, non-kinetic option.
We’re not experts in Venezuelan politics, but if the fundamental problem is “I don’t like a country’s leadership”, cyber operations are unlikely to be a complete solution. We can’t think of a single hack or cyber campaign that would undo the US Presidency, for example.
It appears that President Trump spent his four years of downtime internalising this lesson. This time around, the “do something” about Maduro involves an aircraft carrier and military strikes.
USA’s Leaky Adtech Is Everyone’s Problem
Out-of-control adtech isn’t just a problem for American national security interests, it’s a risk to any country enmeshed in the US digital advertising ecosystem.
We’ve written many times about how the unconstrained collection, collation and sale of geolocation data in particular is a national security risk for the United States. In one striking example, a Catholic Substack publication identified a priest as a Grindr user through notionally anonymised app data supplied to it by a third party. In another example, researchers used smartphone data to track US Securities and Exchange Commission personnel as they travelled around the country.
It doesn’t take much imagination to see how these relatively unsophisticated techniques could be used to identify and track US national security personnel. But a new report from a group of European investigative journalists lays bare how this is a global risk not just constrained to the free-market yahoos in North America.
The journalists behind the report, The Databroker Files, were able to amass 13 billion location records “from almost every EU country, the United States, and many other parts of the world”. They got this all for free, by posing as potential purchasers to data brokers.
The records covered high-profile locations including European Commission and NATO headquarters in Brussels. Every record was linked to a unique device identifier, making it trivial to build a pattern of daily life for an individual.
Within Brussels alone, the journalists were able to identify the home addresses of three senior EU employees, an EU member state diplomat, employees of the European Parliament and the EU’s diplomatic service, the European External Action Service.
Reporters involved in the Databroker Files looked at data from the Netherlands, Norway, Switzerland and Ireland and found similarly alarming results. The Swiss report contains a striking dots-on-a-map visualisation of an individual who was tracked throughout a typical day, from grocery shopping, to a fitness centre and work. The investigators were even able to identify when she went on holiday to Italy.
All of this was possible despite the EU’s General Data Protection Regulation (GDPR), which is widely regarded as the model data privacy framework and has been emulated by other jurisdictions.
The report is intended as a wake-up call, but it is not surprising that this kind of analysis can be done. A 2022 Irish Council for Civil Liberties report into real-time bidding (RTB), one of the key mechanisms of internet advertising, found that Americans had their “online activity and location exposed 747 times every day” by RTB. Europeans fared better with 376 times per day. But they clearly weren’t beyond advertising’s dragnet.
For readers outside of the US, the take home message is that you do have a problem with the collection and sale of mobile geolocation data. You just don’t have comprehensive reporting about it yet.
The Unusual Suspects
Organised crime groups are collaborating with cybercriminals to facilitate the real-world theft of cargo from logistics companies, according to a new report from Proofpoint.
The cyber portion of the crime involves compromising trucking and logistics companies by installing and abusing legitimate remote monitoring and management tools. The threat actors then hijack the companies’ accounts on transport booking marketplaces and place bids for real loads. Proofpoint believes this process is used to identify and facilitate the theft of cargo loads that are likely to be profitable.
In US Senate testimony, Donna Lemm, on behalf of the American Trucking Associations, said that “identity theft and advanced cyber tactics” are often used to facilitate what she called “strategic theft”.
One form of strategic theft that is often cyber-enabled is “double brokering fraud”. This can involve tricking unwitting carriers to transport the freight to a fraudulent address, where the criminal can take custody of the cargo. Lemm said criminals conducting this fraud are often outside the US and never physically touch the freight.
Cargo theft is big business, with an estimated US$35 billion in annual losses. Of course, there are plenty of traditional ways to get the job done, but Proofpoint has observed that logistics entities are increasingly being targeted. It has identified almost two dozen campaigns since August this year. In July this year, it also reported on a different campaign focussed on high-value electronics.
In her testimony, Lemm described an explosion of strategic theft and the rise of what she called organised theft groups (OTGs). Per her written testimony:
Some OTGs are so vast and sophisticated that they have established their own call centers to manage their illegal supply chains. In many cases, these groups also operate seemingly legitimate warehouses and online marketplaces to store and sell stolen goods. In these scenarios, stolen goods are often exported out of the United States, repackaged, and then sold, sometimes for more than market value.
Considering the scale of this enterprise, it’s no surprise that these groups can afford to employ a few hacker nerd types to grease the wheels of their criminal enterprise. While we may be eternal cyber security optimists, we expect cyber-enabled real-world crime to continue growing.
Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- Edge’s scareware blocker works: Microsoft’s Edge browser now blocks scareware, malware that tries to frighten victims into buying unwanted software. The blocker is enabled by default on most Windows and Mac devices and uses a local computer vision model to spot the scams. Microsoft says it protects users “from fresh scams hours or even days before they appear on global blocklists”.
- Conti ransomware affiliate extradited: A Ukrainian national has been extradited to the US from Ireland and charged with what the Department of Justice describes as “numerous” ransomware attacks. Lytvynenko was allegedly still involved in cybercrime up until his arrest by Irish police, even after Conti had folded.
- On-premise Microsoft Exchange best practices: CISA and global partners have published a Microsoft Exchange security guide particularly targeted at on-premise Exchange servers. It’s a case of better late than never, but it is good to see that CISA has been able to produce anything amidst the federal government shutdown.
In this Risky Business sponsor interview, Casey Ellis chats to Sublime Security CEO and founder Josh Kamdjou about how Sublime is seeing a massive surge in ICS (calendar invite) phishing and how the email security platform can help.
Shorts
FCC’s Carr: US Telco Security Is Fixed Now
The US Federal Communications Commission will vote to eliminate a Biden-era ruling that telecommunications providers have an obligation to secure their networks.
That ruling, which was handed down in January this year, required that telcos “create, update and implement cybersecurity risk management plans”. It was driven by the discovery of Salt Typhoon, a Chinese state-backed group that has been hacking telcos in the US and globally. As recently as August this year, the FBI warned about the group’s outrageous success.
FCC Chairman Brendan Carr referred to the vote to eliminate the ruling in a “Halloween Treats” blog post. He wrote that undoing the ruling was, in part, because “following extensive FCC engagement”, US telcos had taken “substantial steps” to improve their cyber security.
That’s wonderful news! It is great to hear that telco security has improved so rapidly that the FCC is able to step back and wash its hands. Is there anything this administration can’t do?!
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last “Between Two Nerds” discussion Tom Uren and The Grugq discuss the futility of using aggressive cyber operations to send messages between states.
Or watch it on YouTube!
From Risky Bulletin:
**US indicts two rogue cybersecurity employees for ransomware attacks:** The US Department of Justice has charged employees at two cybersecurity firms with hacking US companies and deploying ransomware.
According to court documents, charges have been levied against Kevin Tyler Martin, a former ransomware negotiator at DigitalMint, and Ryan Clifford Goldberg, a former incident response manager at cybersecurity company Sygnia.
The two worked with a third suspect to hack into US companies, steal their data, encrypt computers, and then ask for huge ransoms in the realm of millions of US dollars.
[more on Risky Bulletin]
**Norway skittish of its Chinese electric buses:** Oslo’s public transportation agency conducted a security audit of its electric buses and, to nobody’s surprise, found that its Chinese models could be remotely disabled by their manufacturer.
According to a report from local newspaper Aftenposten, the agency, Ruter, took two electric bus models into a Faraday cage room and tested them there.
Ruter found that electric buses from Chinese company Yutong could be remotely disabled via remote control capabilities found in the bus software, diagnostics module, and battery and power control systems.
[more on Risky Bulletin]
**Russia arrests Meduza Stealer group:** Russian authorities have arrested three individuals believed to have created and sold the Meduza infostealer.
The suspects were arrested this week in the Moscow metropolitan area, according to Russia’s Interior Ministry. A video from the raids is available on the Ministry’s media portal.
The Ministry’s spokesperson, Irina Volk, said the malware was used in attacks against at least one government network in the Astrakhan region. If found guilty, the suspects face prison sentences of up to five years.
This is no surprise since the group appears to have failed to implement a “don’t s**t where you eat” policy when they rented access to their infostealer via their Telegram channel.
[more on Risky Bulletin]