CyberBakery Chronicles (02 May 2025)

Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (02 May 2025)

At the RSA Conference 2025, a panel of Chief Information Security Officers (CISOs) convened to discuss the precarious position many security leaders find themselves in—often serving as the fall guys when things go south. The session, aptly titled “How to Survive as a CISO aka ‘Chief Scapegoat Officer’,” shed light on the ethical dilemmas and professional risks inherent in the role.

Dd Budiharto, former CISO at Marathon Oil and Phillips 66, shared her experience of being terminated for refusing to approve fraudulent invoices. Despite facing retaliation and false accusations, her strong internal relationships and decision not to pursue legal action preserved her professional reputation. She emphasised the importance of personal integrity and the challenges of making tough decisions without the safety net of a “golden parachute.”


Andrew Wilder, CISO at Vetcor and cybersecurity adjunct professor, advised that CISOs should secure Directors and Officers (D&O) insurance and Personal Legal Liability Insurance (PLLI) upon joining a company. These policies, standard for corporate officers, provide protection during and after tenure, especially crucial given organisations' tendency to scapegoat CISOs following security breaches.

The panel underscored that while whistleblowing is a moral imperative, it carries significant risks, including potential blacklisting. Therefore, CISOs must be strategic, ensuring they have legal protections and support systems in place to navigate the complex landscape of corporate cybersecurity ethics.

On April 25, 2025, Nova Scotia Power, along with its parent company Emera, reported that they had detected unauthorised access to several segments of their Canadian network and servers that are essential for various business applications. Upon discovering the breach, the companies acted swiftly by shutting down the affected servers and isolating them from their main network to prevent any further unauthorised access and to contain the situation.

This cyberattack significantly disrupted a number of critical IT systems, with the most notable impacts felt on the customer care phone line and the online customer portal. These disruptions created challenges for many customers attempting to reach support or manage their accounts online. As of the latest update on April 28, restoration efforts were still underway, with teams working diligently to restore full functionality to the affected systems.

Despite the complications resulting from the cyberattack, Nova Scotia Power and Emera confirmed that their physical operations, including electricity generation, transmission, and distribution, were not affected. Key facilities, such as the Maritime Link and the Brunswick Pipeline, continued to operate normally and without interruption. Moreover, all of Emera’s utility operations in the United States and the Caribbean remained completely unaffected by this incident, ensuring that service delivery in those regions continued smoothly.

In light of this event, Nova Scotia Power is actively investigating the possibility that customer data or sensitive business information may have been compromised during the incident. Given that the utility’s online “MyAccount” portal enables secure payment transactions, there are rising concerns about the potential exposure of confidential financial information for hundreds of thousands of customers. The company is taking this matter seriously and is working to assess and rectify any security vulnerabilities.

While the precise details regarding the nature of the cyberattack have not been made public, it is important to note that, as of now, no known ransomware group has taken responsibility for the attack. This incident serves as a stark reminder of the growing trend of cybercriminals targeting entities within the energy sector. It highlights the urgent need for enhanced cybersecurity measures to protect critical infrastructure from such threats, ensuring the safety and reliability of services for all customers.

In 2024, the number of Russian cyberattacks on Ukraine surged by approximately 70%, reflecting an aggressive escalation in digital hostilities amid ongoing geopolitical tensions. However, despite this increase in the volume of attacks, their effectiveness diminished significantly, as evidenced by the historic low of only 84 incidents classified as critical. This drastic drop highlights a notable shift in the quality of the cyber efforts being employed.


According to data released by Ukraine's Computer Emergency Response Team (CERT-UA), a total of 4,315 cyber incidents were traced back to Russian intelligence services, a substantial rise from the 2,543 incidents reported in 2023. This considerable increase in cyber activity can be further broken down: the latter half of 2024 alone experienced a staggering 48% rise in attacks compared to the first half, pointing to a possible intensification of cyber operations as the year progressed.

Victor Zhora, the former deputy chairman of Ukraine’s State Special Communications Service, stressed the critical role that cyber operations play in Russia's overall strategy for conventional warfare. These cyber efforts are aimed at disrupting Ukrainian military capabilities and gaining strategic advantages on the battlefield. Notably, despite the heightened frequency of cyberattacks, Ukraine's advancements in cybersecurity measures have proven effective in reducing the negative impact of these incidents.

Analysts have indicated that a potential reason for the diminishing effectiveness of Russian cyberattacks is their growing dependence on automated tools and the use of repetitive tactics. This reliance on predictable methods may hinder their ability to achieve significant breaches or disruptions. Nonetheless, the continuing focus on high-value government and military targets underscores the ongoing threat posed by these cyber operations, highlighting the necessity for Ukraine to maintain vigilance and continuously enhance its defences against evolving cyber threats.

Marks & Spencer (M&S), a prominent British retailer, has been grappling with a significant cyberattack attributed to the hacking group known as Scattered Spider. The attack has led to widespread operational disruptions, including the suspension of online orders and challenges in in-store services.

Nature of the Attack

The cyberattack, which began in April 2025, involved the deployment of ransomware that encrypted M&S’s servers. Investigations suggest that the attackers initially breached the company’s systems as early as February, extracting the NTDS.dit file—a critical component of Windows Active Directory that contains password hashes. By cracking these hashes, the hackers gained access to various systems within M&S’s network. 

The ransomware used in this attack is identified as DragonForce, which was deployed to encrypt virtual machines on M&S’s VMware ESXi hosts. 

Impact on Operations

As a result of the attack, M&S experienced significant disruptions:

  • Online Services: The retailer suspended online clothing and homeware orders. 

  • In-Store Services: Contactless payment systems were temporarily affected, and some stores reported shortages of popular items like Percy Pig sweets and Colin the Caterpillar cakes. 

  • Workforce: Approximately 200 warehouse workers were instructed to stay home due to operational challenges. 

  • Recruitment: M&S paused new hiring and took its recruitment systems offline. 

Financial Repercussions

The cyberattack has had substantial financial implications for M&S:

  • Market Valuation: The company’s market value dropped by nearly £700 million, with shares falling 7% since the incident began. 

  • Daily Losses: Estimates suggest daily losses exceeding £3 million due to halted online sales and operational disruptions. 

About Scattered Spider

Scattered Spider is a hacking collective comprising primarily young, English-speaking individuals from the U.S. and the UK. The group is known for employing sophisticated social engineering tactics, including phishing and SIM swapping, to infiltrate corporate networks. 

Notably, members of Scattered Spider have been linked to previous high-profile cyberattacks on organisations such as MGM Resorts and Caesars Entertainment. 

Response and Mitigation

In response to the attack, M&S has engaged cybersecurity firms, including CrowdStrike, Microsoft, and Fenix24, to assist in investigating and mitigating the breach. The UK’s National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) are also involved in the ongoing investigation. 

M&S CEO Stuart Machin has urged customers to shop in-store while online services remain disrupted, emphasising the company’s commitment to resolving the issue promptly. 

This incident underscores the growing threat of cyberattacks on major retailers and the importance of robust cybersecurity measures to protect critical infrastructure and customer data.

Chinese state-sponsored hackers, identified as the advanced persistent threat (APT) group “TheWizards,” have been exploiting the IPv6 Stateless Address Autoconfiguration (SLAAC) protocol to conduct adversary-in-the-middle (AitM) attacks using a tool named “Spellbinder.” 

Exploiting IPv6 SLAAC via Spellbinder

Spellbinder leverages IPv6 SLAAC by sending spoofed ICMPv6 Router Advertisement (RA) messages. These messages trick devices into recognising the attacker’s system as the default gateway, enabling the interception and redirection of network traffic. This method allows attackers to manipulate legitimate software update processes, redirecting them to malicious servers under their control.
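As an added illustration of the defensive side of this technique (example code written for this page, not code from the original post or from any vendor report on Spellbinder), the following Python parses ICMPv6 Router Advertisement messages as defined in RFC 4861 and flags any RA whose source link-layer address is not on an allowlist of routers expected on the segment. The router MAC addresses, the prefix 2001:db8:1::/64 and the allowlist are constructed for the example; the builder function exists only to produce test input for the detector.

```python
import struct
import ipaddress

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER_ADDR = 1   # RFC 4861 option type 1
OPT_PREFIX_INFORMATION = 3       # RFC 4861 option type 3


def parse_router_advertisement(payload: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (header plus options) into the
    fields a defender cares about. Raises ValueError on malformed input."""
    if len(payload) < 16:
        raise ValueError("payload shorter than the 16-byte RA fixed header")
    (msg_type, code, _checksum, hop_limit, flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),        # M flag: use DHCPv6 for addresses
        "other_config": bool(flags & 0x40),   # O flag: use DHCPv6 for other config
        "router_lifetime": router_lifetime,   # >0 means "use me as default gateway"
        "source_mac": None,
        "prefixes": [],
    }
    offset = 16
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("option length 0; RFC 4861 says discard the packet")
        size = opt_len * 8  # option length is in units of 8 octets
        opt = payload[offset:offset + size]
        if len(opt) < size:
            raise ValueError("truncated option body")
        if opt_type == OPT_SOURCE_LINK_LAYER_ADDR and size >= 8:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in opt[2:8])
        elif opt_type == OPT_PREFIX_INFORMATION and size == 32:
            prefix_len, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            prefix = ipaddress.IPv6Address(opt[16:32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{prefix_len}",
                "autonomous": bool(pflags & 0x40),  # A flag: hosts may SLAAC from it
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        offset += size
    return ra


def classify_ra(ra: dict, allowed_routers: dict) -> list:
    """Compare a parsed RA against an allowlist {router_mac: {prefix, ...}}.
    Returns a list of (severity, message) findings; an empty list means the
    RA came from an expected router advertising only expected prefixes."""
    findings = []
    mac = ra["source_mac"]
    if mac not in allowed_routers:
        # An unknown router with a non-zero lifetime is exactly the rogue-RA
        # pattern described above: hosts will adopt it as default gateway.
        if ra["router_lifetime"] > 0:
            findings.append(("high", f"RA from unknown router {mac} offering itself as default gateway"))
        else:
            findings.append(("medium", f"RA from unknown router {mac}"))
        return findings
    for p in ra["prefixes"]:
        if p["prefix"] not in allowed_routers[mac]:
            findings.append(("high", f"known router {mac} advertised unexpected prefix {p['prefix']}"))
    return findings


def build_ra(source_mac: str, prefix: str, router_lifetime: int = 1800) -> bytes:
    """Construct a syntactically valid RA as test input for the parser above.
    The checksum is left as 0; this is a fixture, not a packet to transmit."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)
    sll = bytes([OPT_SOURCE_LINK_LAYER_ADDR, 1]) + bytes.fromhex(source_mac.replace(":", ""))
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    return header + sll + pio


# Constructed sample data: one known router and one impostor that advertises
# the same legitimate prefix from an unknown MAC (prefix checks alone miss it).
ALLOWED_ROUTERS = {"00:11:22:33:44:55": {"2001:db8:1::/64"}}
LEGIT_RA = build_ra("00:11:22:33:44:55", "2001:db8:1::/64")
ROGUE_RA = build_ra("de:ad:be:ef:00:01", "2001:db8:1::/64")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_RA), ("rogue", ROGUE_RA)):
        ra = parse_router_advertisement(raw)
        print(label, ra["source_mac"], ra["prefixes"][0]["prefix"], classify_ra(ra, ALLOWED_ROUTERS))
```

The detector is deliberately keyed on the source link-layer address rather than on the advertised prefix: a rogue RA that copies the real prefix but sets a non-zero router lifetime is enough to become the default gateway, so a monitor that only watches for unknown prefixes would miss the scenario described above. In production the same logic would be fed from a packet capture of ICMPv6 type 134 on each segment, and the allowlist would mirror the RA Guard configuration on the switches.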

Targeted Software and Malware Deployment

TheWizards have specifically targeted popular Chinese software applications, including Sogou Pinyin and Tencent QQ. By hijacking their update mechanisms, the attackers deliver a modular backdoor known as “WizardNet.” This backdoor is capable of executing .NET payloads, facilitating further malicious activities on the compromised systems. 

Attack Methodology

The attack sequence involves delivering a ZIP archive containing four files: AVGApplicationFrameHost.exe, wsc.dll, log.dat, and winpcap.exe. Upon execution, winpcap.exe is installed, and AVGApplicationFrameHost.exe is used to sideload wsc.dll. This DLL reads and executes shellcode from log.dat, initiating the Spellbinder tool. Spellbinder then captures and manipulates network packets, particularly DNS queries, to redirect traffic to attacker-controlled servers.

Broader Implications

TheWizards have been active since at least 2022, targeting sectors such as gambling and individuals in regions including Cambodia, Hong Kong, Mainland China, the Philippines, and the United Arab Emirates. Their use of IPv6 SLAAC for lateral movement and traffic interception underscores the need for heightened awareness and security measures concerning IPv6 protocols.

Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.

The CyberChef

Let’s make 2025 the year of shared knowledge and community growth.
