CyberBakery Chronicles (09 June 2025)
Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.


Your Weekly Cybersecurity Update (09 June 2025)
Researchers Detail Bitter APT’s Evolving Tactics as Their Geographic Scope Expands
OpenAI Suspends ChatGPT Accounts Connected to State-Supported Hacking and Misinformation
New Destructive Malware: PathWiper Targets Ukrainian Critical Infrastructure
Germany fines Vodafone $51 million for privacy and security violations
ANU Investigates Possible Hacking Incident Involving Vice-Chancellor's LinkedIn Profile
The threat actor known as Bitter is a state-backed hacking group that gathers intelligence on behalf of the Indian government. This assessment comes from a joint analysis by Proofpoint and Threatray.
Bitter, also known as APT-C-08 and other aliases, primarily targets South Asian entities but has expanded its focus to include China, Saudi Arabia, South America, and recently, Turkey, using malware families like WmRAT and MiyaRAT.
The group typically conducts targeted attacks on governments, diplomatic entities, and defence organisations to collect intelligence on foreign policy. Their tactics often involve spear-phishing emails sent from various providers, including compromised accounts linked to Pakistan, Bangladesh, and Madagascar. Additionally, Bitter has been known to impersonate government officials from countries like China and South Korea to trick victims into opening malware-laden attachments.

Overview of Bitter’s infection chains
“Based on the content and decoy documents, TA397 is clearly willing to impersonate other countries’ governments, including Indian allies,” stated the enterprise security company.
“Although TA397 targeted Turkish and Chinese entities in Europe, this indicates they likely have insight into the legitimate activities of Madagascar and Mauritius, which they use for spear-phishing operations.”
Bitter has been seen actively engaging in two campaigns against government organisations, conducting reconnaissance and deploying malware like KugelBlitz and BDarkRAT—a .NET trojan identified in 2019. This malware enables remote access to gather system information, execute commands, and manage files on compromised hosts.

Bitter’s Malware Families
The ORPCBackdoor has been linked to a threat actor known as Mysterious Elephant by the Knownsec 404 Team, which has ties to other India-aligned groups, including SideWinder, Patchwork, Confucius, and Bitter.
Analysis shows that this group operates primarily during standard business hours (Monday to Friday) in Indian Standard Time (IST); the timing of its WHOIS domain registrations and TLS certificate issuance follows the same pattern. Researchers suggest that this espionage-focused actor likely operates on behalf of an Indian intelligence organisation.
OpenAI has recently taken action against numerous ChatGPT accounts linked to state-sponsored hacking and disinformation campaigns. These accounts, associated with actors from China, Russia, North Korea, Iran, and the Philippines, were found exploiting ChatGPT for various malicious activities.
Key Findings from OpenAI’s Investigation
Social Media Manipulation: OpenAI identified and banned accounts that utilised ChatGPT to generate large volumes of social media content designed to influence public opinion. Notably, Chinese-linked accounts produced posts in multiple languages, including English, Chinese, and Urdu, on topics such as U.S. political divisions, criticisms of Taiwan, and commentary on Pakistani activist Mahrang Baloch. These posts appeared on platforms like TikTok, X (formerly Twitter), Reddit, and Facebook. Similar activities were observed among Russian, Iranian, and Philippine actors, targeting issues such as NATO criticism and domestic political support.
Cyberattack Facilitation: State-affiliated hacking groups, including China’s APT5 (Keyhole Panda) and APT15 (Vixen Panda), utilised ChatGPT to enhance their cyberattack capabilities. They sought assistance in developing scripts for brute-force attacks, scanning servers, conducting AI-driven penetration testing, and automating social media operations. Russian hackers used the platform to refine malware, debug code, and establish command-and-control infrastructures, often employing tactics to avoid detection, such as using temporary email addresses and limiting conversations per account.
Employment Scams and Fraud: Actors from North Korea and Cambodia exploited ChatGPT to create fraudulent job applications and resumes, aiming to infiltrate Western companies. Additionally, Cambodian-based operations used the tool to generate and translate social media comments as part of financial fraud schemes.
OpenAI’s Response and Security Measures
OpenAI has disabled all identified accounts involved in these activities and shared relevant information with industry partners to bolster collective cybersecurity efforts. The company emphasised that, while these actors leveraged ChatGPT for malicious purposes, the AI did not provide them with capabilities beyond what is accessible through publicly available resources.
This development underscores the growing concern over the misuse of AI technologies by state-sponsored entities, highlighting the importance of ongoing vigilance and collaboration within the cybersecurity community.
A newly identified malware strain named PathWiper has been deployed in an attack targeting a critical infrastructure organisation in Ukraine, continuing a troubling trend of state-aligned cyber aggression. The malware, discovered and analysed by Cisco Talos, is considered highly destructive, and its operational characteristics strongly suggest links to Russia-affiliated APT groups, possibly tied to the infamous Sandworm/APT44 threat cluster.
Key Characteristics of PathWiper
Deployment Method: PathWiper is executed on target systems via a Windows batch file that launches a malicious VBScript (uacinstall.vbs). This script drops and executes the primary payload (sha256sum.exe). The execution mimics the behaviour and names associated with legitimate administrative tools to evade detection.
Destructive Capabilities: Unlike previous wipers such as HermeticWiper, which enumerated physical drives, PathWiper programmatically identifies all connected drives and volumes, including removable and network drives. It then corrupts the Master Boot Record (MBR) and NTFS-related artifacts, rendering the system unbootable and data unrecoverable.
Use of Legitimate Tools: The malware utilises a legitimate endpoint administration tool for deployment, indicating that the attackers had previously compromised the system to gain administrative access.
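The deployment chain above (batch file, then a script host running uacinstall.vbs, then a payload named sha256sum.exe) can be detected by correlating parent and child processes rather than matching the lookalike filename on its own. This is an added example, not code from Cisco Talos or the original post; the event field names and the sample events are constructed assumptions.

```python
"""Parent/child process-chain detector for the PathWiper deployment pattern
described above. Events are constructed samples (not real telemetry) with
assumed field names: pid, ppid, image (process name) and cmdline."""
import re

# Constructed process-creation events: one suspicious chain and one benign
# interactive run of a real hashing tool that must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe /c install.bat"},
    {"pid": 300, "ppid": 200, "image": "wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\Public\\uacinstall.vbs"},
    {"pid": 400, "ppid": 300, "image": "sha256sum.exe",
     "cmdline": "C:\\Users\\Public\\sha256sum.exe"},
    {"pid": 500, "ppid": 200, "image": "sha256sum.exe",
     "cmdline": "sha256sum.exe file.iso"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DROPPER_SCRIPT = re.compile(r"uacinstall\.vbs", re.IGNORECASE)
PAYLOAD_NAME = "sha256sum.exe"


def find_pathwiper_chains(events):
    """Return one hit per sha256sum.exe process whose parent is a script host.
    The hit records the ancestry (payload, parent, grandparent images) and a
    reason string; a hit is 'strong' when the parent was running uacinstall.vbs."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() != PAYLOAD_NAME:
            continue
        parent = by_pid.get(e["ppid"])
        # Name alone is weak evidence: the payload mimics a legitimate tool.
        if parent is None or parent["image"].lower() not in SCRIPT_HOSTS:
            continue
        grandparent = by_pid.get(parent["ppid"])
        chain = [e["image"], parent["image"],
                 grandparent["image"] if grandparent else None]
        strong = bool(DROPPER_SCRIPT.search(parent["cmdline"]))
        hits.append({
            "pid": e["pid"],
            "chain": chain,
            "strong": strong,
            "reason": ("script host running uacinstall.vbs spawned sha256sum.exe"
                       if strong else "script host spawned sha256sum.exe"),
        })
    return hits
```

Run `find_pathwiper_chains(SAMPLE_EVENTS)` to see that only the script-host-spawned copy (pid 400) is reported, while the interactive run under cmd.exe is ignored.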
Attribution and Context
Cisco Talos researchers compare PathWiper to HermeticWiper, previously deployed in Ukraine by the ‘Sandworm’ threat group, suggesting that PathWiper may be an evolution of HermeticWiper used by the same or overlapping threat clusters.
This development underscores the persistent cyber threats facing Ukraine’s critical infrastructure, highlighting the need for robust cybersecurity measures and international cooperation to mitigate such attacks.
Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) has imposed a record €45 million ($51.4 million) fine on Vodafone GmbH, the German subsidiary of Vodafone Group, for significant violations of the General Data Protection Regulation (GDPR).

Breakdown of the Fines
€15 Million Fine – Inadequate Oversight of Partner Agencies
Vodafone was penalised €15 million for failing to supervise its partner agencies properly. Employees within these agencies engaged in fraudulent activities, including creating fictitious contracts and making unauthorised changes to customer agreements, leading to financial harm for customers.
€30 Million Fine – Security Vulnerabilities in Customer Systems
An additional €30 million fine was levied due to security flaws in Vodafone’s “MeinVodafone” online portal and customer hotline. These vulnerabilities allowed unauthorised individuals to access customer eSIM profiles, posing significant risks to personal data security.
Vodafone’s Response and Remedial Actions
Vodafone has acknowledged the breaches and cooperated fully with the BfDI throughout the investigation. The company has taken several corrective measures, including:
Overhauling its data protection protocols.
Enhancing the selection and auditing processes for partner agencies.
Terminating relationships with agencies involved in fraudulent activities.
Implementing stronger authentication measures for customer systems.
Furthermore, Vodafone has already paid the fines in full and donated several million euros to organisations promoting data protection, media literacy, and anti-cyberbullying initiatives.
Regulatory Perspective
Prof. Dr. Louisa Specht-Riemenschneider, the Federal Commissioner for Data Protection and Freedom of Information, emphasised the importance of enforcing data protection laws to maintain user trust in digital services. She noted that while sanctions are necessary when breaches occur, the ultimate goal is to prevent such incidents through proactive compliance and robust data protection measures.
This case highlights how crucial it is for companies to maintain stringent oversight of third-party partners and to secure customer data systems, in line with GDPR requirements.
The Australian National University (ANU) is investigating a potential cyber incident involving Vice-Chancellor Genevieve Bell’s LinkedIn account. The account reportedly “liked” several posts containing offensive content related to Gaza and ANU Chancellor Julie Bishop—interactions that Bell asserts she did not initiate. ANU has reported the incident to the Australian Cyber Security Centre and has initiated an internal investigation.

This incident occurs amid significant institutional changes at ANU, including a $100 million cost-cutting initiative under the Renew ANU plan and the release of a critical report highlighting issues of sexism and racism within the former College of Health and Medicine. Vice-Chancellor Bell has acknowledged the challenges facing the university and emphasised the importance of respectful dialogue during this period of transformation. 
Given the increasing prevalence of cyber threats targeting academic institutions, it’s crucial for individuals and organisations to adopt robust cybersecurity measures. Here are some recommended tools and services to enhance digital security:
Implementing these tools and services can significantly enhance the security posture of individuals and organisations, helping to protect against unauthorised access and potential cyber threats.
Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.
Let’s make 2025 the year of shared knowledge and community growth.