Threat Insight

Threat Intelligence Report Q1 2025 – Quarterly Summary

This report is a summary of the most important trends Truesec Threat Intelligence Team has observed in Q1 of 2025. For more details of the observations we base this analysis on, please read the individual Threat Insights published in the Truesec Portal that we refer to.


1. Key Insights

  • The geopolitical rift between the USA and Europe means enterprises in Europe are encouraged to explore possible strategies for a potential future where storing data in US cloud services is no longer advisable.
  • Ransomware groups are constantly attempting to adapt to various defensive measures.
  • North Korea’s military hackers are conducting various forms of cybercrime, including ransomware attacks, to obtain cryptocurrency to pay for their program for Weapons of Mass Destruction.
  • The race between China and the USA to produce more powerful LLMs means that there is a risk that securing these models becomes less important.
  • Russian cyber espionage is attempting to trick users of the Signal messaging app into giving them access to their accounts.

2. Geopolitical Rift Between USA and EU

The new Trump administration in the USA has enacted several new policies that have served to throw doubt over the transatlantic link between the USA and Europe. The Trump administration and the EU also appear to increasingly follow different tracks in their handling of the war in Ukraine. One result of this is that there is now doubt that the existing frameworks for storing data in the USA in a way that is compliant with GDPR will remain in effect. This does not mean that there will be no other mechanisms if that happens, but there is now doubt about whether and how US cloud providers will be compliant with GDPR in the future. There are also signals that US intelligence and counter-intelligence efforts may deprioritize Russia as a target and avoid publicly naming Russian actors. US intelligence has been a key provider of data about Russian cyber operations, and if these signals are correct, they may hamper identification of Russian operations going forward. There is also an industry in the USA that brokers data from various online advertising companies and sells location data and browsing history of individuals to both government functions and private customers. This has been a growing concern for online privacy, but with a growing rift between the USA and the EU, this problem could become worse.

2.1 Recommended Actions

Differing data privacy laws have been a source of contention between the USA and the EU before. It is too early to predict how the volatile geopolitical situation will develop, but everything right now points to a more isolationist USA, increasingly uninterested in complying with EU privacy regulation. Enterprises in the Nordics and Europe are encouraged to explore possible strategies for a potential future where storing data in US cloud services is no longer advisable.

3. Ransomware

The ransomware ecosystem continues to adapt to improved cybersecurity and new attacks on its infrastructure. Black Basta, one of the more prolific ransomware groups, has used advanced social engineering, where they call people impersonating IT support and convince them to hand over control of their machines. A large part of the group appears to have left Black Basta after their internal chat was revealed, but members appear to have joined the Cactus group instead and brought their social engineering techniques with them. Evil Corp, one of the oldest cybercrime groups in the ransomware ecosystem, has specialized in various forms of drive-by-download attacks, where the threat actor hacks web pages and places malicious code that prompts visitors to the website to download a trojan, either by claiming they need to update their browser or by asking them to solve a fake captcha. They are now expanding to infecting devices other than Windows machines, including macOS, Linux and Android devices. A well-known so-called bulletproof hosting provider, which rents infrastructure to various cybercriminals, including ransomware groups, has begun to redirect its domains through Content Delivery Networks (CDN) like AWS, to make it harder to block the malicious sites it hosts.

3.1 Recommended Actions

In 2024 we saw how improved cybersecurity led to fewer ransomware attacks on large enterprises in the Nordics that had improved their security. These new developments show that this is no time for organizations that have improved their cybersecurity to rest on their laurels. Cybercriminals continue to adapt and find new ways to compromise environments, and defenders must strive to stay on top of new developments. All devices with access to your systems should be protected, and ideally enrolled in a SOC, not just Windows devices.

4. North Korean Cybercrime

North Korea’s military intelligence agency, the RGB, includes several cyber operations groups that conduct both espionage and cybercrime. Collectively these cyber groups are often known as “Lazarus”. Recently, one such cyber group from the RGB conducted a successful attack on the large cryptocurrency exchange Bybit, which is based in Dubai. According to several sources the hackers managed to steal a record-breaking $1.4 billion in Ethereum cryptocurrency. Another North Korean cyber operations group belonging to the RGB has reportedly conducted ransomware attacks, acting as an affiliate of the Russian Qilin Ransomware-as-a-Service group. The Qilin RaaS group is also suspected of collaborating with the Russian government and has posted the Ministry of Foreign Affairs of Ukraine on its data leak blog.

4.1 Recommended Actions

North Korean military hackers have been engaged in cybercrime for several years now, as they use cryptocurrency, obtained either through theft or through extortion, to finance North Korea’s program for weapons of mass destruction. Russia’s increasing reliance on North Korean arms and personnel to bolster its efforts in the war in Ukraine appears to have led to closer cooperation between the two countries in the realm of cybercrime too. State-sponsored cyber operations groups, like those in North Korea’s RGB, pose a significant threat as they often have access to regular espionage tradecraft, such as various forms of elaborate social engineering, to conduct attacks. Raising awareness of social engineering attacks is important.

5. AI and LLM

China is increasingly competing with the USA in AI research. The Chinese model of research backed by government funding is now trying to undercut US research financed by venture capital, by providing free open-source LLMs, like DeepSeek. This race is likely to worsen the problems of monetizing AI models to finance the research. This in turn risks exacerbating existing security problems in LLMs, as securing these models is costly.

5.1 Recommended Actions

AI and LLMs are powerful tools but should be implemented with care. New ways to subvert safeguards and security in LLMs are constantly discovered. Always include the risks of incorporating internet-exposed LLMs in your risk assessment. Stay informed about future developments in AI research and about how to avoid leaking sensitive data.

6. Russia Attempts to Compromise Signal Users

An unknown Russian threat actor, possibly associated with the Russian military intelligence GRU, has begun using a novel tactic to compromise accounts of the Signal messaging app. Signal is a popular application for sensitive messages. The attack vector involves the abuse of the app’s legitimate “linked devices” feature that enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim’s account to an actor-controlled Signal instance. Malicious QR codes have frequently been masked as legitimate Signal resources, such as group invites, security alerts, or as legitimate device pairing instructions from the Signal website. If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim’s secure conversations without the need for full-device compromise.

6.1 Recommended Actions

With the revelation that highly placed individuals in the Trump administration in the USA have used Signal for highly sensitive contacts between themselves, it is likely that Signal will become an even larger target for various forms of exploitation. If you or your organization relies on Signal for sensitive communication, please be aware of this technique and be wary of all unsolicited group invites or other QR codes related to the app. Signal is still a relatively secure form of communication, but your phone is often not secure. By compromising a phone or tricking its user, threat actors can circumvent the protection of any messaging app.
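The core of the technique described above is that the picture framing a QR code (a “group invite”, a “security alert”) says nothing about what the code actually encodes; only the decoded payload does. The following script is an added example written for this summary, not code from Truesec or from Signal: it takes QR payloads that have already been decoded (for instance by a generic QR reader rather than the Signal app) and reports whether scanning them into Signal would link a new device to the account. The URI shapes it recognizes (an `sgnl://linkdevice` URI with `uuid` and `pub_key` parameters for device linking, `https://signal.group/#...` for group invites, `https://signal.me/#p/...` for contact links) are assumptions about Signal’s public link formats and are not stated in the report; the sample payloads are constructed.

```python
"""Classify decoded Signal QR payloads before they are scanned into the app.

Added example, not part of the Truesec report. The link formats below are
assumptions about Signal's public URI shapes, not something the report states.
"""
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs


@dataclass
class QrVerdict:
    category: str  # "device-link", "group-invite", "contact-link" or "unknown"
    risky: bool    # True when scanning could hand account access to a third party
    reason: str


def classify_signal_qr(payload: str) -> QrVerdict:
    """Return what a decoded QR payload would do if scanned with Signal."""
    parts = urlparse(payload.strip())
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()

    # Assumed device-link format: sgnl://linkdevice?uuid=...&pub_key=...
    # This is only ever expected while the user is deliberately pairing a
    # desktop or tablet and has Signal's own "Link New Device" screen open.
    if scheme == "sgnl" and host == "linkdevice":
        params = parse_qs(parts.query)
        missing = [k for k in ("uuid", "pub_key") if k not in params]
        if missing:
            return QrVerdict("device-link", True,
                             "device-link URI missing " + ", ".join(missing))
        return QrVerdict("device-link", True,
                         "scanning would add a device that receives all future messages")

    # Assumed group-invite format: https://signal.group/#<invite blob>
    if scheme == "https" and host == "signal.group" and parts.fragment:
        return QrVerdict("group-invite", False,
                         "group invite; joining does not grant account access")

    # Assumed contact-link format: https://signal.me/#p/<phone number>
    if scheme == "https" and host == "signal.me" and parts.fragment.startswith("p/"):
        return QrVerdict("contact-link", False, "contact share link")

    return QrVerdict("unknown", True,
                     "not a recognised Signal link; treat as suspicious")


def triage(payloads):
    """Group a batch of decoded payloads by category for review before scanning."""
    summary = {"device-link": [], "group-invite": [], "contact-link": [], "unknown": []}
    for p in payloads:
        summary[classify_signal_qr(p).category].append(p)
    return summary


# Constructed sample payloads, in the form a QR decoder would return them.
SAMPLES = [
    "https://signal.group/#CjQKIGNvbnN0cnVjdGVkLXNhbXBsZS1ub3QtYS1yZWFsLWludml0ZQ",
    "sgnl://linkdevice?uuid=Y29uc3RydWN0ZWQtdXVpZA&pub_key=Y29uc3RydWN0ZWQta2V5",
    "https://signal.me/#p/+15555550100",
    "https://example.invalid/signal/security-alert",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = classify_signal_qr(sample)
        print(f"{verdict.category:13} risky={verdict.risky}  {verdict.reason}")
```

The second sample is the case the report warns about: a code presented as a group invite that in fact encodes a device-link request. A device-link verdict for any QR code that did not originate from your own Signal pairing screen is the signal to stop and verify before scanning; the app itself also lists paired devices under its linked-devices settings, which is the place to check for and remove any device you did not add.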

References

Geopolitical Rift Between USA and EU

  • TS-ThreatInsight-2025-14: GDPR Information in US Cloud Services
  • TS-ThreatInsight-2025-13: Potential Shift in US Cyber Operations
  • TS-ThreatInsight-2025-1: Large Data Broker of Mobile Location Data Hacked

Ransomware

  • TS-ThreatInsight-2025-10: Internal Messages of the Black Basta Ransomware Group Leaked
  • TS-ThreatInsight-2025-8: Evil Corp Expands Drive-by-Download Attacks to other OS
  • TS-ThreatInsight-2025-3: New Drive-by-Download Campaign may Lead to Ransomware
  • TS-ThreatInsight-2025-6: Cybercriminals use CDN to Bypass Site Blocking

North Korean Cybercrime

  • TS-ThreatInsight-2025-15: North Korean Hackers Collaborate with Ransomware Group
  • TS-ThreatInsight-2025-12: North Korean Cyber Heist on Crypto Currency Exchanges

AI and LLM

  • TS-ThreatInsight-2025-4: The New DeepSeek R1 AI Platform

Russia Attempts to Compromise Signal Users

  • TS-ThreatInsight-2025-9: Russian Intelligence Compromises Signal Accounts