Cybersecurity Risks


  • Marie-Doha Besancenot

    Senior advisor for Strategic Communications, Cabinet of 🇫🇷 Foreign Minister; #IHEDN, 78e PolDef

    40,920 followers

    🇷🇺 🗞️ How Russia selectively controls the impunity enjoyed by cybercriminals: an enlightening report issued this week by INSIKT Group / Recorded Future, documenting how the Russian cyber-criminal ecosystem shifted from broad tolerance to managed control. 🔎 Research from May 2024–Sept 2025 using data from dark-web forums, leaked chats and public enforcement. It sheds light on Operation Endgame, a multinational takedown effort from May 2024, and shows how it changed ground dynamics:
    🔹 It targeted loaders, enablers, money mules and infrastructure.
    🔹 The actions signalled to the ecosystem that the cost-benefit calculus for operating from/within Russia has shifted; enforcement is not zero-risk.
    🔹 The selective pressure triggered changes in the underground: fragmentation, tighter vetting, paranoia, evolving ransomware TTPs, group rivalries, payment/target strategies.
    🔹 The “politics of protection” = enforcement, or the lack thereof, signals which actors are expendable and which are strategically useful.

    Take-aways

    1️⃣ A managed market
    🔹 The 🇷🇺 cyber-criminal ecosystem has evolved from near-blanket tolerance toward selective State management: actors with little strategic value are targeted; those providing intelligence, geopolitical leverage & state utility are insulated.
    🔹 Protection no longer depends on location.
    🔹 Direct, task-level coordination between cyber-criminal leadership and Russian intelligence. In addition, the “Dark Covenant” model (direct, indirect, tacit links) remains operative.

    2️⃣ Underground ecosystem adapts
    🔹 Affiliates are less visible; open-call RaaS (ransomware-as-a-service) programs declined in public forums.
    🔹 Operators have heightened vetting: deposits, KYC-lite checks, stricter inactivity rules.
    🔹 Business rules: some ransomware programs explicitly exclude nonprofits, healthcare and government entities; minimum ransom demands; anti-collision rules. These act as both reputational hedges and political boundary markers.
    🔹 Impersonator groups proliferate: façade ransomware groups or “scam” groups trying to ride brand equity, which erodes trust & raises barriers to entry.
    🔹 Forum discussions show increased emphasis on OPSEC: moving to decentralized communication, burner phones, hidden volumes, etc.

    3️⃣ Enforcement signals / “politics of protection”
    • Russian authorities have taken visible action against certain monetisation/enabler nodes (e.g., Cryptex, UAPS).
    • By contrast, core high-value ransomware groups (Conti, Trickbot) have avoided this = insulation via state links.

    4️⃣ Cyber-criminal groups are increasingly embedded in Russia’s geopolitical strategy
    🔹 Arrests, releases and negotiations align with diplomatic cycles and prisoner exchanges.
    🔹 Cyber-crime = a hybrid instrument of state influence, intelligence gathering, plausible deniability & leverage.

    ➡️ Defenders should understand the state-criminal bargain.
    🔹 Disruption strategies also need to target the enablers (cash-out, money-laundering, hosting).

    📰 ☕️ Enjoy the weekend read!

  • Andrey Gubarev

    CISO for EU FinTechs | ICT Risk, Outsourcing Oversight, Evidence and Board Reporting

    29,369 followers

    All risk is enterprise risk. Cybersecurity Risk Management (CSRM) must be part of Enterprise Risk Management (ERM).

    Many companies think managing cyber risks is:
    ╳ Just an IT problem.
    ╳ Isolated from other risks.
    ╳ A low-priority task.

    But in reality, it is:
    ☑ A key part of the entire risk strategy.

    Here are the key steps to integrate cybersecurity risk into enterprise risk management:
    1. Unified Risk Management ↳ Integrating CSRM into ERM helps handle all enterprise risks effectively.
    2. Top-Level Involvement ↳ Top management must be involved in managing cyber risks along with other risks.
    3. Contextual Consideration ↳ Cyber risks should be considered in the context of the enterprise's mission, financial, reputational, and technical risks.
    4. Aligned Risk Appetite ↳ Align risk appetite and tolerance between enterprise management levels and cybersecurity systems.
    5. Holistic Approach ↳ Adopt a holistic approach to identify, prioritize, and treat risks across the organization.
    6. Common Risk Language ↳ Establish a common language around risk that permeates all levels of the organization.
    7. Continuous Improvement ↳ Monitor, evaluate, and adjust risk management strategies continuously.
    8. Clear Governance ↳ Ensure clear governance structures to support proactive risk management.
    9. Digital Dependency ↳ Understand how cybersecurity risks affect business continuity, customer trust, and regulatory compliance.
    10. Strategic Enabler ↳ Prioritize risk management as both a strategic business enabler and a protective measure.
    11. Risk Register ↳ Use a unified risk register to consolidate and communicate risks effectively.
    12. Organizational Culture ↳ Foster a culture that values risk management as important for achieving strategic goals.

    Integrating cybersecurity risk into enterprise risk management isn't just a technical task. It's a strategic necessity.

    💬 Leave a comment — how does your company handle cyber risk?
    ➕ Follow Andrey Gubarev for more posts like this

  • Victoria Beckman

    Associate General Counsel - Cybersecurity & Privacy

    32,759 followers

    The National Institute of Standards and Technology (NIST) has released a draft of its “Cybersecurity Framework Profile for Artificial Intelligence” (open for public comment until Jan 30, 2026) to help organizations think about how to strategically adopt AI while addressing emerging cybersecurity risks that stem from AI’s rapid advance. Building on the #NIST Cybersecurity Framework 2.0, the Cyber AI Profile translates well-established risk management concepts into AI-specific cybersecurity considerations, offering a practical reference point as organizations integrate AI into critical systems and confront AI-enabled threats.

    The Cyber AI Profile centers on three focus areas:
    • Securing AI systems: identifying cybersecurity challenges when integrating AI into organizational ecosystems and infrastructure.
    • Conducting AI-enabled cyber defense: identifying opportunities to use AI to enhance cybersecurity, and understanding challenges when leveraging AI to support defensive operations.
    • Thwarting AI-enabled cyberattacks: building resilience to protect against new AI-enabled threats.

    The Profile complements existing NIST frameworks (CSF, AI RMF, RMF) by prioritizing AI-specific cybersecurity outcomes rather than creating a standalone regime.

  • Alexander Leslie

    National Security & Intelligence Leader | Senior Advisor @ Recorded Future | Insikt Group | Cybercrime, Espionage, & Influence Operations

    9,788 followers

    🚨 🇷🇺 - New Recorded Future Insikt Group report! I’m very excited and proud to unveil the third iteration of our landmark Dark Covenant series — examining the evolving relationship between the Russian state and cybercriminal underground. This is an important read, and a long time coming. Please read and share with your networks! Russia is no longer merely a safe haven for cybercrime — it now operates a managed market in which protection and punishment depend on political utility to the Kremlin. Following the multinational Operation Endgame campaign, Russian authorities staged a series of high-profile arrests and seizures. But our report makes clear that these actions are less about enforcement and more about optics. Moscow’s response reflects a politics of protection: expendable enablers are sacrificed to deflect Western pressure, while ransomware ecosystems with intelligence or geopolitical value remain untouched, even insulated. Leaked communications show coordination between criminal leaders and Russian intelligence intermediaries, as well as bribery, tasking, and mutual exchange of information. The result is a cyber underworld increasingly fractured by paranoia. Affiliates accuse operators of theft, betrayal, and impersonation, while recruitment networks have shifted from open advertisement to tightly vetted, Russian-speaking circles. Deposits and collateral have replaced reputation as the currency of trust. Ransomware groups now decentralize infrastructure, adopt stricter operational security, and move to decentralized communication platforms to mitigate infiltration risks. Yet despite this turmoil, ransomware remains profitable and strategically useful — serving as a tool of state influence, intelligence collection, and economic coercion. What emerges is a portrait of an ecosystem under control but not dismantled. 
Russian law enforcement selectively enforces the law to maintain equilibrium — detaining cybercriminals when politically necessary, releasing them when convenient, and even using some as assets in prisoner exchanges. Dark Covenant 3.0 underscores that Russian cybercrime cannot be understood in isolation from the state. It is both a profit-driven economy and a tool of foreign policy — an auxiliary intelligence resource, an influence vector, and a means of signaling resilience under sanctions. Western policymakers must therefore treat cybercrime as part of the broader Russian strategic toolkit, not a law enforcement nuisance. Countering this “controlled impunity” will require sustained transparency, coordination, and offensive cyber deterrence — not only to disrupt infrastructure, but to expose the networks of protection, patronage, and coercion that allow them to endure. Moscow’s fusion of statecraft and cybercrime represents one of the clearest examples of how authoritarian regimes weaponize criminality as a pillar of hybrid power.

  • Mayurakshi Ray

    Board Member | Advisor - Technology, Security, Operations Risk | India’s First Cybersecurity Independent Director | Big 4, CXO | Chartered Accountant | Women Leadership Advocate | Mentor | Thought Leader

    6,761 followers

    The recent regulatory guidelines, viz. the RBI Master Directions of Nov 2023 and the SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) of Aug 2024, place added importance on cyber resilience, business continuity and disaster recovery, incident response and recovery from cyber incidents. Boards are being increasingly attentive and seeking deeper insights into the organizations' preparedness to respond to and recover from cyber incidents. Being part of the Boards of regulated entities, I saw this quarter's IT Strategy and Technology Committee meetings, as well as the Board meetings, delve deep and enquire of the security and technology leadership, and sometimes directly of the MD/CEO, on:
    1. Cyber incidents reported, their impact and root-cause assessments. Note: for the organizations, these were mostly hits or false positives.
    2. Resilience scores, with Q-o-Q and Y-o-Y comparatives
    3. Business Continuity Drills and results
    4. Disaster Recovery exercises and results
    5. Health check report on the primary as well as the recovery sites, including cloud DR assessments
    6. Cyber / technology risk assessments
    7. Compliance and reporting (technology)
    8. Ongoing governance and improvement around the Cyber Crisis Management Plan (or similar plan, by whatever nomenclature it's defined)
    9. Adequacy of technology & security resourcing and training
    10. Data protection, with special emphasis on vendor / third party access to critical data & resources and controls around the same

    The above were some of the top discussion points, but not the only ones. As Boards are made more and more involved in and responsible for governance of the organizations' cyber security, resilience, technology governance and risk assurance, Board members will engage more regularly in discussions about cyber risks and inquire of the management about their capacity, capability and readiness to respond to and recover effectively from cyber incidents. And above all, the Board would like to ensure compliance with all the relevant regulatory provisions, including on technology and #cybersecurity.

    To all Technology and Security leaders - the message is very clear: the regulators and the Boards would like to see much more than a mere tick-mark exercise, especially if you're a regulated entity.
    - read through each clause in the directions & circulars from regulators
    - assess thoroughly your current status, including process, operations, technology architecture, procedures, documentation et al.
    - perform risk assessment - technology and operations, over each part of your business
    - conduct data flow analysis, ascertain your data protection strategy
    - analyze your third party / vendor connections at all business touchpoints

    Once you analyze your current state, compare with the requirements given by regulatory directions. Then, step-by-step, put in the measures, updates, upgrades. These are critical steps and require expert acumen - take help from external experts, as required. #technologygovernance

  • Warren Davies

    Utilize plc, the UK’s most trusted IT Managed Service and Security Provider | B Corp | Cyber Security Speaker

    10,438 followers

    Spot the difference? Sometimes the only difference between a safe site and a fake one is a single letter. And in some cases, it is not even the same alphabet. Cyber criminals now register domains that look identical to trusted brands, swapping one character for a Cyrillic or Greek equivalent, or using tricks like “rn” instead of “m”. On a mobile screen or in a rush, your brain fills in the gaps and you click before you think. That is all they need.

    A few practical habits that really help:
    🔍 Never trust the blue text alone. What you see in an email can be different to the real link underneath. Hover over it on a laptop or long-press on mobile and check the actual address before you click.
    ✉️ Be suspicious of “urgent” emails. Anything that pressures you to act quickly, re-enter your password, or confirm bank details should ring alarm bells. Slow down, even if it seems to be from a familiar brand.
    🌐 Type it yourself for anything important. For banking, payments, HR portals or anything sensitive, do not use the link in the email. Open a fresh browser window and type the address manually or use a saved bookmark.
    🔐 Use multi-factor authentication. If someone does trick you into entering credentials, MFA can be the barrier that stops them getting into your account.

    The tech behind cyber crime keeps evolving, but the weakest link is still human behaviour. Share this with your team and remind them that one careless click can open the door to your entire organisation.

    Utilize Plc, National Cyber Security Centre, National Crime Agency (NCA)
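The look-alike tricks described in the post above (a Cyrillic or Greek letter swapped for a Latin one, “rn” for “m”, a digit for a letter) can be caught mechanically before a user has to squint at the address bar. The script below is an added example and is not code from the post or from Utilize plc: it decodes punycode (xn--) labels back to Unicode, flags labels that mix scripts, and folds each domain to a “skeleton” that is compared against a constructed allow-list of trusted brands. The confusables table is a hand-picked subset (a real tool would load the full Unicode confusables data), and every sample domain is constructed for illustration.

```python
import unicodedata

# Constructed subset of the Unicode "confusables" data: characters from other
# scripts (or digits) that render like a Latin letter. A production tool would
# load the full confusables table; this subset is enough to show the technique.
CONFUSABLE_CHARS = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u03bf": "o",  # Greek small omicron
    "\u03b1": "a",  # Greek small alpha
    "\u03bd": "v",  # Greek small nu
    "\u0131": "i",  # Latin small dotless i
    "1": "l",       # digit one for lowercase L
    "0": "o",       # digit zero for lowercase O
}
# Letter pairs that read as a single letter at small sizes (the "rn" vs "m" trick).
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w", "cl": "d"}

# Constructed allow-list of brands the organisation actually deals with.
TRUSTED = {"paypal.com", "microsoft.com"}


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so the look-alike characters can be inspected.
    A domain that already contains non-ASCII characters is returned unchanged."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def skeleton(domain: str) -> str:
    """Reduce a domain to what the eye sees: fold confusables onto Latin letters."""
    s = unicodedata.normalize("NFKC", domain).lower()
    s = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in s)
    for seq, rep in CONFUSABLE_SEQUENCES.items():
        s = s.replace(seq, rep)
    return s


def scripts_in(label: str) -> set:
    """Unicode script names (LATIN, CYRILLIC, GREEK, ...) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter typo-squats such as paypall."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(candidate: str, trusted: set = TRUSTED) -> list:
    """Return human-readable findings for a domain; an empty list means no concern."""
    findings = []
    uni = to_unicode(candidate).lower().rstrip(".")
    if uni in trusted:
        return findings  # exact match with an allow-listed domain
    for label in uni.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:  # e.g. Latin 'p' next to Cyrillic 'а'
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
    skel = skeleton(uni)
    for t in sorted(trusted):
        if skeleton(t) == skel:
            findings.append(f"renders like trusted domain '{t}'")
        elif edit_distance(skel, skeleton(t)) == 1:
            findings.append(f"one character away from trusted domain '{t}'")
        if uni.startswith(t + "."):  # brand name buried as a subdomain of another site
            findings.append(f"trusted domain '{t}' used as a subdomain prefix")
    return findings


# Constructed samples: Cyrillic 'а' in paypal, the same domain in punycode form,
# "rn" for "m", a digit swap, a one-letter typo, a subdomain trick and a real domain.
SAMPLES = [
    "p\u0430ypal.com",
    "xn--pypal-4ve.com",
    "rnicrosoft.com",
    "paypa1.com",
    "paypall.com",
    "paypal.com.account-verify.test",
    "paypal.com",
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d:35} {check_domain(d) or 'ok'}")
```

The skeleton comparison is deliberately applied to both sides, so a fold such as “cl” to “d” that mangles a legitimate name mangles the trusted name the same way and still matches; what matters is that a candidate which is not the trusted domain collapses onto the same skeleton. Running the check on the href of every link in a message, rather than on the displayed text, is the automated counterpart of the “hover and look at the real address” habit above.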

  • Bob Carver

    CEO Cybersecurity Boardroom ™ | CISSP, CISM, M.S. Top Cybersecurity Voice

    52,413 followers

    A Hacker Group Within Russia’s Notorious Sandworm Unit Is Breaching Western Networks

    A team Microsoft calls BadPilot is acting as Sandworm's “initial access operation,” the company says. And over the last year it's trained its sights on the US, the UK, Canada, and Australia.

    Over the last decade, the Kremlin's most aggressive cyberwar unit, known as Sandworm, has focused its hacking campaigns on tormenting Ukraine, even more so since Russian president Vladimir Putin's full-scale invasion of Russia's neighbor. Now Microsoft is warning that a team within that notorious hacking group has shifted its targeting, indiscriminately working to breach networks worldwide—and, in the last year, has seemed to show a particular interest in networks in English-speaking Western countries. On Wednesday, Microsoft's threat intelligence team published new research into a group within Sandworm that the company’s analysts are calling BadPilot. Microsoft describes the team as an “initial access operation” focused on breaching and gaining a foothold in victim networks before handing off that access to other hackers within Sandworm’s larger organization, which security researchers have for years identified as a unit of Russia’s GRU military intelligence agency. After BadPilot's initial breaches, other Sandworm hackers have used its intrusions to move within victim networks and carry out effects such as stealing information or launching cyberattacks, Microsoft says. Microsoft didn't name any specific victims of BadPilot's intrusions, but broadly stated that the hacker group's targets have included “energy, oil and gas, telecommunications, shipping, arms manufacturing,” and “international governments.” On at least three occasions, Microsoft says, its operations have led to data-destroying cyberattacks carried out by Sandworm against Ukrainian targets.

    Microsoft warns that BadPilot has specifically exploited a vulnerability in the remote access tool ConnectWise ScreenConnect and Fortinet FortiClient EMS, another application for centrally managing Fortinet's security software on PCs. After exploiting those vulnerabilities, Microsoft found that BadPilot typically installs software that gives it persistent access to a victim machine, often with legitimate remote access tools like Atera Agent or Splashtop Remote Services. In some cases, in a more unique twist, it also sets up a victim's computer to run as a so-called onion service on the Tor anonymity network.

    https://lnkd.in/gNKqqPP9

    #cybersecurity #Russia #BadPilot #GRU #West #English #US #UK #Australia #Canada

  • Andy Greenberg

    Senior Writer at WIRED

    31,103 followers

    Intelligence agencies and the FBI, DOJ and CISA have revealed that unit 29155 of Russia’s GRU—a unit responsible for coup attempts, assassinations, and bombings—is now engaged in brazen hacking operations with targets across the world, including in Ukraine and the US. A broad group of Western government agencies from countries including the US, the UK, Ukraine, Australia, Canada, and five European countries on Thursday revealed that a hacker group that has launched multiple hacking operations targeting Ukraine, the US, and other countries in Europe, Asia, and Latin America is in fact part of the GRU's Unit 29155, the division of the spy agency known for its brazen acts of physical sabotage and politically motivated murder. That unit has been tied in the past, for instance, to the attempted poisoning of GRU defector Sergei Skripal with the Novichok nerve agent in the UK, which led to the death of two bystanders, as well as another assassination plot in Bulgaria, the explosion of an arms depot in the Czech Republic, and a failed coup attempt in Montenegro. Now that infamous section of the GRU appears to have developed its own active team of cyber warfare operators. Since 2022, GRU Unit 29155's more recently recruited hackers have taken the lead on cyber operations, including with the data-destroying wiper malware known as Whispergate, which hit at least two dozen Ukrainian organizations on the eve of Russia's February 2022 invasion, as well as the defacement of Ukrainian government websites and the theft and leak of information from them under a fake “hacktivist” persona known as Free Civilian. "Special forces don’t normally set up a cyber unit that mirrors their physical activities,” one official tells WIRED. “This is a heavily physical operating unit, tasked with the more gruesome acts that the GRU is involved. I find it very surprising that this unit that does very hands-on stuff is now doing cyber things from behind a keyboard.” https://lnkd.in/ehvpRzeJ

  • Usman Asif

    Access 2000+ software engineers in your time zone | Founder & CEO at Devsinc

    224,089 followers

    Three weeks ago, our Devsinc security architect walked into my office with a chilling demonstration. Using quantum simulation software, she showed how RSA-2048 encryption – the same standard protecting billions of transactions daily – could theoretically be cracked in just 24 hours by a sufficiently powerful quantum computer. What took her classical computer billions of years to attempt, quantum algorithms could solve before tomorrow's sunrise. That moment crystallized a truth I've been grappling with: we're not just approaching a technological evolution; we're racing toward a cryptographic apocalypse. The quantum computing market tells a story of inevitable disruption, surging from $1.44 billion in 2025 to an expected $16.22 billion by 2034 – a staggering 30.88% CAGR that signals more than market enthusiasm. Research shows a 17-34% probability that cryptographically relevant quantum computers will exist by 2034, climbing to 79% by 2044. But here's what keeps me awake at night: adversaries are already employing "harvest now, decrypt later" strategies, collecting our encrypted data today to unlock tomorrow. For my fellow CTOs and CIOs: the U.S. National Security Memorandum 10 mandates full migration to post-quantum cryptography by 2035, with some agencies required to transition by 2030. This isn't optional. Ninety-five percent of cybersecurity experts rate quantum's threat to current systems as "very high," yet only 25% of organizations are actively addressing this in their risk management strategies. To the brilliant minds entering our industry: this represents the greatest cybersecurity challenge and opportunity of our generation. While quantum computing promises revolutionary advances in drug discovery, optimization, and AI, it simultaneously threatens the cryptographic foundation of our digital world. The demand for quantum-safe solutions will create entirely new career paths and industries.
What moves me most is the democratizing potential of this challenge. Whether you're building solutions in Silicon Valley or Lahore, the quantum threat affects us all equally – and so does the opportunity to solve it. Post-quantum cryptography isn't just about surviving disruption; it's about architecting the secure digital infrastructure that will power humanity's next chapter. The countdown has begun. The question isn't whether quantum will break our current security – it's whether we'll be ready when it does.

  • Kelly Hood

    EVP & Cybersecurity Engineer @ Optic Cyber Solutions | Cybersecurity Translator | Compliance Therapist | Making sense of CMMC & CSF | CISSP, CMMC Lead CCA & CCP, CDPSE

    8,308 followers

    As I’ve been digging into the #CybersecurityFramework 2.0, and helping clients navigate the changes, I’ve found several areas where the new additions feel pretty significant. If you’re already using the #CSF and trying to figure out where to focus first, take note of these new Categories:

    ◾ The POLICY (GV.PO) Category was created to encompass ALL cybersecurity policies and guidance. Now, on one hand it might seem like a "well, of course" moment to consolidate all cybersecurity policies into one place - on the other hand, policies were previously sprinkled throughout the CSF, and were tied to specific actions like Asset Management or Incident Response. Now, it's all in one area, which makes a ton of sense and simplifies things, but also means we've got to remember that this one Category covers everything!

    ◾ Another significant addition is the PLATFORM SECURITY (PR.PS) Category, which largely pulls together key topics from the previous Information Protection Processes & Procedures (PR.IP) and Protective Technology (PR.PT), focusing on security protections around broader platform types (hardware, software, virtual, etc.). If you’re looking for things like configuration management, maintenance, and SDLC – you’ll now find them here.

    ◾ The TECHNOLOGY INFRASTRUCTURE RESILIENCE (PR.IR) Category pulls largely from the previous Information Protection Processes & Procedures (PR.IP) and Protective Technology (PR.PT) as well, but also pulls in key aspects from Data Security (PR.DS). This new Category highlights the need for managing an organization’s security architecture and includes security protections around networks as well as your environment to ensure resource capacity, resilience, etc.

    So, what does all this mean for your organization? Whether you're just starting out, or you're looking to refine your existing cybersecurity strategies, CSF 2.0 offers a more streamlined framework to use to bolster your cyber resilience. Remember, staying ahead in cybersecurity is a continuous journey of adaptation and improvement. Embrace these changes as an opportunity to review and enhance your cybersecurity posture, leveraging the expanded resources and guidance provided by #NIST!

    Have you seen the updated mapping NIST released from v1.1 to v2.0? Check it out here to get started and “directly download all the Informative References for CSF 2.0” 👇 https://lnkd.in/e3F6hn9Y
