Seriously Risky Business Newsletter

August 21, 2025

When the Chips Were Down, Russian Cyber Security Picked a Side

Written by

Tom Uren

Policy & Intelligence

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Kroll.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.


A new report has taken a look at how the relationships between Russian cyber security firms and their government have changed since the country's 2022 invasion of Ukraine. 

The analysis by the CNA think tank shows that when it comes to cyber security and great power competition, it pays in record-making margins for companies to choose sides.

The report thoroughly explores three Russian firms that offer different cyber security services: Kaspersky, Security Code and Positive Technologies. All three had ties to the Russian state predating the war. Unsurprisingly, these ties have strengthened. 

Kaspersky is an antivirus firm, well-known for being evicted from the US market in 2024, in the wake of long-standing concerns that it was operating on behalf of Russian security and intelligence services.

Security Code provides security services to the Russian government. The report says its "defensive work spans network security technologies, cryptography, and educational and training programs for public and private Russian universities, including those with military ties".

Positive Technologies, meanwhile, sells a range of cyber security services internationally, and also provides direct support to Russian intelligence units and hosts conventions that are used as FSB and GRU recruiting events. 

Positive Technologies was sanctioned by the US prior to the invasion. Kaspersky's leadership and Security Code were sanctioned in 2024.

The report provides good potted summaries of some of these firms' involvement with the Russian state. 

For example, the report quoted an MIT Technology Review article that detailed how Positive Technologies not only discovered and publicized flaws in the Signalling System 7 (SS7) telecommunications protocol, "but also developed offensive hacking capabilities to exploit security holes that were then used by Russian intelligence in cyber campaigns".

While it would be natural to assume isolation from the US would hurt business, the most interesting takeaway from the report is that each firm booked record profits in 2024. Being closely connected to Russia has actually paid off.  

Each company has succeeded despite the war's headwinds. Security Code has been successful selling defensive products as Russian organisations are being attacked. 

Although it has been isolated from US markets, Positive Technologies has promoted itself elsewhere, "as a tool for diversifying an organisation's geopolitical risk when it comes to cybersecurity services". It doesn’t suggest companies forgo US, Chinese or Israeli service providers, but instead "it makes the case for adding a Russian vendor".  

Kaspersky is a unique case. It has thrived, despite being accused of not just working with the Russian government, but as acting as a tool for the Kremlin. A series of articles in 2017 claimed that Kaspersky’s antivirus product was used to collect material on American cyber programs for Russian intelligence agencies. 

It has addressed these claims by opening "transparency centres" in Switzerland, Brazil and Colombia. These centres process data from Latin America and the Middle East, notionally providing protection from Russian government access. 

Additionally, being banned by the US comes with some upsides. As the report notes:

Some may be choosing Kaspersky for its expertise and access to threat intelligence; others may be doing so because they distrust American technology firms. Edward Snowden's leaks of classified government intelligence collection programs in 2013 and countless subsequent data privacy abuses by Silicon Valley giants have created a perception that Russian firms offer an alternative, less Washington-dominated set of solutions. Countries that have historically experienced US political interference or whose leaders are supporters of Putin may be especially inclined to work with Russia.

In other words, there is a bit of an "the enemy of my enemy is my friend" dynamic going on.

These case studies of Russian firms are interesting because they document behaviour of cyber security firms when the state is under pressure, in this case a real-world conflict.

The report is at pains to note that "a private sector cyber firm contracting for a government is neither unique to Russia nor inherently offensive" and that "many states engage in such practices and rely on private sector cyber proxies to perform core functions and expand their talent base". 

In our view, the real message of the report is that all cyber security companies are inherently patriotic, and when the pressure is on will support their nation's interests.

In a world of great power competition, the idea of a truly global cybersecurity firm is dead.

Russia Is Shooting the Messengers

Russia is systematically forcing its citizens off foreign messenger apps and encouraging them to adopt MAX, a relatively new messenger service built by VK, a Russian state-controlled internet company.

MAX includes features such as voice and video calls, file transfers and payments. 

Rather than relying on MAX to grow organically, the Russian government approach involves a pretty big stick coupled with a very small carrot. 

This week, the Russian government announced that it was restricting calls on Telegram and WhatsApp, in what it claimed was a move to protect citizens from fraud. In a statement, the telecoms watchdog Roskomnadzor cited "numerous reports from citizens" as well as law enforcement agencies saying foreign-owned Telegram and WhatsApp "have become the main voice services used for deceit and extortion and involvement of Russian citizens in sabotage and terrorist activities". 

Sources close to the administration told the Russian journalists-in-exile news outlet Verstka that restricting calls was a "compromise solution" but the government had not abandoned the idea of completely blocking the messengers. 

"We are testing the public's reaction", a source told Verstka.

Users across Russia reported problems making voice and video calls on the apps in the days preceding Roskomnadzor's announcement and disruption has had a real impact on people's lives. 

On the carrot side of the equation, government officials have been ordered to migrate from Telegram to MAX so that the app becomes a "priority information system" for government communications. It will also be preinstalled on new smartphones sold in Russia from September.

In effect, Russia is deliberately imposing China's model of control on its domestic internet. From a Russian government perspective, MAX will be a one-stop shop for information control and surveillance. What's not to like?

We are sure the government's plan to evict foreign messengers from its domestic market will be successful. It has a vision of what it wants and has the political will to drive change, regardless of the disruption it will cause. 

America's Very Confusing Apple Encryption Backdown Claim

Meanwhile, Western governments continue to argue about the trade-offs between privacy and intrusive state powers. 

This week US Director of National Intelligence Tulsi Gabbard said on X that the UK government "has agreed to drop its mandate for Apple to provide a 'back door' that would have enabled access to the protected encrypted data of American citizens and encroached on our civil liberties". 

Gabbard's post refers to a secret UK government order issued in January that would require Apple to provide it with the capability to access encrypted iCloud data. The Washington Post revealed the existence of the order and described it as a demand for a "back door allowing them [UK security officials] to retrieve all the content any Apple user worldwide has uploaded to the cloud". 

The order was intended to preserve lawful access to data stored in Apple's iCloud, despite the increasing rollout of Advanced Data Protection . That service locks Apple and law enforcement out of a user's iCloud storage by encrypting it with keys that only that user can access. In response to the UK order, Apple turned off Advanced Data Protection for its UK users and also contested the order in court.  

The order kicked off an entirely unnecessary bunfight with US officials. At the time DNI Gabbard said she had "grave concerns" about it. In an interview with The Spectator President Trump described the order as "something you hear about with China". 

Still, it's not clear that the UK has lost entirely. The Financial Times reports:

Three British officials said the clash with the Trump administration was now resolved, after government representatives met senior US figures including Vance in recent weeks.
One said the issue was "settled", while another described the UK as having "caved" to US pressure. Another UK government official said "we can't and we won't" make Apple break its encryption.

Taken together with DNI Gabbard's tightly scoped X post, which referred specifically to "American citizens" and "our civil liberties", these statements are consistent with what we'd describe as the new status quo. That is, Advanced Data Protection isn't available to UK citizens, but anyone else can freely use the service. 

That would provide British officials with access to iCloud data without infringing on Americans' ability to use the service. (We'd note, however, that there are already agreements and practices in place that would have prevented the UK accessing US citizens' data.)

Reporting has so far described the situation as a backdown by the UK government, but we are open to the idea that a compromise position was reached. Ultimately, for the UK, access to encrypted iCloud data is a nice-to-have, but maintaining a good relationship with the US is a must-have. Giving the Americans at least the optics of a win here was the smart thing to do.

It's funny, though, that we still don't actually know what happened here.


Three Reasons to Be Cheerful This Week:

  1. Preventing domain resurrection attacks: The Python Package Index (PyPI) has announced it now checks for expired domains to prevent what it calls domain resurrection attacks. In these attacks, someone buys an expired domain, sets up an email server and then uses password resets to take over accounts associated with that domain. Email accounts associated with expired domains will become unverified and PyPI won't issue password resets to them.
  2. Media strikes back against hackers: Independent media outlet Iran International has identified one of the key figures behind the group that hacked its journalists last year. The outlet reports the hackers are connected to Iran's Ministry of Intelligence. 
  3. US seizes Zeppelin ransomware proceeds: The US Department of Justice announced that it had seized USD$2.8 million in cryptocurrency, USD$70,000 in cash and a luxury vehicle that were allegedly the proceeds of ransomware. The DoJ also unsealed an indictment charging Ianis Aleksandrovich Antropenko for using the Zeppelin ransomware, but so far there is no word on arrests. 
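The PyPI control described in item 1 is a good one to copy into any service that uses e-mail for account recovery. Here is an added example (not PyPI's code) of the two pieces it needs: a periodic job that revokes e-mail verification when an address's domain is no longer actively registered, and a password-reset gate that refuses to send a link to anything but a verified address on an active domain. The domain-status table is a constructed stand-in for a real registration-data lookup (RDAP or similar), and the account records are fabricated.

```python
"""Gating password resets on e-mail domain status (domain resurrection defence).

Added example, not PyPI's implementation. DOMAIN_STATUS is a constructed
stand-in for a live registration-data lookup; accounts are fabricated.
"""
from dataclasses import dataclass
from enum import Enum


class DomainStatus(Enum):
    ACTIVE = "active"                  # registered and held by its owner
    EXPIRED = "expired"                # registration lapsed; may be re-registered
    NOT_REGISTERED = "not_registered"  # free for anyone to buy


# Constructed lookup table standing in for an RDAP/WHOIS-style query.
DOMAIN_STATUS = {
    "example.org": DomainStatus.ACTIVE,
    "lapsed-lab.example": DomainStatus.EXPIRED,
    "gone-startup.example": DomainStatus.NOT_REGISTERED,
}


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool = True


def email_domain(email: str) -> str:
    """Domain part of an address, lower-cased so lookups are case-insensitive."""
    return email.rsplit("@", 1)[-1].lower()


def domain_status(domain: str) -> DomainStatus:
    """Resolve a domain's registration state; unknown domains fail closed."""
    return DOMAIN_STATUS.get(domain, DomainStatus.NOT_REGISTERED)


def revalidate_accounts(accounts) -> list:
    """Periodic job: unverify any address whose domain is no longer safely held.

    Returns the usernames whose verification was revoked on this run, so the
    job is idempotent and a second pass over the same data changes nothing.
    """
    revoked = []
    for acct in accounts:
        status = domain_status(email_domain(acct.email))
        if status is not DomainStatus.ACTIVE and acct.email_verified:
            acct.email_verified = False
            revoked.append(acct.username)
    return revoked


def may_send_password_reset(acct: Account) -> bool:
    """Reset links go only to verified addresses on currently active domains.

    The live status check covers the window between a domain lapsing and the
    next revalidation run, which is exactly when a resurrected domain would
    otherwise receive a reset link.
    """
    if not acct.email_verified:
        return False
    return domain_status(email_domain(acct.email)) is DomainStatus.ACTIVE


if __name__ == "__main__":
    accounts = [
        Account("alice", "alice@example.org"),
        Account("bob", "bob@lapsed-lab.example"),
        Account("carol", "carol@gone-startup.example"),
    ]
    print("revoked:", revalidate_accounts(accounts))
    for acct in accounts:
        print(acct.username, "reset allowed:", may_send_password_reset(acct))
```

The point of doing the check in both places is that revalidation alone leaves a gap: an attacker who re-registers a domain the day after the last sweep could otherwise trigger a reset before the next one runs.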

Sponsor Section

In this Risky Business sponsor interview, Ed Currie from Kroll Cyber talks to Tom Uren about the recent hack of the Gravy Analytics geolocation data provider. He explains the hack and how geolocation data can be used by malicious actors.

Shorts

Ramp and Dump 

This Krebs on Security piece examines a new way to convert effective phishing into money. In "ramp and dump" schemes, compromised brokerage accounts are used to manipulate the price of stocks that fraudsters have already purchased a stake in. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about whether the cyber industry and intelligence agencies focus too much on technical details and ignore the bigger picture.

Or watch it on YouTube!

From Risky Bulletin:

NIST releases face-morphing detection guidelines: The US National Institute of Standards and Technology released guidance this week to help companies detect face morphing incidents.

The technique involves blending photos of two or more real people to generate a new face that can be used to bypass facial recognition scans.

The new photo can be used to trick face recognition systems into identifying the morphed, combined face as both original individuals at the same time.

This can be abused to allow rogue individuals to access online accounts or sensitive areas of a facility they do not have authorization to access.

[ more on Risky Bulletin ]

MadeYouReset vulnerability enables unlimited HTTP/2 DDoS attacks: A new vulnerability in the HTTP/2 protocol can allow threat actors to launch nearly unlimited DDoS attacks to exhaust memory and crash servers.

The new attack is named MadeYouReset, was discovered by researchers at Deepness Lab, and is a variation of a previous attack known as HTTP/2 Rapid Reset.

The Rapid Reset attack was discovered in October 2023 after it was used to launch some of the largest DDoS attacks seen that year ( Google , Amazon , and Cloudflare ).

[ more on Risky Bulletin ]

Crypto-thieves turn their sights to Open VSX: Crypto-thieves have found a new package repository to terrorize, and it's Open VSX, an independent database of Visual Studio Code extensions managed by the Eclipse Foundation.

SecureAnnex founder John Tuckner has been tracking a campaign targeting Open VSX users for over a month.

The attackers upload malicious VS Code extensions on the portal that use hidden PowerShell scripts to install a hidden ScreenConnect client, a type of software used for remote management and monitoring.

Tuckner spotted the first signs of this campaign back in July, and Kaspersky also investigated an incident related to this campaign a week later.

[ more on Risky Bulletin ]
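The Open VSX campaign above is a reminder that an editor extension is just JavaScript running with the developer's privileges, so a pre-install review of what an extension shells out to is worth automating. The following is an added example (not code from SecureAnnex, Kaspersky or the Open VSX project) of a heuristic scan over an extension's files that flags PowerShell launches, encoded or hidden-window PowerShell flags, and references to remote-management agents such as ScreenConnect. The indicator patterns are assumptions about what a reviewer would look for, and both extension bundles are constructed for illustration, not samples from the campaign.

```python
"""Heuristic review of VS Code extension bundles for PowerShell-based droppers.

Added example, not from any vendor or the Open VSX project. INDICATORS are
assumed review heuristics; BENIGN and SUSPICIOUS are constructed bundles.
"""
import re

# Assumed indicators: how JS typically launches PowerShell, flags that hide or
# obscure what it runs, and remote-management tools an editor extension has no
# business installing.
INDICATORS = {
    "powershell_exec": re.compile(r"(child_process|exec\w*|spawn\w*)[^\n]{0,80}powershell", re.I),
    "encoded_command": re.compile(r"-(?:e|enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-windowstyle\s+hidden", re.I),
    "remote_mgmt_tool": re.compile(r"screenconnect|connectwise", re.I),
}

SCANNED_SUFFIXES = (".js", ".ts", ".ps1", ".json", ".cmd", ".bat")


def scan_extension(files: dict) -> list:
    """Return (path, indicator, line_no) for every indicator hit in the bundle.

    `files` maps a path inside the extension package to its text content.
    """
    findings = []
    for path, content in files.items():
        if not path.lower().endswith(SCANNED_SUFFIXES):
            continue
        for lineno, line in enumerate(content.splitlines(), 1):
            for name, pattern in INDICATORS.items():
                if pattern.search(line):
                    findings.append((path, name, lineno))
    return findings


def verdict(files: dict) -> str:
    """Collapse findings into clean / review / suspicious.

    A PowerShell launch combined with an obscuring flag or a remote-management
    tool is the pattern described for this campaign; a lone hit only earns a
    human look, since legitimate extensions do sometimes run PowerShell.
    """
    hits = {name for _, name, _ in scan_extension(files)}
    if "powershell_exec" in hits and hits & {"encoded_command", "hidden_window", "remote_mgmt_tool"}:
        return "suspicious"
    if hits:
        return "review"
    return "clean"


# Constructed sample bundles (not real extensions).
BENIGN = {
    "package.json": '{"name": "hello-ext", "main": "extension.js"}',
    "extension.js": (
        "const vscode = require('vscode');\n"
        "exports.activate = () => vscode.window.showInformationMessage('hi');\n"
    ),
}

SUSPICIOUS = {
    "package.json": '{"name": "totally-a-linter", "main": "extension.js"}',
    "extension.js": (
        "const { exec } = require('child_process');\n"
        "exports.activate = () => exec('powershell -WindowStyle Hidden -EncodedCommand AAAA');\n"
    ),
    "install.ps1": "Start-Process msiexec -ArgumentList '/i ScreenConnect.ClientSetup.msi /quiet'\n",
}


if __name__ == "__main__":
    for label, bundle in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, verdict(bundle))
        for path, name, lineno in scan_extension(bundle):
            print(f"  {path}:{lineno} {name}")
```

This is a triage filter, not a verdict: it is cheap to run over every extension in an allow-list pipeline and cheap for an attacker to evade with more obfuscation, so treat a "review" result as a prompt to read the code and a "suspicious" result as a block pending that read.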
