2026-01-30

Raccoon

 


Talking about “Laundry Bear” may make you think I’m trying to invent a new English word — perhaps a literal translation of the Dutch wasbeer, the animal we call a raccoon. Sadly, “bear that does laundry” is not an official species. And we’re not in the zoological domain anyway. We’re in the world of organized hacking groups.

This Laundry Bear is ‘highly likely’ a ‘Russian state‑sponsored cyber actor’, according to the intelligence services in a publication from May 2025. In plain English: a group that conducts cyberattacks with the blessing — and probably the funding — of the Russian government. You can find such groups in various countries, and once they are identified, they get a label. That does not follow a universally agreed naming convention, but a common practice is that everything (presumably) from Russia is a bear, China has the panda, Iran the kitten, and North Korea the chollima (a mythical horse from Korean folklore). And those are exactly the countries that keep reappearing when we talk about state hackers. Which, in turn, does not mean that other countries keep their hands neatly to themselves.

In this particular animal kingdom we find the Fancy Bear, the Wicked Panda, the Charming Kitten and the Stardust Chollima, to name just a few. Each of them is a group that organizations may encounter if they have something that could be of interest to the sponsors behind the groups. Often that is information, but it may also be about money; North Korea in particular targets Western currencies and nowadays especially cryptocurrency.

Laundry Bear collects information from government organizations and companies worldwide, with special interest in the EU and NATO. They break into cloud‑based mail environments. Besides the emails themselves, they are also interested in the internal address book. They focus on everything related to the war in Ukraine. In addition, they find companies interesting that produce high‑end technology that Russia can no longer buy due to sanctions.

It is very difficult to attribute a particular activity to the correct actor. These actors are masters at laying false trails. But sometimes it is possible to establish this so‑called attribution (although you will usually still see the word ‘likely’ somewhere). The Dutch intelligence services attribute the 2024 attack on the Dutch police, in which contact details of all police employees were stolen, to Laundry Bear. They suspect that other Dutch organizations have also fallen victim to this actor. Until the investigation into the police hack, Laundry Bear was not yet known. The services recognized that they were dealing with a new group.

All this substantive information was shared publicly last year in a Cybersecurity Advisory. In that advisory, they also list which ‘resilience‑enhancing measures’ organizations can take. These are fairly obvious measures. You must give people and computers the minimal privileges they need to perform their tasks. If such an account is hacked, the attacker’s options are limited to those privileges. Accounts with high privileges must be issued in a controlled way and used only when those privileges are actually required; administrators should therefore not work under their admin accounts by default. Outdated accounts must be cleaned up. And you must encrypt your network traffic. The list is much longer, but this gives you an idea.

As obvious as these measures are, some organizations still struggle to implement them. They cost time and money, and the knowledge, skills and willingness to take these necessary measures are not present everywhere. It works no differently than at home. You know your house needs painting, but you don’t get around to it or the painter is too expensive. It is also a matter of setting priorities.

Intelligence services are usually not so generous in making their information public. So why this public advisory? Because they know a lot, but not nearly everything about Laundry Bear. It is important for the country as a whole that organizations are resilient against such groups. But to be resilient, they first need to be aware of the threat. Moreover, the publication raises awareness that such groups exist in the first place. Most of the measures mentioned also help in the fight against Laundry Bear’s colleagues. Let’s hope the advisory reached its intended audience.

And in the big bad world…

 

2026-01-23

Going up


In 1981, we went on holiday to the Costa del Sol. We rented a distant cousin’s apartment for a friendly price, in a building right on the beach of Torre del Mar. That building had an elevator, and that elevator is what I want to talk about. Because it was quite special.

It had no memory. If you wanted to ride it, you pressed a button like with any elevator. But if the elevator was already on its way to another floor, it simply ignored you. You had to press the button again once the ride was finished, and then hope that no one else beat you to it. It could take quite a while before you managed to catch the elevator. And I don’t remember exactly, but I think the buttons inside the elevator had priority over the ones on the floors. Otherwise you might never reach your destination.

So this was an elevator for which it actually made sense to keep pressing the button. But with all modern elevators, ladies and gentlemen, that is completely pointless. Your request is registered, and sooner or later an elevator will come. Repeated pressing only leads to wear on the button. And, perhaps needless to say: only press the button for the direction you want to go, so press the down arrow if you want to go down. If you press the other arrow as well, there’s a good chance you’ll be taken in the wrong direction – to your own annoyance.

Waiting is rarely enjoyable, so we try to shorten waiting times. Sometimes we do things we know won’t help. The same is true when you’re sitting impatiently behind your computer. It doesn’t respond quickly enough, so you try again. That doesn’t help. In fact, it works against you: the computer has to spend attention on your repeated actions, and that costs capacity (though nowadays you barely notice it; in the past, that was quite different).

The power of advertising lies in repetition, according to an old marketing maxim. That’s why you see and hear some ads over and over until they become annoying. But in my field, they’re also quite good at it. At conferences and conventions, we’ve been told for years that we all need to collaborate to create a safer world. Occasionally you’ll see a good example of such cooperation at an event, but in my view, it often remains empty rhetoric. But yes, no one can oppose defeating the common enemy together, so the theme is pulled out of the closet year after year. As far as I’m concerned, a conference only needs a name; a theme is optional. But it doesn’t really matter – as long as the content is good, and fortunately that is often the case.

This week, I attended yet another together-we-can-do-it conference. And once again, the theme fortunately didn’t get in the way of the content. The head of the Dutch Military Intelligence and Security Service came to tell us that we cannot trust the Russians, and the CISO of Hema showed an AI-generated picture of chains of smoked sausages hanging in the store*, to illustrate the weakest-link mantra; I’ve forgotten most of the content of her talk, but what made an impression on the audience was that in her previous role – because of that role – she had been threatened both physically and digitally. That’s something you don’t even want to imagine.

The best talk came from my cyber hero Mikko Hyppönen from Finland. After a career spanning decades in cybersecurity – he started out as a virus analyst – he recently and to his own surprise made a switch to the defense industry. He no longer analyzes computer viruses but military drones. The war in Ukraine – ‘in the heart of Europe,’ as Mikko put it – pushed him in that direction. Because these drones cause so many casualties, he has made it his mission to help bring these weapons down. And just like with malware, this is a cat-and-mouse game. Classic drones can be tackled via the radio signals used to control them. Five percent of the drones now seen on the battlefield trail a fiber-optic cable of up to twenty kilometers (twelve miles) behind them, meaning no radio signals are needed. And more modern drones aren’t controlled by humans at all anymore, but by AI. And how do you fight that? Exactly: with AI-driven drones.

There are elevators where you don’t press an arrow, but instead enter the floor you want to go to. The computer then calculates which passengers can best be grouped together and assigns everyone an elevator. Then no one ever has to doubt whether the elevator knows they want to ride along.

*: Hema is a Dutch department store. They’re famous for their smoked sausages.

And in the big bad world…

 

2026-01-16

Sigh


Pssst… Can you keep a secret? I hand you a sealed envelope with a name on it. The secret is inside. You are not allowed to look into the envelope yourself. When the person whose name is on it shows up, you give them the envelope. They look inside, seal it again, and hand it back to you. You keep it until next time. And you do absolutely nothing else with it.

In many cases, this is roughly how things work when two computer systems communicate, for example because one system runs a program that needs data stored on another system. System A must then log in to system B, because of course not everyone is allowed to retrieve those data – another computer system included. In the first paragraph, you stored an envelope; system A has a digital equivalent: a digital vault. It stores the password in encrypted form. When A needs to retrieve data from B, it takes the password from the vault, decrypts it, and uses it to log in to B.

The key idea is that no human is involved. And that no human ever sees the password. Which means nobody can misuse A’s account. Just like you didn’t peek into the envelope, no one ever sees the decrypted password. At least, that’s the idea. Some time ago a colleague sent me an email with the subject line: SIGH… He had discovered that someone had secretly looked inside the envelope – or rather, its digital equivalent: they had manually decrypted the password. And then they had tried to log in manually with that account ‘just to see if it works’. Yet such an account is really a machine-to-machine account, meaning it is intended for one machine (A) to log in to another (B).

That sigh on the subject line meant something like: do they still not get it? Mind you, we are talking about administrators and developers doing this. You would expect them to understand how it works. That opening an envelope addressed to someone else is simply not allowed. And that manually logging in with a machine account is also not allowed. The sigh was also because this was certainly not an isolated incident. It happens far too often. And that undermines our security. You might ask why this is even possible. But that’s not the point here. Of course, it shouldn’t be possible, but right now it simply is.
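A defender can at least notice when the envelope has been opened. The sketch below is an added example, not something from this column or from any product: it scans events for the two signals described above, the vault secret being read by someone other than system A, and the machine account logging in to B interactively or from a host that is not A. The log format, account names and host names are all constructed assumptions.

```python
"""Added example: flag human use of a machine-to-machine account (constructed log format)."""
import shlex

# Hypothetical policy: which principal may read the secret from the vault, and
# from which host the account may log in to system B (non-interactively only).
POLICY = {
    "svc-a-to-b": {"vault_reader": "system-a", "source_host": "system-a.example.internal"},
}

# Constructed sample events in a made-up key=value format (not a real product's log).
SAMPLE_LOG = """\
ts=2026-01-12T02:00:01Z event=vault_read secret=svc-a-to-b principal=system-a
ts=2026-01-12T02:00:02Z event=login target=system-b account=svc-a-to-b src=system-a.example.internal session=batch
ts=2026-01-12T10:14:40Z event=vault_read secret=svc-a-to-b principal=admin-jdoe
ts=2026-01-12T10:15:05Z event=login target=system-b account=svc-a-to-b src=ws-0421.example.internal session=interactive
ts=2026-01-12T10:20:00Z event=login target=system-b account=jdoe src=ws-0421.example.internal session=interactive
"""

def parse_line(line):
    """Turn 'k=v k=v' into a dict; shlex keeps quoted values with spaces intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def find_misuse(log_text, policy=POLICY):
    """Return (timestamp, account, reason) for every event that breaks the policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        kind, ts = ev.get("event"), ev.get("ts")
        name = ev.get("secret") if kind == "vault_read" else ev.get("account")
        rule = policy.get(name)
        if rule is None:  # not a machine account we track
            continue
        if kind == "vault_read" and ev.get("principal") != rule["vault_reader"]:
            findings.append((ts, name, f"secret read by {ev.get('principal')}"))
        elif kind == "login":
            if ev.get("session") == "interactive":
                findings.append((ts, name, "interactive login"))
            if ev.get("src") != rule["source_host"]:
                findings.append((ts, name, f"login from {ev.get('src')}"))
    return findings

if __name__ == "__main__":
    for finding in find_misuse(SAMPLE_LOG):
        print(*finding, sep="  ")
```

On the constructed sample, the nightly run by system A passes silently, while the manual vault read and the manual login ten hours later are reported.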

If you see a bench in the park with a sign saying WET PAINT, do you touch it to check if it really is? Why would you? You risk getting paint on your fingers and the bench won’t look any better. Most people understand that you're not supposed to touch it. The same goes for those encrypted passwords. That something is possible does not mean it is allowed, or wise.

Deep down you know that. But just to be safe, another call to everyone who sometimes takes things a bit too lightly: don’t do it. If only because my sighing colleague is getting grey hairs from it, and because I end up writing in astonishment about something I thought you would understand by now. And of course I’m grateful for all those colleagues who simply do things right <3

*: There are alternatives, but I leave those aside here.

And in the big bad world…

 

2026-01-09

Boom


Surely no one thought: come on, it’s the last time it’s allowed, let’s do something extra dangerous with fireworks. This blog is not the place for a debate for or against fireworks, but from my perspective there are a few interesting observations to be made. So here we go, blasting our way into the new year once again!

Even though it will not have been intentional, this time it was worse. Let’s start with some figures. There were 1,239 fireworks-related injuries in the Netherlands – no less than 7% more than during the previous New Year’s Eve. More than half of the victims were under the age of twenty. Many children were seriously injured when they tried to relight unexploded fireworks. About half of all victims did not even set off the fireworks themselves; they were merely bystanders. Emergency departments were 29% busier, treating 474 people. GP out-of-hours services were slightly quieter; with 765 patients, they saw 4% fewer cases than last year. One third of the injuries involved eye damage. Fourteen children lost a hand or finger(s), almost all due to illegal fireworks, which accounted for just under half of all injuries. And then there were those two fatalities, too.

All this suffering could, of course, have been easily prevented. All it would have taken is a low risk appetite. That term is very common in my profession, but not so much in daily life. Why is that? Because in a business environment you can usually reason quite rationally about the risks you are prepared to accept, whereas people who set off fireworks do not. They do not think in terms of degrees of risk; caught up in their enthusiasm, they think only about the intended effect. A child certainly does not think: oof, this is a Cobra with a short fuse, what is the likelihood I’ll lose a hand if I light it? Adults do not think in percentages either. At best, they judge it to be too dangerous and refrain from doing it. And if they do light the fireworks, they are implicitly convinced that all will go well. In that way, it is reduced to a binary decision, whereas in reality setting off fireworks still involves a very significant risk.

And what about public information campaigns? In the past, we had a slogan which translates into ‘You’re a fool if you fool around with fireworks’. It was witty (even more so in Dutch) and it carried a message. Nowadays the message has to be more forceful, and we see mutilated hands on television. But if there are so many young victims, you would also expect information campaigns specifically aimed at this target group. Were there any? Yes, partially. Primary schools could order a free lesson package. That required them to take action themselves, and only about a quarter of all primary schools did so. You might also expect campaigners to use the media where young people actually are, such as TikTok and Instagram. However, there were no specific actions on those platforms. Municipalities and police forces were active there, but honestly — which teenager follows those kinds of accounts?

In my own profession, awareness is difficult as well. After all, you are conveying a message people would rather not hear. Just look at it: fireworks are beautiful and links are there to be clicked. And then along you come, telling them to be careful. Come on, it can’t be that bad, everyone does it.

With cybersecurity, things are slowly moving in the right direction. People understand that they have to be careful; they realise that criminals are lurking, ready to cause digital harm. Hmm, could the difference with fireworks safety have something to do with that? With the presence of a malicious actor? That element is missing when it comes to fireworks. That risk has just two components: the fireworks and the lighting. There is no other party, no enemy. Yes, that almost certainly has to play a role.

From the next New Year’s Eve onwards, a nationwide fireworks ban will apply in the Netherlands. I have serious doubts about whether it will work, because enforcing the ban will be difficult. Border checks in December will not stop the true fanatic, who has already stocked up much earlier. Responding whenever a bang or rocket is detected will rarely work either – how do you determine the exact location? No, if we truly want to reduce the number of victims, we will have to make sure (if necessary via TikTok!) that people – especially children – start to understand that risk management also plays an important role in our daily lives. From that perspective, the message becomes: hands off fireworks — or hands lost because of fireworks.

 

And in the big bad world…

 
