
Russia greatly expands SORM surveillance requirements


This newsletter is brought to you by Truffle Security, the makers of Trufflehog. You can subscribe to an audio version of this newsletter as a podcast by searching for “Risky Business” in your podcatcher or subscribing via this RSS feed. You can also add the Risky Business newsletter as a Preferred Source to your Google search results by going here.

The Russian government has greatly expanded the amount of personal and technical data that mobile operators and internet service providers must collect from their customers and share with state authorities.

This data collection is part of a surveillance system used in Russia named SORM, which stands for the System for Operative Investigative Activities. SORM works through special equipment installed at local telcos that collects data on the company’s traffic and uploads it to a government database where the police and intelligence services can query it for their investigations.

Over the years as networking equipment has become more powerful, SORM has been slowly updated with new collection rules that telcos must comply with or face a fine.

The latest update to the SORM collection rules passed last week. The new rules greatly expand the type of information that telcos must get from their customers, link it to real-time traffic, and then upload it to government servers.

For the first time, telcos must now collect extremely sensitive personally identifiable information from each one of their customers. This includes home addresses, passport data, tax IDs, bank account details, and even geo-location coordinates.

This data must be attached to technical identifiers like assigned IP addresses, phone numbers, MAC addresses, and IMEI and IMSI codes. The technical data collected has also been expanded with two new data points: domains accessed by the user and even user logins, if they are visible to the telco.

Officials said the new collection is needed because of national security.

SORM is mandatory, but telcos still have to pay out of their own pockets to buy the equipment and then write and maintain the software that collects and uploads this data to the government.

Over the past few years, many ISPs, especially the small provincial and neighborhood ones, have been ignoring the government. They either haven’t deployed the equipment or haven’t configured it to work properly.

Some did it because of financial and technical limitations while others did it as a silent protest against the Kremlin’s growing authoritarianism.

According to Kommersant, a minimum package to deploy SORM used to cost around 5 million rubles (~$70,000) before the new update, and the costs are now about to go through the roof.

The Russian government has been aware of this problem for several years but it doesn’t seem to care anymore that the new rules destroy its smaller ISP market, which is estimated to be around 10,000 companies.

In fact, it wouldn’t mind if the market consolidated so it could be easier to control. The government has been quite aggressive towards ISPs and mobile operators over the past two years.

Last week, its internet watchdog fined 85 telcos that failed to provide data on IP addresses assigned to customers under the SORM requirements. The government also passed legislation to revoke the licenses of ISPs that fail to follow SORM for up to 10 years, effectively killing their business.

Russia’s expanded SORM surveillance rules carry a steep price: the equipment itself is expensive (millions of rubles at least) — a cost smaller telecom operators can’t absorb. As a result, many turn to “outsorming” (lol), routing their users’ surveillance data through larger operators.

— Kevin Rothrock (@kevinrothrock.me) May 27, 2026 at 10:04 AM

As the Ukrainian war gets worse, the Kremlin is bracing for huge backlash and is looking to squash and preempt any dissent or protests.

The new rules obliterate any internet privacy that was still available to Russian citizens, with the government cracking down on internet freedom and expression as a way to control the narrative around its disastrous war in Ukraine.

The government went so far in a recent anti-VPN crackdown that it managed to crash its financial system for a few hours until government technicians realized VPNs were also used by the banks to hide and secure financial transactions.

People used to joke that Russians were under constant surveillance by their government, but that hasn’t actually been accurate at all. The Russian internet has been quite free. Not anymore, though.

Risky Business Podcasts

The main Risky Business podcast is now on YouTube with video versions of our recent episodes. Below is our latest weekly show with Pat, Adam, and James at the helm!

Breaches, hacks, and security incidents

California sues 23andMe over breach: California has sued genetic testing company 23andMe for allegedly failing to protect sensitive user data in a 2023 data breach. The breach exposed the personal and genetic information of almost 7 million Americans. The incident was traced back to a credential stuffing attack. California Attorney General Rob Bonta argues the company is at fault because it failed to protect against a common attack type. [California OAG]

Gravity Bridge hacked for $5.4m: Hackers have drained $5.4 million worth of crypto assets from the Gravity Bridge cryptocurrency portal. Attackers exploited a bug in a smart contract that moves assets between the Ethereum and the Cosmos blockchains. The company halted trading over the weekend to investigate the incident. [Gravity Bridge // The Block]

DxSale hacked for $7.3m: Hackers exploited legacy protocols in an old DeFi launchpad service called DxSale to steal $7.3 million worth of crypto from old liquidity pools. [DxSale // TronWeekly]

PostHog security breach: Developer analytics service PostHog went down on Saturday as the company rotated all AWS credentials. PostHog described the outage as a security incident after researchers demonstrated an exploit against its service. The company says no customer data was compromised or put in danger. [PostHog] [h/t Zack Whittaker]

Pay Tel secures leaky server: Prison calling service Pay Tel has secured a publicly exposed cloud server that leaked inmate details. More than 3.4 million scanned images were exposed for at least a week last month. The scanned images contained driver’s licenses and legal and financial documents. The cause of the leak was the lack of a server password. [UpGuard // TechCrunch]

General tech and privacy

Composer will scan for malicious PHP packages: The Composer PHP package manager will scan all new libraries for malware to avoid future supply chain attacks. Developers will receive alerts when they try to install a package containing malware, known vulnerabilities, or abandoned libraries. The scanning will be done by Aikido Security and will trigger warnings even if developers have locked their dependencies. Packagist also intends to enable MFA by default for all Composer packages in the near future. [Packagist blog post #1 // Packagist blog post #2]

DNS-AID: The Linux Foundation launched DNS-AID, a new open-source project to enable AI agents to use the DNS infrastructure to discover and talk to each other. [The Linux Foundation // DNS-AID website // IETF]

Stupid MSFT bug: Windows systems are breaking and failing to connect to a domain controller if the server hostname is 15 characters or longer. [KB5087537]

Zig bans AI-generated code: The Zig programming language has updated its code of conduct to ban LLM-generated code, vulnerability research, text generation, and just about anything AI-related at all. [Business Insider // Zig code of conduct]

More AI layoffs: Web hosting giant Wix will lay off a fifth of its staff due to the evolution of AI tools. That’s an estimated 1,000 employees. The company is the latest tech giant to fire staff by citing AI and AI-related costs. The list includes Amazon, Block, Cisco, Cloudflare, Meta, Microsoft, Oracle, and Intuit. [CNBC]

The effects of invasive AI: Amnesty International has published a report on the impact of AI technologies that have been trained on privacy-invasive data and unlawful web scraping. tl;dr: it’s bad! [Amnesty International]

Social media moderation is failing: An increasing number of users are complaining to a third-party arbitration body and overturning social media bans and moderation decisions. The Appeals Centre Europe overturned 63% of the 24,000 complaints it received last year. The Centre was established under the EU Digital Services Act and can help arbitrate moderation decisions on Facebook, Instagram, Pinterest, Threads, TikTok, and YouTube. [Appeals Centre Europe]

CNIL had a productive year: France’s privacy watchdog issued and collected fines of almost half a billion euros last year. The agency collected €487 million from 83 fines. Most came from just two fines, against Google (€325m) and Shein (€150m), which accounted for 97% of the collected funds. [CNIL]

NIST looking for new PQC algo: The US National Institute of Standards and Technology is looking for a new cryptographic algorithm that can resist quantum computing attacks. The organization already selected three PQC algorithms last year. The new selection will serve as an alternative in case the first ones get cracked or organizations need a more performant algorithm. Nine candidates have been put forward—SQIsign, HAWK, MQOM, SDitH, MAYO, QR-UOV, SNOVA, UOV, and FAEST. [US NIST // PostQuantum] [h/t Ivan Ristić]

PQC comes to Chrome 150: Chrome v150, expected to be released in late June, will ship support for ML-DSA, a post-quantum digital signature algorithm designed to resist attacks by quantum computers. The same PQC algorithm is also used for post-quantum protection in Linux and Windows. [Chrome Status]

Last.fm is now independent: Last.fm developers have taken over the company from Paramount and the service is independent again. [Last.fm]

Wikipedia is union-busting: Over the past month, the Wikimedia Foundation has been firing employees who were behind an effort to unionize. [Jake Orlowitz]

I have donated to Wikipedia. I will do so no longer, unless they actually fix this.

medium.com/@jakeorlowit…


— Martin Paul Eve (@eve.gd) May 28, 2026 at 12:36 AM

Government, politics, and policy

ENSOC launches: Cybersecurity agencies from eight EU countries have launched a shared security operations center. The ENSOC project will aggregate data and expertise from Austria, Italy, Luxembourg, the Netherlands, Portugal, Romania, Slovenia, and Spain. The project’s main purpose is to share cyber threat intelligence and help coordinate incident response to minimize impact. The project was announced in December and launched its website last month. [ENSOC website // LinkedIn post]

EU squeezes out US space tech: The European Union has allocated around three-quarters of the EU’s spectrum band to European satellite companies, leaving only breadcrumbs to the US, China, and everyone else. [Politico Europe]

China to issue IDs to humanoid robots: The Chinese government will assign unique digital IDs to humanoid-shaped robots. The IDs will be assigned through a new website named the Humanoid Full Lifecycle Management Service Platform. The IDs will be used to track robots from production to sale and recycling. [SCMP]

More US Cyber Force movement: US lawmakers are pushing an amendment to next year’s National Defense Authorization Act to formally establish a US cyber military branch. The new US Cyber Force would be established as a new branch of the US Army. The Pentagon and US lawmakers have been exploring the idea of a dedicated cyber branch for the past three years. [DefenseOne]

US Tech Force fails to hire staff: The US Tech Force has onboarded only 10 employees since its launch last year. Another 200 employees were hired but have yet to start work. The agency was set up in December and tasked with recruiting up to 1,000 workers from US tech giants to modernize US government networks. [NextGov]

HIPAA update: The US HIPAA regulation received an update to its security rules this year. [Medcurity]

Japan to establish a national intelligence agency: Japanese lawmakers have passed a law to establish a national intelligence agency. While several intelligence bureaus exist under several ministries, Japan has operated without a central intelligence agency since 1952. The new agency is expected to start operating in the coming months. It will be tasked with fighting foreign espionage, state-sponsored cyber warfare, and AI-driven disinformation campaigns. [NHK]

In this Risky Business sponsor interview, Casey Ellis chats with Truffle Security’s founder and CEO Dylan Ayrey about the recent CISA secrets leak.

Days after Brian Krebs ran the story, plenty of the exposed credentials were still live, including an admin-level GitHub app key with full rights over CISA’s org.

Dylan walks through why deleting the repo doesn’t fix anything, why most cloud vendors won’t hard-revoke exposed keys (OpenAI and Slack will; AWS, Google and friends mostly won’t), why Hugging Face datasets now hold more secrets than GitHub itself, and what the next generation of multi-provider credential-harvesting supply chain worms is going to look like.

Arrests, cybercrime, and threat intel

764 member charged: A Tennessee man was charged last week with multiple counts of child sexual exploitation. Zachary Sweeney, 30, was a member of an underground online community known as 764. Since 2022, Sweeney groomed and coerced young children into recording sexually explicit acts. In some cases, he even traveled to meet with victims, whom he later drugged, recorded, and sexually assaulted. Members of the 764 group split from another violent online community known as The Comm, known for producing a large number of hackers. [DOJ]

Russia publishes DDoS mitigation guide: Russia’s FSTEC military technical agency has published a guide to help local companies mitigate DDoS attacks. [FSTEC]

Nothing earth-shattering, though. Standard stuff – asset inventory, monitoring, segmentation, rate-limiting, load balancing, etc. Probably used ChatGPT to help them write it, LOL.

— VessOnSecurity (@vessonsecurity.bsky.social) May 31, 2026 at 9:48 PM

DriveSurge profile: A new threat actor tracked as DriveSurge is using thousands of hacked websites to redirect users to ClickFix and FakeUpdates lures and infect them with malware. The group stands out for using an open-source traffic distribution system named zTDS to manage the hijacked traffic. [SilentPush]

Infrastructure Destruction Squad profile: A threat actor that appeared last year is posing as a hacktivist collective but is heavily involved in developing and selling malware. The Infrastructure Destruction Squad has so far developed the BLACKNET-00 and EXTERMINATOR ransomware strains and several network scanners. According to security firm KELA, the group has pledged support for opposing camps and appears to be exploiting the current hacktivist trend for monetary gain. [KELA]

Scrapers as an attack tool: A threat actor is using web scraping technology as an attack tool to generate huge financial costs for targeted entities. This technique was used in a recent attack against an investigative reporting website for the Arab world. Security researchers who investigated the attack say the mysterious scraping now accounts for a quarter of the traffic to the Arab Reporters for Investigative Journalism (ARIJ) news portal. [Qurium]

Supply chain attack reports: Aikido Security, Microsoft, Microsoft, SafeDep, Socket Security.

New ChatGPT abuse: Threat actors are abusing ChatGPT’s content-sharing feature to render fake outage pages and send users to download malware-laced apps. The technique is a new variation of a type of abuse first seen last year against OpenAI. The new trick is that instead of static text with malicious instructions, the attackers are abusing ChatGPT’s code generation capabilities to render a full and realistic web page. These fake pages are then promoted via SEO poisoning to draw in users. [Push Security]

Malware technical reports

EvilTokens: Netcraft looks at how the new EvilTokens phishing kit exploits the device code mechanism to steal OAuth tokens. [Netcraft]

MicrosoftSystem64 RAT: DevSecOps company SafeDep looks at MicrosoftSystem64, a RAT used as a final payload with some malicious npm packages. [SafeDep]

New WordPress malware: GoDaddy’s security team has found a new WordPress malware strain that uses Steam profile comments as a dead drop C2 channel. [GoDaddy]

“The campaign was first detected by GoDaddy Security in July 2025, and researchers have detected the malware on approximately 1,980 WordPress sites.”

In this edition of the Snake Oilers podcast, Truffle Security founder Dylan Ayrey joins Risky Business to talk through the latest bells and whistles in Trufflehog, a security tool that searches for exposed secrets and validates them. The Truffle team has done a lot of work on the remediation part of their product over the last few years, and Dylan tells us all about it!

APTs, cyber-espionage, and info-ops

Sapphire Sleet: North Korean state-sponsored group Sapphire Sleet (BlueNoroff/UNC1069) is behind a social engineering campaign targeting macOS environments. [LevelBlue]

Operation Dragon Weave: A suspected Chinese APT is behind a spear-phishing campaign targeting officials and regular citizens in Taiwan and Czechia. [Seqrite]

Operation XENOFISCAL: Suspected Pakistani APT group SideCopy is targeting Afghanistan just as the diplomatic relations between the two countries are breaking down. [Seqrite]

CN and RU dominate APT activity: Even if the war in Iran caused Iranian APT activity to spike, Chinese and Russian groups still accounted for most espionage operations over the past two quarters, Q4 2025 and Q1 2026. [ESET]

Vulnerabilities, security research, and bug bounty

Security updates: Canon, Cargo, Chrome, Notepad++, Oracle, QuickCMS, Veeam.

Mullvad patches fingerprinting vector: VPN provider Mullvad is rolling out a mitigation to prevent threat actors from tracking users when they change the exit IP address of their VPN server. Going forward, the Mullvad network will not share any information about a user’s past VPN exit points. Only a small number of VPN providers let users change their server’s exit IP address. The issue has an outsized impact on Mullvad because the company only runs 578 servers, making tracking users between them trivial. [Mullvad // tmctmt]

Oracle releases first monthly updates: Oracle has released the first monthly security updates for its software products after recently switching from a quarterly to a monthly update scheme. [Oracle]

PAN bug exploited in the wild: Hackers are exploiting a recently patched vulnerability in Palo Alto Networks GlobalProtect firewalls. The vulnerability was patched last month and allows attackers to bypass authentication on the device. A specific configuration needs to be present on the device. The attacks were detected by security firm Rapid7. [CVE-2026-0257 // Rapid7]

Flowise PoC: Obsidian Security has published proof-of-concept exploit code for a recently patched one-click RCE in Flowise AI servers. [Obsidian Security]

“An attacker can fully compromise a server by convincing an authorized user to import a crafted chatflow. Import alone is enough to trigger arbitrary server-side code execution.”

More Nightmare Eclipse bugs coming: The security researcher who goes by Nightmare Eclipse has announced more Microsoft bugs, with the next one being a BitLocker issue. After their recent public spat with Microsoft and the company’s veiled threats, the researcher is now receiving bugs from others to share online; this one was given to them by another researcher named JonasLyk. Many other security researchers are now going public with tales of how their bugs were ignored or downplayed by Microsoft’s security team, then secretly patched behind their backs without a bounty being paid or even credit given. [Nightmare Eclipse]

ChatGPhish: Permiso researchers have disclosed ChatGPhish, a new technique to present phishing pages to Firefox users with the help of ChatGPT. [Permiso]

“ChatGPT’s response renderer blindly trusts Markdown links and images pulled from any third-party page the assistant summarizes. When a user asks ChatGPT to summarize or analyze a web page, attacker-controlled Markdown gets injected directly into the ChatGPT response as if ChatGPT itself generated it. There is no visual indicator that some of the content originated from a third party. Everything renders inside the same trusted interface. The core issue: ChatGPT does not distinguish between its own generated content and attacker-controlled Markdown pulled from external sources. Any page the victim summarizes can become the payload.”
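As an added illustration (not Permiso’s code and not ChatGPT’s renderer), here is a Python sketch of the provenance boundary the quote says is missing: Markdown fetched from a summarized page is rewritten before rendering so that images are never fetched and links are de-linkified and labelled with their host. The sample Markdown, the host names and the first-party allow list are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: Markdown an assistant pulled from a third-party page it was
# asked to summarize. The page author controls every byte of it, so it must not be
# rendered as if it were the assistant's own output.
UNTRUSTED_PAGE_MARKDOWN = (
    "Q1 results are in.\n"
    "![Sign in to continue](https://tracker.example/pixel.png?u=victim)\n"
    "[Download the full report](https://login-portal.example/verify)\n"
    "[Help](data:text/plain,hello)\n"
    "See [the official site](https://assistant.example/docs) for details."
)

# Minimal matchers for inline Markdown images and links. The image pattern must
# run first so the link pattern does not also consume the "[alt](url)" tail.
_IMAGE_RE = re.compile(r"!\[([^\]]*)\]\(\s*([^)\s]+)[^)]*\)")
_LINK_RE = re.compile(r"(?<!!)\[([^\]]*)\]\(\s*([^)\s]+)[^)]*\)")
_SAFE_SCHEMES = {"http", "https"}


def _safe_host(url: str) -> str:
    """Host of an http(s) URL, or '' when the scheme is anything else (data:, javascript:, ...)."""
    parts = urlparse(url)
    if parts.scheme.lower() not in _SAFE_SCHEMES or not parts.netloc:
        return ""
    return parts.netloc.lower()


def neutralize_external_markdown(md: str, first_party_hosts=()):
    """Rewrite Markdown fetched from a third-party page before it is rendered.

    Images are never fetched (loading them leaks the viewer's IP and lets the page
    author paint lure text inside the trusted UI). Links are de-linkified and
    annotated with the host they point to, so the reader can see the target is not
    something the assistant generated. Hosts listed in first_party_hosts keep their
    links. Returns (rewritten_markdown, findings) where findings is a list of
    (kind, url) tuples suitable for logging.
    """
    findings = []
    first_party = {h.lower() for h in first_party_hosts}

    def drop_image(m):
        url = m.group(2)
        findings.append(("image", url))
        host = urlparse(url).netloc.lower() or "unknown source"
        return f"[image from {host} not loaded]"

    def rewrite_link(m):
        text, url = m.group(1), m.group(2)
        host = _safe_host(url)
        if not host:
            findings.append(("unsafe-link", url))
            return f"{text} [link removed: unsupported URL]"
        if host in first_party:
            return m.group(0)  # assistant's own domain: leave the link intact
        findings.append(("external-link", url))
        return f"{text} (external link, not clickable: {host})"

    out = _IMAGE_RE.sub(drop_image, md)
    out = _LINK_RE.sub(rewrite_link, out)
    return out, findings
```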

Canon fixes printer export bug: Canon has released firmware updates for more than 200 enterprise printer models to fix a major security issue. The bug could have allowed attackers to steal credentials for the local domain via the printer’s export configuration feature. According to security firm Praetorian, attackers could use special HTTP requests to trick the printer into skipping encryption and dumping the credentials in plaintext. [Praetorian // Canon, April 23 2026 security advisory]

CIFSwitch LPE: There’s another branded Linux local privilege escalation bug, this one named CIFSwitch. Just like all the others disclosed last month, this one was also found with AI, but it’s not universal, as it only affects a handful of distros and only under certain conditions. Unlike all the other Linux LPEs, this one received a patch ahead of release. [Asim Viladi Oglu Manizada]

Infosec industry

Threat/trend reports: CNIL, ESET, Grundfos, and Red Sift have recently published reports and summaries covering various threats and infosec industry trends.

New tool—Prempti: Cloud security firm Falco has released Prempti, a policy and visibility layer for AI coding agents.

New tool—LLMReaper: Security researcher Lohitya Pushkar has published LLMReaper, a Chrome extension that can silently steal AI agent conversations without any special permissions, network interception, or privilege escalation.

New tool—Atomdrift: A new open-source project named Atomdrift launched in March to help companies detect software supply chain attacks against binaries, scripts, packages, and extensions.

New tool—NSA ZIG: The NSA has launched a special page with all their zero trust implementation guidelines. [NSA ZIG]

RWC 2026 videos: Talks from the Real World Crypto 2026 security conference, which took place in March, are available on YouTube.

OSCW 2026 videos: Talks from the Open Source Cryptography Workshop, which took place at the Real World Crypto 2026 conference in March, are available on the workshop’s site.

SISAP 2026 videos: Talks from the SISAP 2026 security conference, which took place in January, are available on YouTube.

SANS AI Cybersecurity Summit 2026 videos: Talks from the SANS AI Cybersecurity Summit 2026, which took place in April, are available on YouTube.

Risky Business podcasts

In this episode of Risky Business Features, Theori’s Brian Pak and Andrew Wesie join James Wilson to discuss why the CopyFail exploit was publicly disclosed before Linux distributions had their patches ready. 


