Europe’s Cyber Bullets Can’t Replace Political Will

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week’s edition is sponsored by runZero.

You can hear a podcast discussion of this newsletter by searching for “Risky Business News” in your podcatcher or subscribing via this RSS feed.



A groundswell of officials are calling for European countries to build cyber capabilities to strike back against adversaries. It’s a fine sentiment, but if Europe had the cojones to strike back it could have done so already with the options it currently has.

Last week, speaking on the sidelines of the Munich Security Conference, the European Commission’s Executive Vice President for Tech Sovereignty, Security and Democracy, Henna Virkkunen, told Politico that “it’s not enough that we are just defending … We also have to have offensive capacity”. 

At the same conference, other European officials, including intelligence chiefs, expressed similar sentiments. NATO Deputy Secretary General Radmila Shekerinska said that collectively, the alliance’s objective should be “to take action and to be able to strike back” against cyber threats. Shekerinska called out Russia and China as significant threats.

This call for action is primarily being driven by Russian aggression against Europe. Late last year Russia targeted Poland’s electricity grid with a cyber operation, and is currently running a real-world sabotage campaign across Europe. While there is a cyber element to the sabotage campaign, much of it relies on recruiting local proxies. Just this week, The Financial Times reported that Russia’s military intelligence agency, the GRU, is using the Wagner Group mercenary outfit to recruit disaffected locals to carry out these sabotage operations. 

Europe hasn’t responded robustly to the sabotage campaign. But the successful attacks have been annoying, rather than economically devastating or lethal. So how exactly should a state respond when a petty criminal starts a warehouse fire egged on by the Wagner Group over Telegram? Prosecuting and jailing disposable agents is all well and good, but it hasn’t deterred Russia’s broader campaign. Recruiting Russian bomb throwers to retaliate could be the quickest, easiest response, but we don’t think it’s something European countries will go for. 

So… cyber operations seem attractive at first glance. They can provide a stealthy, deniable way to strike back and cause mayhem. And European countries should invest in developing their own sovereign capabilities, especially given the wobbliness of the NATO alliance. But for European cyber operations to be effective, they need to be painful enough to convince Russia’s leaders to stop. That means big and noisy. 

Given that more capable NATO members have not launched cyber sabotage campaigns across Russia, we wonder whether European countries even have the political will to carry out these kinds of destructive operations. There are already tools that Europe could use to impose costs on Russia, but as yet it has chosen not to use them. These include levying more sanctions, tackling the Russian shadow fleet that is used to evade sanctions, closing Russian consulates and expelling Russian diplomats.

There are already warning signs that Russia’s sabotage is becoming more ambitious. Late last year, 15 Lithuanians were charged with terrorism offences and accused of sending parcel bombs via delivery companies. Lithuanian authorities allege the plot is linked to Russian intelligence. Reports indicate the next stage of the plan was to target cargo planes bound for the US and Canada. 

If countries are not willing to levy the easy, straightforward punishments they already have at their disposal, there’s every chance they’ll be just as trigger shy on launching powerful destructive cyber attacks when, or if, the capability finally arrives.

Rather than sitting back and waiting for a magic cyber bullet, European countries should take the shots they have in their arsenal now. 

AI Companies: Level the Playing Field By Hobbling Our Competitors

In the last week, both Google and OpenAI have separately highlighted the prevalence of “distillation attacks” by adversaries to steal the proprietary logic of advanced AI models. Reading between the lines, both documents appear to be asking for greater government support. 

Distillation attacks, also known as model extraction attacks, aim to siphon out the special sauce of frontier models simply by asking them questions. When these attacks are successful, other AI developers can level up their own models at a fraction of the cost by taking advantage of the work put in by leading companies to create proprietary logic.

Google’s latest AI threat tracker report mostly describes how threat actors are using AI, but the report begins by calling out distillation attacks. Google frames these types of attacks as a form of intellectual property theft. 

Google cited one example that involved more than 100,000 queries to its Gemini AI. The campaign appeared to be about “replicating Gemini’s reasoning ability in non-English target languages”.

Google didn’t call out any particular country or competitor, but instead referred to “frequent model extraction attacks from private sector entities all over the world and researchers seeking to clone proprietary logic”.

By contrast, in a memo sent to US lawmakers, OpenAI said that the majority of distillation activity appears to originate from China and that it has seen “evolving but persistent methods” being used against its models. 

OpenAI called out Chinese firm DeepSeek, and said it had seen deliberate attempts from the company to circumvent its distillation attack countermeasures. These included DeepSeek employees developing code to programmatically access US AI models for distillation attacks, and obfuscating their IP addresses by using third-party routers. 

It’s not just DeepSeek, either. OpenAI says there is an entire Chinese model distillation ecosystem developing. This includes networks of unauthorised OpenAI resellers used to evade platform controls, and actors that are developing increasingly sophisticated multi-stage pipelines. These pipelines “blend synthetic-data generation, large-scale data cleaning, and reinforcement-style preference optimisation”.

Both the Google report and OpenAI’s memo have the same take-home message. It is difficult for AI companies to prevent distillation attacks, especially on their own. 

From a US policymaker’s perspective, the question is whether the government should help American AI companies retain their advantage and if so, how. 

Although it is possible that AI will become a commodity, there is a good chance that having indigenous AI capabilities will be important for America’s economic and national security. If that is true, then of course lawmakers should support their own AI champions. We’re sure the Chinese government is doing exactly that.

In its memo, OpenAI has helpfully provided a list of suggestions for the government. To help counter distillation attacks, these include increasing information and intelligence sharing, and working with industry to establish best practice defences. 

It also recommends restricting adversary access to “US compute, cloud, payment and web infrastructure”. 

OpenAI says that two critical inputs for AI development are electricity and computing capacity, i.e. chips. When it comes to electricity, it says, China is winning. Last year it added 543 GW of capacity, ten times the amount added by the US.

On the chips side of the equation the US still has an advantage. Although the Trump administration loosened US chip export controls as of January this year, US lawmakers are now arguing for restrictions on China’s access to advanced chip making equipment. AI companies may get some traction here. 

It’s clear that distillation attacks are a serious and persistent threat to American AI leadership. If policymakers think sovereign AI will be important to both the economy and national security, they should step in and help protect it.

James Wilson contributed to this report. 

Three Reasons to Be Cheerful This Week:

  1. Google’s explicit image removal tool: Last week Google launched a new tool for people to request the removal of non-consensual explicit images from Search.
  2. Locking down session cookies from infostealers: Chrome 145, released last week, introduced Device Bound Session Credentials. These link authentication tokens to a user’s specific device, making it much harder for cybercriminals to take advantage of tokens stolen by infostealer malware, for example.
  3. Default theft protection coming to iOS: Apple will be turning on its Stolen Device Protection feature by default for all users of iOS 26.4. The fundamental problem being addressed here is that a thief who manages to watch a victim enter their passcode and then steals their iPhone can entirely take over a victim’s digital life. Device protection turns on additional biometric authentication requirements and adds a time delay to certain functions to give a victim an opportunity to take protective steps such as locking or erasing their device.  

In this sponsored interview, Casey Ellis chats to Todd Beardsley, VP of Security at runZero, about Kevology, the company’s analysis of CISA’s KEV list. Kevology lets you easily identify and fix vulnerabilities from the list that are urgent and relevant to you.


Shorts

The Singapore Telcos Hack

Singapore’s government has shared some details about Operation Cyber Guardian, a multiagency effort to defend the country’s four major telcos from UNC3886, a Chinese threat actor. 

More than 100 people across various government departments worked closely with the telcos to deal with UNC3886 after the compromises were detected. The government says that the attack “has not resulted in the same extent of damage as cyberattacks elsewhere”. Is this a reference to the outrageous success of Salt Typhoon?

We are not sure that this level of government and private sector cooperation can be reached in many other countries, but it is interesting to see the results of that kind of close cooperation.  

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last “Between Two Nerds” discussion Tom Uren and The Grugq discuss whether middle powers should be investing in military cyber capabilities.



Supply chain attack plants backdoor on Android tablets: A supply chain attack has planted backdoors inside the firmware of multiple Android tablet makers. Incidents of tainted firmware updates have been traced back to as far as August 2023.

The firmware images were infected with a new backdoor named Keenadu.

Spotted and analyzed by Kaspersky in a report released on Tuesday, the backdoor is injected into Zygote, the central core process of the Android operating system, from where it cannot be removed without a full device flash and reinstall.

[more on Risky Bulletin]

Cambodia promises to dismantle scam networks by April: Following growing international pressure, the Cambodian government has promised to crack down and dismantle cyber scam networks operating within its borders by April this year.

The government says it raided 190 locations in January alone, and arrested more than 2,500 suspects.

More than 110,000 foreigners who used to work in the scam compounds, by force or voluntarily, have also been freed and have already left the country, according to the country’s Commission for Combating Online Scams (CCOS).

The raids have hit 44 casinos, which are often used to hold the call center workers in spare rooms and under guard. Raids have also hit major hotel chains and newly-built building clusters that researchers have also been tracking for years.

[more on Risky Bulletin]

IcedID malware developer fakes his own death to escape the FBI: A Ukrainian man who developed and managed the IcedID malware botnet faked his own death in an attempt to escape the FBI and jail time in the US.

The unnamed suspect bribed Ukrainian cops to falsify a dead man’s documents and issue a death certificate in his name.

This happened in April 2024, a month before Europol and the FBI seized IcedID servers during Operation Endgame—suggesting there was either a leak in the investigation or that the suspect saw law enforcement agencies probing his servers.

[more on Risky Bulletin]
