Cybersecurity News that Matters

[Weekend Briefing] The Silent War

Illustration by Areum Hwang, The Readable

by Dain Oh

Jul. 04, 2025
8:17 PM GMT+9

“Weekend Briefing” is a weekly newsletter sent to subscribers of The Readable every Friday.


A series of recent cyber incidents across the globe has exposed critical weaknesses in sectors ranging from aviation and telecoms to political institutions and tech infrastructure. From Qantas grappling with a breach threatening millions of customer records, to sophisticated North Korean and Iranian cyber campaigns targeting cryptocurrency firms and political figures, cyber threats have grown both more technically advanced and more geopolitically charged. Meanwhile, revelations of massive data breaches at SK Telecom and Columbia University underscore how deeply personal and institutional data remain at risk, while governments worldwide scramble to tighten defenses and hold perpetrators accountable.

This is Dain Oh reporting from South Korea, and here is your weekend briefing.

1. SK Telecom scrambles to contain fallout from years-long cyberattack – The Readable

South Korea’s Ministry of Science and ICT has concluded its investigation into a major cyberattack that compromised SK Telecom, the country’s largest mobile carrier, revealing that hackers infiltrated the company’s systems as early as August 2021 and later stole critical subscriber data. Despite detecting unusual activity in early 2022, SK Telecom attempted to handle the incident internally without reporting it to authorities, a decision that the government says contributed to the severity of the breach. Hackers ultimately exfiltrated nearly 10 gigabytes of USIM (Universal Subscriber Identity Module) data in April 2025, potentially covering every SK Telecom subscriber. While officials have downplayed the risk of widespread secondary damage, concerns remain about the potential misuse of sensitive customer information, including possible state-sponsored cyber espionage targeting high-profile individuals.

The government’s probe found that SK Telecom failed to maintain sufficient supply chain security and had inadequate logging practices, keeping crucial firewall logs for only four months instead of the required six. Because the retention window was shorter than the attackers’ dwell time, investigators could neither confirm nor rule out a leak of personal data between mid-2022 and late 2023. The investigation also revealed that although certain personal identifiers and device information were temporarily stored in plain text, the logs available from December 2023 onward contained no concrete evidence that they were exfiltrated. Additionally, authorities discovered a separate supply chain weakness through which unrelated malicious code entered 88 company servers, though it was not linked to the main breach.

In response to government criticism and the threat of severe penalties, including possible license revocation, SK Telecom announced a sweeping “Responsibility and Commitment” program. The company pledged to invest 700 billion won (approximately $500 million) over the next five years to strengthen cybersecurity infrastructure, double its dedicated security staff, and elevate its chief information security officer to report directly to the CEO. SK Telecom also promised to waive contract termination fees for customers affected by the breach and will provide a 50 percent discount on August mobile bills for all customers, along with additional free data benefits. Furthermore, the company plans to offer a year of free mobile security software and introduce a compensation guarantee for any future cyber incidents, signaling an effort to rebuild public trust after the extensive hack.

2. Qantas investigates data breach after contact center cyberattack – The Readable

Qantas has confirmed that it suffered a cyber incident involving one of its contact centers after detecting unusual activity on a third-party platform used to service customers. Although the airline emphasizes that its flight operations and safety have not been affected, it acknowledges the breach exposed customer data stored in an external system. Qantas has apologized to customers, stressing that it takes the protection of personal information seriously and is working closely with the Australian government’s cybersecurity agencies and independent specialized experts to manage the situation.

So far, Qantas’ investigation has revealed that personal details such as names, email addresses, phone numbers, birth dates, and frequent flyer numbers may have been accessed by cybercriminals who initially targeted a call center. While credit card details, financial data, and passport information were not stored in the compromised system, there are concerns that the exposed data could still be misused for scams, identity theft, or attempts to reset passwords on other services, especially for customers who reuse their credentials. Although experts have not yet observed this stolen data circulating on the dark web, they caution that the situation could evolve.

In response, Qantas has taken steps to contain the affected system and is enhancing security monitoring and access restrictions. It has established dedicated support channels and is proactively contacting affected customers to provide guidance and assistance. Cybersecurity specialists advise customers to change their passwords, enable two-factor authentication where possible, avoid clicking links in suspicious emails, and closely monitor both their loyalty accounts and financial statements for unusual activity. While the investigation continues, staying vigilant and cautious remains the best protection for Qantas customers in the wake of this incident.

3. North Korean hackers targeting crypto projects with unusual Mac exploit – Cointelegraph

Cybersecurity researchers have uncovered a new cyberattack campaign by North Korean hackers targeting cryptocurrency companies through malware designed specifically for Apple devices. The attackers disguise themselves as trusted contacts on messaging platforms like Telegram and lure victims into fake online meetings, sending them what looks like a legitimate Zoom update. Once installed, this file deploys malware called NimDoor on Mac computers, which focuses on stealing cryptocurrency wallets, browser passwords, and other sensitive information. The campaign marks a significant shift, as Mac computers were once thought to be relatively safe from such sophisticated threats.

What sets this attack apart is the hackers’ use of Nim, a relatively new programming language whose compiled binaries run on Windows, Mac, and Linux from the same source code. Nim malware is still uncommon, so binaries built from it match fewer existing detection signatures and are less familiar to analysts, giving attackers an edge in evading defenses. Beyond simply stealing credentials, the malware can perform keylogging, screen recording, and clipboard monitoring. It even waits ten minutes before activating to avoid being flagged by security scans, which often run only briefly after a file lands. In addition, researchers discovered scripts capable of extracting Telegram’s encrypted local databases, highlighting the attackers’ advanced techniques.

Experts warn that Apple devices are increasingly becoming targets for state-sponsored cyberattacks, debunking the longstanding belief that Macs are immune to viruses. Security firms have recently reported similar threats linked to North Korean groups, like BlueNoroff, and noted the appearance of fake browser extensions aimed at stealing cryptocurrency wallet details. As cybercriminals adopt more innovative tools and tactics, including unusual programming languages, both individuals and businesses are urged to remain cautious, especially those involved in the crypto industry.

4. US sanctions Russia’s Aeza Group for aiding cybercrime – The Readable

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Aeza Group, a Russia-based company that offers bulletproof hosting services, for helping cybercriminals carry out ransomware attacks, steal personal information, and run illegal online drug markets. Bulletproof hosting providers like Aeza rent out servers and network infrastructure while deliberately ignoring abuse complaints and takedown requests, allowing criminals to keep their operations online and out of reach of law enforcement. The sanctions extend beyond Aeza’s operations in Russia to include affiliated companies in the United Kingdom and several individuals who hold leadership positions in the group, demonstrating the global reach and complexity of modern cybercrime networks.

Investigations revealed that Aeza Group provided services to various cybercriminal groups, including operators of infostealers like Meduza and Lumma, which are used to harvest personal information, passwords, and other sensitive data that often end up for sale on darknet markets. Aeza also hosted infrastructure for ransomware strains like BianLian and for BlackSprut, a Russian darknet marketplace dealing in illegal drugs. Aeza’s financial operations involved cryptocurrency transactions that were designed to obscure customer identities and fund flows, with on-chain analysis linking Aeza to over $350,000 in cryptocurrency tied to illicit activities, including connections to vendors selling malicious software used to breach systems and steal data.

The U.S. government views this action as part of a broader effort to disrupt the infrastructure that enables cybercrime, not just targeting individual hackers but the services and networks that support them. As a result of the sanctions, all property and interests belonging to the designated individuals and companies that fall under U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. OFAC has emphasized that while sanctions are a powerful tool to disrupt criminal networks, they are also intended to encourage changes in behavior. OFAC remains open to removing individuals or entities from the sanctions list if they demonstrate a shift away from illicit activities.

5. Iran-linked hackers threaten to release Trump aides’ emails – Reuters

An Iran-linked hacking group calling itself “Robert” has threatened to release another trove of emails stolen from people close to President Donald Trump, after previously leaking material during the 2024 U.S. presidential campaign. In recent online conversations with Reuters, the hackers claimed to possess about 100 gigabytes of emails from key figures in Trump’s circle, including White House Chief of Staff Susie Wiles, lawyer Lindsey Halligan, adviser Roger Stone, and adult film actress Stormy Daniels, a longtime Trump critic. While hinting at the possibility of selling the material, the group has not shared details about the emails’ contents or specific plans for their release.

The hacking group first emerged in the final months of the 2024 election, when it disclosed emails that touched on topics like Trump’s financial dealings with attorneys representing former presidential candidate Robert F. Kennedy Jr., internal campaign discussions about Republican candidates, and negotiations related to Stormy Daniels. Although these leaks drew some media attention, they did not significantly alter the outcome of the election, which Trump ultimately won. U.S. authorities, including the Justice Department, have alleged that Iran’s Islamic Revolutionary Guard Corps was behind the Robert operation, though the hackers declined to comment on that accusation in conversations with Reuters.

After a period of silence following Trump’s election victory, the hackers resurfaced in the wake of the 12-day Israel-Iran conflict, which concluded with a U.S.-brokered ceasefire following American airstrikes on Iranian nuclear facilities. Experts suggest Iran’s cyber operatives might now be seeking ways to retaliate without provoking further military action. While U.S. cyber officials caution that American companies and critical infrastructure could still be targets for Iranian cyber activity, scholars like Frederick Kagan believe that leaking additional emails poses a lower risk of triggering renewed hostilities.

6. Columbia University student data stolen by politically motivated hacker, university says – AP News

Columbia University suffered a politically motivated cyberattack on June 24 that disrupted its campus network and led to the theft of sensitive student records, according to a university official. The incident caused widespread outages, locking students and staff out of email, coursework, and video conferencing platforms for several hours. On the same day, images of President Donald Trump appeared on public monitors across Columbia’s Manhattan campus, although university officials said it was unclear if those displays were directly connected to the breach. While Columbia declined to detail the hacker’s political motivations, officials described the attacker as a sophisticated “hacktivist” aiming to advance a political agenda through the theft of private records.

The university is still assessing the scope of the data breach and has pledged to inform the campus community and any individuals whose personal information may have been compromised. The cyberattack comes as Columbia remains in tense negotiations with the Trump administration over the possible loss of $400 million in federal funding, tied to allegations that the school has failed to adequately protect Jewish students from antisemitic harassment. As part of the ongoing discussions, Columbia has already agreed to several reforms, including changes in the oversight of its Middle East studies department and revisions to campus protest and disciplinary policies.

The incident echoes a similar cyberattack in March against New York University, where a hacker briefly exposed student admission records online, claiming the goal was to demonstrate noncompliance with the Supreme Court’s 2023 ruling that banned affirmative action in college admissions. At the time, NYU dismissed the displayed data as inaccurate and emphasized its adherence to the law. The recent breach at Columbia highlights how universities are increasingly targeted by cyber actors pursuing politically charged agendas, blending cybersecurity threats with broader national debates over higher education policies.


Editor’s note: Each item in this briefing was initially summarized or translated by ChatGPT-4o based on the author’s specific instructions, which included news judgment, fact-checking, and thorough editing before publication.
