The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris.
Kier Group, Informa and LV hit by fresh Cl0p ransomware campaign
A fresh Cl0p ransomware campaign targeting major UK organisations has been discovered. Kier Group, Informa, and LV are among the latest victims. Based on open-source intelligence, it appears that all three may be Oracle E-Business Suite customers, suggesting possible links to Cl0p’s recent attack on Oracle in September.
Cl0p has a long history of exploiting supply chain weaknesses. In previous attacks, they compromised The Washington Post, Harvard, and Logitech, and have been linked to the MOVEit, BlueYonder, and Oracle breaches.
Assured’s CISO reacts:
Cl0p is known for its precision-targeted ransomware, which moves quickly and widely once inside a network.
Observed techniques and the countermeasures for each:
- Block ASPX execution in upload folders on all IIS servers to neutralise LEMURLOOT web shells.
- Monitor external HTTP(S) uploads from MFT servers and flag any anomalous, large outgoing data streams.
- Block use of unsigned binaries and mandate digital-signature enforcement for all internal tooling to prevent signed loaders (e.g., Get2) from executing.
This should serve as a reminder to ask the right questions of your tech teams:
- Third-party risk: Are all external software suppliers being monitored, and are vulnerabilities fixed fast enough to prevent exposure?
- Access discipline: Do we have complete control over who and what connects to our systems from outside the business?
- Operational integrity: Are we confident that only approved, trusted applications can run on our critical systems?
Cyber attack disrupts Dutch broadcaster RTV Noord, but station stays on air
A cyber attack at Dutch regional broadcaster, RTV Noord, disrupted its radio show De Ochtendploeg, knocking out the systems needed for broadcasting. RTV Noord, which provides regional news and serves as a designated emergency broadcaster, discovered the hack through its IT department.
According to reports, the attackers left a message on the server, defaced the broadcaster’s website, and locked employees out of their work accounts. While the station’s digital operations, including its website, app, and livestreams, were largely inaccessible, the radio team managed to stay on air by manually changing CDs until normal programming resumed.
Despite the disruption, RTV Noord demonstrated resilience, continuing to broadcast on both radio and television through manual workarounds and maintaining a presence on social media.
Assured’s CISO reacts:
As seen previously with Collins vMUSE, a well-functioning company doesn’t always depend entirely on technology. RTV Noord’s ability to keep operating highlights the importance of tested contingency plans and robust incident response strategies to sustain essential services during cyber incidents.
Nikkei and Hyundai affiliates hit by data breaches
Two major Asian corporations have disclosed data breaches affecting thousands of employees and partners.
Japanese media group Nikkei reported that personal information belonging to more than 17,000 individuals was exposed after attackers stole authentication credentials from a malware-infected device used by an employee. The company said the stolen data does not fall under Japan’s Personal Information Protection Law, meaning it was not legally required to report the incident.
Meanwhile, Hyundai AutoEver America, an IT services arm of Hyundai Motor Group, confirmed a February breach that compromised personal information linked to Hyundai and Kia’s corporate and in-vehicle systems.
Assured’s CISO reacts:
It appears that the malware used in this attack stole Slack session tokens and cookies, allowing hackers to access private channels and messages without triggering multi-factor authentication.
MFA alone is therefore not the answer here, because a stolen session token bypasses it entirely and renders the control null. A policy of refreshing MFA and revoking active sessions by rotating API tokens can be effective. We recommend tying MFA into a conditional access policy, such as requiring a trusted device, and also enabling detections for high-risk sign-ins or sign-ins from new IP addresses.
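The detection the reaction above recommends, as an added example that is not part of the briefing: a session token issued to one IP and browser that later reappears from a different one is the signature of a replayed, stolen token. The log format, field names and IP addresses are constructed for the example, not taken from any real product.

```python
"""Flag sessions replayed from a client other than the one they were issued to.

Infostealer malware replays a stolen session cookie from the attacker's own
machine, so the same session ID appearing from a new IP and/or user agent is
the signal to revoke that session and re-challenge the user with MFA.
"""
import json

# Constructed sample events (JSON lines): alice's session is later replayed
# from an unrelated IP with a different browser; bob's session stays put.
SAMPLE_LOGS = """
{"ts": "2025-11-10T08:01:00Z", "user": "alice", "session": "s-4f1c", "ip": "203.0.113.10", "ua": "Chrome/130"}
{"ts": "2025-11-10T08:05:00Z", "user": "alice", "session": "s-4f1c", "ip": "203.0.113.10", "ua": "Chrome/130"}
{"ts": "2025-11-10T09:12:00Z", "user": "alice", "session": "s-4f1c", "ip": "198.51.100.77", "ua": "Firefox/128"}
{"ts": "2025-11-10T09:20:00Z", "user": "bob", "session": "s-9a02", "ip": "203.0.113.11", "ua": "Chrome/130"}
{"ts": "2025-11-10T09:25:00Z", "user": "bob", "session": "s-9a02", "ip": "203.0.113.11", "ua": "Chrome/130"}
"""


def parse_events(text):
    """Parse JSON-lines log text into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_session_reuse(events):
    """Return one alert per event whose session is seen from a client that
    differs from the client it was first issued to.

    Severity is 'high' when both IP and user agent changed (token replayed
    from another machine) and 'medium' when only the IP changed (could be a
    roaming user on the same browser, so worth a lower-priority review).
    """
    first_seen = {}  # session id -> (ip, ua) of the first event using it
    alerts = []
    for ev in events:
        origin = (ev["ip"], ev["ua"])
        issued_to = first_seen.setdefault(ev["session"], origin)
        if origin == issued_to:
            continue
        ua_changed = origin[1] != issued_to[1]
        alerts.append({
            "ts": ev["ts"], "user": ev["user"], "session": ev["session"],
            "issued_to": issued_to, "now_seen_from": origin,
            "severity": "high" if ua_changed else "medium",
        })
    return alerts


def sessions_to_revoke(alerts):
    """Distinct session IDs to revoke (and whose owners need an MFA refresh)."""
    return sorted({a["session"] for a in alerts})


if __name__ == "__main__":
    found = find_session_reuse(parse_events(SAMPLE_LOGS))
    for a in found:
        print(f"ALERT[{a['severity']}] {a['ts']} user={a['user']} session={a['session']} "
              f"issued_to={a['issued_to']} now_from={a['now_seen_from']}")
    print("revoke:", sessions_to_revoke(found))
```

On the constructed sample this raises a single high-severity alert for alice's session and lists it for revocation; in practice the "first seen" origin would be taken from the login event in your identity provider's audit log rather than from the first line that happens to mention the session.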