SIM Swaps, Supply Chains, and State Actors
The Daily Raptor | Market Update
Newsletter Signup: dailyraptor.com
Tuesday, August 19, 2025 Edition
The cyber threat landscape has been especially turbulent this week, with major developments spanning cybercrime prosecutions, state-sponsored espionage, and global supply chain security. Enterprises face a dual reality: Western law enforcement is making strides in holding criminals accountable, while state-linked adversaries are quietly embedding themselves in critical systems.
Scattered Spider: Enforcement and Emerging Risks
Noah Urban, 20, a Florida-based member of Scattered Spider, the social-engineering and ransomware collective notorious for breaching MGM and Caesars, was sentenced to ten years in prison, exceeding both the eight years prosecutors requested and the five years the defense sought. The ruling underscores the judiciary's tougher stance against repeat cyber offenders.
In parallel, Orange Belgium disclosed a breach affecting 850,000 customer accounts, exposing subscriber details including SIM card numbers and PUK codes.
Scattered Spider has not been definitively tied to this attack, but industry analysts note that the targeting profile is strikingly similar. The concern is the downstream chain: SIM card numbers and PUK codes are the kind of details that help an attacker impersonate a subscriber to carrier support, so high-net-worth individuals in the dataset become prime SIM-swap targets. Once the attacker controls the victim's phone number, every SMS one-time passcode protecting a banking or enterprise account is delivered to the attacker instead, turning a telecom breach into account takeover at scale. Phishing-resistant MFA (FIDO2 security keys or passkeys) is unaffected by a SIM swap, and a carrier port-out or account PIN that is not derived from the leaked data raises the bar further.
Key Takeaways:
Court issues stiffer-than-requested prison sentence for Scattered Spider member, Noah Urban.
Orange Belgium breach raises alarms about SIM-swap risks against high-value targets.
Industry concern: adversaries may increasingly blend telecom data theft with social engineering tactics to maximize financial and enterprise impact.
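The chain described above (SIM replaced at the carrier, then SMS one-time passcodes redirected to the attacker) is one that a fraud or security team can detect by joining two feeds it usually already has. The following is an added example written for this edition, not code from The Daily Raptor, Orange Belgium or any vendor: it correlates a constructed carrier SIM-change feed with a constructed application authentication log and flags sensitive actions that were approved by a phone-delivered OTP shortly after the subscriber's SIM changed. The log formats, field names (`msisdn`, `iccid`, `mfa`, `channel`) and every log line are assumptions made for the illustration.

```python
"""Added example (not code from The Daily Raptor or any vendor): correlate a
carrier SIM-change feed with an application's step-up authentication log and
flag actions approved by SMS one-time passcode shortly after the subscriber's
SIM was replaced. Log formats, field names and every line below are
constructed for this illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed carrier-side feed (assumed format): the ICCID bound to a number changed.
SIM_EVENTS = """\
2025-08-20T09:12:44Z msisdn=+32470000001 event=sim_change old_iccid=89320000000000000001 new_iccid=89320000000000000077 channel=retail_store
2025-08-20T11:03:10Z msisdn=+32470000002 event=sim_change old_iccid=89320000000000000002 new_iccid=89320000000000000078 channel=call_center
2025-08-18T08:00:00Z msisdn=+32470000003 event=sim_change old_iccid=89320000000000000003 new_iccid=89320000000000000079 channel=self_service
"""

# Constructed application-side log (assumed format): sensitive actions and the MFA factor that approved them.
AUTH_EVENTS = """\
2025-08-20T09:40:05Z user=cfo@example.com msisdn=+32470000001 event=password_reset mfa=sms_otp result=success
2025-08-20T09:41:30Z user=cfo@example.com msisdn=+32470000001 event=add_payee mfa=sms_otp result=success
2025-08-20T14:10:00Z user=ops@example.com msisdn=+32470000002 event=login mfa=fido2 result=success
2025-08-20T16:00:00Z user=sales@example.com msisdn=+32470000003 event=password_reset mfa=sms_otp result=success
"""

# Factors delivered over the phone network; these are what a SIM swap redirects.
PHONE_DELIVERED_FACTORS = {"sms_otp", "voice_otp"}


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict; the timestamp goes under 'ts'."""
    ts_raw, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def parse_log(text: str) -> List[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


@dataclass
class Alert:
    user: str
    msisdn: str
    action: str
    sim_changed_at: datetime
    action_at: datetime
    channel: str  # how the SIM change was requested; useful for the carrier-side follow-up

    @property
    def lag(self) -> timedelta:
        return self.action_at - self.sim_changed_at


def correlate(sim_log: str, auth_log: str, window_hours: float = 48) -> List[Alert]:
    """Return one Alert per successful phone-delivered-OTP action that follows
    a SIM change on the same number within window_hours. FIDO2/passkey
    approvals are ignored on purpose: a SIM swap does not affect them."""
    window = timedelta(hours=window_hours)
    changes_by_number: Dict[str, List[dict]] = {}
    for ev in parse_log(sim_log):
        if ev.get("event") == "sim_change":
            changes_by_number.setdefault(ev["msisdn"], []).append(ev)

    alerts: List[Alert] = []
    for ev in parse_log(auth_log):
        if ev.get("mfa") not in PHONE_DELIVERED_FACTORS or ev.get("result") != "success":
            continue
        for change in changes_by_number.get(ev.get("msisdn", ""), []):
            lag = ev["ts"] - change["ts"]
            if timedelta(0) <= lag <= window:
                alerts.append(Alert(ev["user"], ev["msisdn"], ev["event"],
                                    change["ts"], ev["ts"], change.get("channel", "unknown")))
    return alerts


if __name__ == "__main__":
    for a in correlate(SIM_EVENTS, AUTH_EVENTS):
        print(f"ALERT {a.user} {a.action} via phone OTP {a.lag} after SIM change ({a.channel}) on {a.msisdn}")
```

On the constructed data, the two SMS-OTP actions on the CFO's number are flagged (SIM changed 27 minutes earlier at a retail store), the FIDO2 login on the second number is ignored even though that SIM also changed, and the third number falls outside the 48-hour window. Legitimate SIM replacements will produce false positives, so the alert is a trigger for a hold-and-verify step rather than an automatic block; in production the SIM-change side would come from the carrier directly or from a SIM-swap check API, and the durable fix is to stop accepting phone-delivered factors for high-value actions at all.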
Silk / Volt / Salt Typhoon: State-Linked Espionage
As The Daily Raptor reported last week, China-linked cyber-espionage actors remain highly active across North America and Europe. Silk Typhoon has been observed exploiting zero-day vulnerabilities to break into managed service providers and IT vendors, positioning itself inside ecosystems that serve as gateways to downstream customers. CrowdStrike, which tracks the group as Murky Panda, reports that it also abuses trusted cloud relationships: compromise an upstream service provider, then ride that provider's legitimate access into its customers' environments. Two other China-linked groups under the same naming convention, Volt Typhoon and Salt Typhoon, continue to favor stealthy living-off-the-land techniques against telecom and critical infrastructure networks. Taken together, the activity reflects Beijing's broader strategy of maintaining persistent access to critical industries while avoiding detection. For defenders, the practical check is to inventory which external providers hold delegated-administrator or service-principal access into your cloud tenants, and to review sign-in and audit logs for that access with the same scrutiny applied to your own privileged accounts.
Key Takeaways:
Silk Typhoon exploits zero-days and trusted cloud relationships to expand reach.
Volt/Salt Typhoon focus on stealth in telecom and critical infrastructure environments.
China-linked espionage activity is increasingly centered on ecosystem compromise, not just single-entity breaches.
Supply Chain Attacks: Converging Risks
The past 10 days have underscored how supply chain compromise is central to both cybercrime and state-sponsored campaigns. UK telecom provider Colt Technology Services confirmed that customer data was stolen during a ransomware attack linked to the WarLock gang, with lingering service outages across its hosting and API platforms. Orange Belgium's breach, while not yet attributed, shows how leaked telecom data can be weaponized for SIM swaps and account takeover, a tactic consistent with groups like Scattered Spider. In parallel, Silk Typhoon's exploitation of IT vendors highlights how state-sponsored actors are embedding themselves in the supply chain of critical infrastructure providers.
Key Takeaways:
Scattered Spider-style risks: Telecom breaches may supply data for SIM swapping and MFA bypass.
Silk Typhoon-style risks: Supply chain access into IT vendors threatens critical infrastructure stability.
Supply chain compromises amplify impact: one breach cascades into hundreds of enterprises and public-sector organizations.
Customer-Side Challenge: State & Local Governments Sound the Alarm
Amid these escalating threats, U.S. state and local governments are warning of widening resource gaps. In a bipartisan letter to Congress, organizations representing mayors, counties, and state CIOs urged the restoration of federal funding for the MS-ISAC, the Multi-State Information Sharing and Analysis Center. MS-ISAC is a cornerstone for defending local schools, hospitals, utilities, and law enforcement agencies against foreign adversaries. In 2024 alone, it helped detect 43,000 potential attacks and blocked 25 billion malicious site connections. Without renewed federal support, leaders warn that smaller and rural communities—already resource-constrained—will face crippling vulnerabilities.
Adding to this concern, new research from Dragos highlights how industrial and supply chain sectors are under historic ransomware pressure. In Q2 2025 alone, Dragos documented 657 ransomware incidents impacting industrial organizations worldwide, with North America bearing more than half (355 incidents). The manufacturing sector was the hardest hit, accounting for nearly two-thirds of all cases, while Industrial Control Systems (ICS) incidents almost doubled compared to the prior quarter. Groups like Qilin—responsible for nearly 1 in 5 industrial breaches—are increasingly professionalized and aligned with nation-state interests, exploiting both direct operational environments and upstream vendors.
Key Takeaways:
MS-ISAC funding shortfall threatens local government cyber resilience.
Rural and small communities are disproportionately exposed without shared defense.
Industrial ransomware incidents are accelerating: 657 globally in Q2 2025, led by manufacturing and ICS environments.
Adversaries are increasingly professionalized, blending ransomware + supply chain compromise to disrupt at scale.
End of Week Press Update:
Noah Urban Sentenced to 10 Years for Scattered Spider Cybercrime Operation - A 20-year-old member of the notorious Scattered Spider cybercrime gang was sentenced to ten years in prison for wire fraud and aggravated identity theft, with $13 million in restitution ordered | August 21, 2025
Orange Belgium Data Breach Affects 850,000 Customer Accounts - Orange Belgium announced a cyberattack on its IT systems resulting in unauthorized access to personal data from 850,000 customer accounts, including SIM card numbers and PUK codes, raising alarm about potential SIM-swap attacks | August 21, 2025
UK Sanctions Target Cryptocurrency Networks Facilitating Ransomware - The United Kingdom imposed sanctions targeting Kyrgyz financial institutions and cryptocurrency networks accused of facilitating Russian sanctions evasion, military procurement, and ransomware operations | August 21, 2025
Colt Technology Services Ransomware Attack with Data Theft - Colt Technology Services is working on restoring systems disrupted by a ransomware attack that involved data theft | August 19, 2025
FBI/IC3 Warns of Russian FSB "Center 16" Targeting Networking Devices and Critical Infrastructure - The FBI's Internet Crime Complaint Center (IC3) issued a warning that the Russian intelligence unit is targeting networking devices and critical infrastructure | August 20, 2025, IC3
Cyber Insurers Weigh Limiting Payouts for Breaches via Unpatched CVEs - Policy changes under discussion would increase the financial exposure of enterprises that fail to patch known vulnerabilities | August 22, 2025, Dark Reading
Workday Confirms CRM Data Exposure Tied to Wider Salesforce Campaign - Workday confirmed exposure of CRM data in the ShinyHunters campaign against Salesforce customers, a SaaS supply-chain risk | August 19, 2025, Dark Reading
Allianz Life Breach Impacts Approximately 1.1 Million U.S. Customers - Insurance sector exposure reported by Reuters | August 18-19, 2025, Reuters
INTERPOL "Serengeti 2.0" Crackdown Yields 1,200+ Arrests - Cybercrime operation targeting BEC and ransomware rings affecting global commerce | August 22, 2025
Have a great weekend, Raptor Community!
The DR Team