#NSBCS.065 - Tariffs: Taxing Trade, Triggering a Cyber War

Source: NSB Cyber


All we’ve heard over the past few weeks is tariffs - tariffs on steel, aluminium, and goods from countries like Canada, China, and the EU, with the U.S. slapping a 25% levy on Australian steel and aluminium exports despite Australia’s historically low tariffs averaging just 2.4%. The global trade landscape is shifting fast, and while the economic fallout dominates headlines, there’s another ripple effect that’s getting less attention but could prove just as significant: the impact on cybersecurity. As nations retaliate with counter-tariffs and businesses grapple with rising costs and uncertainty, the digital world is bracing for a storm of its own.

At its core, this tariff business is shaking up economies. Companies facing higher costs for raw materials or imported tech (like the aluminium in servers or the rare earth metals in chips) may cut budgets elsewhere to stay afloat. Cybersecurity, often seen as a “nice-to-have” rather than a “must-have” in lean times, is a prime target for those cuts. Fewer investments in security infrastructure mean outdated systems, unpatched vulnerabilities, and a skeleton crew of IT staff - basically a welcome mat for cybercriminals. Experts have noted that economic instability tends to push businesses to scale back defences just when they’re most needed.

Tariffs also disrupt the global supply chain, creating a cascade of cybersecurity risks. Here’s how:

  • Compromised Hardware: A rush to new, cheaper suppliers - especially in regions with lax oversight - raises the odds of pre-installed malware in devices like routers or servers.

  • Counterfeit Tech: Disrupted trade flows make it easier for fake components to slip into the mix, undermining system integrity.

  • Vendor Vetting Gaps: Switching suppliers quickly leaves less time to verify their security practices, opening doors to backdoors or data leaks.

  • Fragmented Oversight: As supply chains splinter across borders, tracking and securing every link becomes a logistical nightmare.

Retaliation adds another layer. As the EU, Canada, and others slap tariffs back on the U.S., tensions rise, and so does the risk of state-sponsored cyber-attacks. Nations unhappy with trade policies might greenlight hackers to target critical infrastructure - think power grids, financial systems, or even healthcare networks. China, already a major player in cyber espionage, could see a 60% tariff hike as a nudge to ramp up digital retaliation. The U.S.’s own moves, like declaring a potential “National Emergency on Electricity” tied to Canadian tariffs, hint at how trade spats could spill into cyber warfare over key resources.

For everyday users, the stakes are quieter but real. Higher costs for tech goods (laptops, phones, IoT devices) might mean more people cling to old, unsupported hardware. An unpatched Windows 7 machine or a five-year-old router is a hacker’s playground. Meanwhile, businesses passing tariff costs to consumers could spark phishing waves, preying on panicked buyers hunting for deals.

The tariff saga isn’t just about trade - it’s a cybersecurity stress test. Companies might dodge some bullets by shifting production stateside, but domestic capacity will still be limited, and costs won’t vanish. For now, the world’s digital defences are stretched thin, and cybercriminals are watching, ready to pounce on the chaos. In this trade war, the real casualties might be our firewalls.

What we read this week

  • Microsoft Patch Tuesday Fixes 57 vulnerabilities - Microsoft’s March 2025 Patch Tuesday includes 57 security updates, featuring six actively exploited zero-days: CVE-2025-24983, CVE-2025-24984, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, and CVE-2025-26633. According to MS, six vulnerabilities are rated critical for remote code execution. Attackers can gain system privileges, read restricted data, and execute code by exploiting flaws in NTFS, Fast FAT, or Microsoft Management Console. Some exploits rely on malicious VHD files, while others involve phishing or physical device access. It is recommended to promptly test and apply the patches across your infrastructure to avert compromise. Neglecting these updates increases the risk of privilege escalation and data breaches across environments.

  • Social Network “X” targeted by DDoS Attack - “X” endured multiple DDoS attacks this week, causing intermittent outages that Elon Musk described as a massive cyberattack, with potential involvement from pro-Palestinian hackers or Ukrainian IP addresses. Musk’s statements coincide with rising geopolitical tensions. However, experts note that IP-based evidence is often inconclusive, as global botnets deploy compromised devices and proxy services to obscure true origins. Some X servers were unprotected, allowing direct targeting. Hardening all infrastructure endpoints, enhancing DDoS safeguards, and frequently testing security posture can usually minimise DDoS exposure.

  • China-linked UNC3886 targets Juniper Networks routers - Mandiant discovered a China-linked cyber espionage campaign by UNC3886 targeting outdated Juniper Networks routers, exploiting CVE-2025-21590 to bypass Junos OS security mechanisms. Attackers deployed multiple TINYSHELL backdoor variants, disabled logs, and injected code into legitimate processes to remain undetected. Their focus on internal networking infrastructure, including ISP routers, poses risks to communications globally. Maintaining updated firmware, employing multi-factor authentication, and enforcing strict role-based access controls can limit exposure. This campaign reflects UNC3886’s custom malware operations from 2022 and 2023, now shifting focus to devices lacking robust detection, such as network edge and virtualisation environments, and demonstrating increased sophistication.

  • CISA releases Medusa Ransomware advisory guidance - The Medusa ransomware operation has compromised over 300 US critical infrastructure organisations as of February 2025, per CISA, the FBI, and MS-ISAC. Active since 2021, Medusa expanded in 2023 by adopting a Ransomware-as-a-Service model, recruiting affiliates on cybercriminal forums and offering bounties of up to one million dollars. Threat actors weaponise a dedicated leak site, evidenced by high-profile breaches of Minneapolis Public Schools and Toyota Financial Services. This Medusa strain is distinct from other malware bearing the same name. Organisations should apply timely patches, segment networks, and filter suspicious traffic to thwart this threat’s disruptive potential.

  • Another Volt Typhoon Operation Discovered - The Chinese APT group Volt Typhoon compromised a US power utility in Massachusetts in 2023, maintaining stealthy access for over 300 days. The attackers targeted operational technology details and facility layouts to enable potential disruption and exfiltration. The FBI and Dragos discovered lateral movement using SMB traversal and RDP. Volt Typhoon typically infiltrates networks by compromising SOHO routers or exploiting unpatched perimeter devices and leverages LotL binaries to avoid detection. Defenders should strengthen OT security through rigorous patch management, network segmentation, and continuous threat monitoring. This incident illustrates Volt Typhoon’s sustained focus on critical infrastructure (CI), highlighting the importance of proactive, multi-layered defences in all CI sectors.
