A wave of sophisticated, concurrent cyber attacks targeting global entities across the financial, automotive, healthcare, and technology sectors reveals a strategic splintering of the threat landscape. The recent security incidents involving Invacare, Volkswagen Group, LV=, Versa Networks, and the persistent threats facing institutions like Habibbank and Computer Weekly are not isolated events. They are exemplars of three distinct and parallel threat models that define the new normal:
- The Professionalized RaaS Cartel: Ransomware-as-a-Service (RaaS) has evolved into a fully-fledged illicit industry. Groups like Qilin and Rhysida operate as sophisticated cartels, offering robust platforms, engaging in active recruitment, managing distinct “brands”, and deploying advanced evasion techniques—such as Rust-based payloads—specifically to bypass modern, AI-driven defenses.
- The Nation-State Supply Chain Attack: State-sponsored Advanced Persistent Threats (APTs), such as Volt Typhoon, are focusing on a different objective. By compromising core infrastructure and software-defined networking (SDN) providers like Versa Networks, they seek strategic, long-term access to thousands of downstream customers, prioritizing espionage and credential harvesting over immediate financial gain.
- The Commoditized MaaS Underworld: The barrier to entry for cybercrime has collapsed. Advanced info-stealers like Stealc and Remote Access Trojans (RATs) like SectopRAT are sold via Malware-as-a-Service (MaaS) subscriptions for as little as $100-200 per month. This creates a high-volume, automated “background radiation” of cyber threats capable of stealing credentials, crypto-wallets, and even hijacking live user sessions.
These incidents demonstrate that organizations must simultaneously defend against three fundamentally different adversaries: a “smash-and-grab” extortionist (Rhysida), a “low-and-slow” state-sponsored spy (Volt Typhoon), and a low-level, automated credential thief (Stealc). A defensive posture that focuses on only one of these threats will leave an organization critically exposed to the others.
Ransomware as a Business
The RaaS ecosystem is the dominant model for financially motivated cybercrime. Criminal enterprises develop and maintain sophisticated ransomware payloads, leak sites, and payment infrastructures, which they lease to “affiliates” who conduct the actual intrusions. The attacks on Invacare, Volkswagen, and LV=, along with the looming threat to institutions like Habibbank, illustrate the specialization and strategic divergence within this mature criminal market.
Rhysida’s Attack on Invacare
Victim Profile & Incident: On or around November 4-5, 2025, the Rhysida ransomware group claimed responsibility for a significant cyber attack on Invacare. Based in Elyria, Ohio, Invacare is a prominent international manufacturer of medical equipment for home and long-term care settings. This attack is part of a disturbing trend of Rhysida targeting the Healthcare and Public Health (HPH) sector, one of several industries the group has actively pursued since May 2023.
Threat Actor Profile: Rhysida: The group, named after a genus of centipede, emerged in May 2023 and is suspected to have origins in the Commonwealth of Independent States (CIS). Rhysida has established a reputation for high-impact, disruptive attacks, including the 2023 British Library cyberattack, the data dump from Insomniac Games, and attacks on the Chilean army.
Tactics, Techniques, and Procedures (TTPs):
- Initial Access: Rhysida affiliates typically gain their initial foothold via targeted phishing campaigns.
- Command and Control (C2): Following a breach, the group is known to deploy the Cobalt Strike framework, a common penetration testing tool, to manage its access and move laterally within the victim network.
- Payload & Extortion: The ransomware itself is a 64-bit Windows Portable Executable (PE) compiled with MINGW/GCC. As part of its double extortion tactic, the group drops distinctive PDF-based ransom notes in affected folders and demands payment in Bitcoin.
A critical contradiction defines this threat actor. Despite executing some of the past year’s most devastating and high-profile breaches, Rhysida’s encryption payload is described by researchers as being in its “early stages of development”. Analysis of samples shows the program name “Rhysida-0.1” and a lack of “commodity features such as VSS removal”, a standard function used by most ransomware to delete shadow copies and prevent easy recovery.
This apparent paradox strongly suggests that Rhysida’s encryption payload is not its primary weapon. The group’s success lies in its affiliates’ expertise in initial access (phishing) and lateral movement (Cobalt Strike). The group is highly skilled at infiltrating networks and exfiltrating massive volumes of data for double extortion, with the rudimentary encryptor serving merely as a final, destructive mechanism to force payment. This means that defensive strategies focused solely on detecting the final ransomware binary will fail; the decisive battle is lost much earlier in the kill chain.
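The practical consequence of the point above is that the "commodity" VSS-removal step, which most ransomware families perform and which is therefore a high-value detection signal, will not fire for a Rhysida-style intrusion. The following is an added example (not code from the original report or from any vendor) of a minimal shadow-copy-deletion detection run over constructed process-creation events. The log layout (timestamp | host | user | image | command line), the host and user names, and the `encryptor.exe` stand-in for an encryptor without VSS removal are all assumptions; the three rules encode the well-known shadow-copy deletion command patterns.

```python
"""Added example: detect Volume Shadow Copy removal in process-creation logs.

The event format below is a constructed, simplified record; field names are
assumptions, not a real EDR schema.
"""
import re
from dataclasses import dataclass

# Constructed sample events. The first three on FS01 are the kind of commands
# most ransomware runs to remove shadow copies; the WS22 lines are benign or
# "Rhysida-like" activity (an encryptor that never removes shadow copies).
SAMPLE_LOG = """\
2025-11-04T02:11:07Z | FS01 | SYSTEM | C:\\Windows\\System32\\vssadmin.exe | vssadmin.exe delete shadows /all /quiet
2025-11-04T02:11:09Z | FS01 | SYSTEM | C:\\Windows\\System32\\wbem\\WMIC.exe | wmic shadowcopy delete
2025-11-04T02:11:12Z | FS01 | SYSTEM | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}
2025-11-04T09:30:00Z | WS22 | jdoe | C:\\Windows\\System32\\vssadmin.exe | vssadmin.exe list shadows
2025-11-04T09:31:00Z | WS22 | jdoe | C:\\Users\\jdoe\\Downloads\\encryptor.exe | encryptor.exe
2025-11-04T09:32:00Z | WS22 | jdoe | C:\\Windows\\explorer.exe | explorer.exe
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


# Each rule is a name plus regexes that must ALL match the command line
# (case-insensitive). "All terms present" matching is robust to argument
# reordering and extra switches.
VSS_REMOVAL_RULES = {
    "vssadmin_delete_shadows": [r"\bvssadmin(\.exe)?\b", r"\bdelete\b", r"\bshadows\b"],
    "wmic_shadowcopy_delete": [r"\bwmic(\.exe)?\b", r"\bshadowcopy\b", r"\bdelete\b"],
    "wmi_shadowcopy_delete_method": [r"Win32_ShadowCopy", r"\.Delete\(\)"],
}


def parse_event(line):
    """Split one constructed log line into its five fields. The command line is
    the last field and may itself contain '|', so the split is capped at four cuts."""
    parts = [p.strip() for p in line.split(" | ", 4)]
    if len(parts) != 5:
        raise ValueError(f"malformed event: {line!r}")
    timestamp, host, user, image, cmdline = parts
    return {"timestamp": timestamp, "host": host, "user": user,
            "image": image, "cmdline": cmdline}


def match_rules(cmdline, rules=VSS_REMOVAL_RULES):
    """Return the names of every rule whose terms all appear in the command line."""
    return [name for name, terms in rules.items()
            if all(re.search(t, cmdline, re.IGNORECASE) for t in terms)]


def detect_vss_removal(log_text):
    """Run the rules over every event and return one Alert per rule hit."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in match_rules(ev["cmdline"]):
            alerts.append(Alert(ev["timestamp"], ev["host"], ev["user"], rule, ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for a in detect_vss_removal(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host} {a.user}: {a.rule} <- {a.command_line}")
```

Run stand-alone, the script raises three alerts for FS01 and none for WS22: the `vssadmin list shadows` query is not a deletion, and the stand-in encryptor never touches shadow copies at all. That silence is the point: a detection stack whose ransomware coverage leans on this rule has nothing to say about the earlier phishing and Cobalt Strike stages where the Rhysida intrusion is actually decided.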
Furthermore, Rhysida employs a unique psychological TTP. The group poses as a “cybersecurity team”, cynically framing the extortion as a “service” to help the victim identify and secure its network vulnerabilities. This narrative serves multiple purposes: it attempts to confuse the victim and stall a unified incident response; it provides a bizarre, quasi-plausible “penetration test” cover story; and, in the case of a healthcare provider like Invacare, it adds a layer of surreal mockery to amplify psychological pressure on the victim to pay.
StormouS.X and the Volkswagen Group
Victim Profile & Incident: On May 31, 2025, the threat group “StormouS.X” claimed to have breached the Volkswagen Group. The compromised asset was identified as a subdomain, fal-3a.prd.eu.dp.vwg-connect.com, which is associated with Volkswagen’s “vwg-connect.com” digital services platform for its connected vehicles. The actors claimed to have exfiltrated user account data and authentication tokens.
Threat Actor Profile: StormouS.X: This allegedly Arabic-speaking group has been active since at least 2021. After a period of quiet, it resurfaced with a new data leak site in 2023 and again in 2025.
- Motivation: The group is explicitly political, having sided with Russia in its conflict with Ukraine and claiming to focus its attacks on “Western countries” and companies.
- Professionalization: The group’s Tor site mimics a professional RaaS operation, featuring a “Shop” to sell stolen data and, notably, a “Job Application” page seeking to recruit individuals with expertise in ransomware programming, phishing, and social engineering.
However, there is a significant discrepancy between the group’s claims and its verified capabilities. Security researchers note that the group’s legitimacy is “questionable”. Some data leaked by StormouS.X has been “proven fabricated”, and the group has been observed recycling breach data from other threat actors.
This behavior suggests StormouS.X may not be a traditional RaaS group, but rather a hybrid of a politically motivated hacktivist collective and a for-profit extortion gang. The “Job Application” page signals an aspiration to build technical capability, but its reliance on “fabricated” claims suggests its primary product is propaganda. For a high-profile, symbolic target like Volkswagen, a major pillar of Western industry, the public claim of a breach—and the resulting brand damage and market uncertainty—may be the primary goal. The extortion is a secondary, opportunistic motive. This represents a model of “Patriotic Extortion,” where a geopolitical alignment is used as a brand to legitimize and amplify criminal activity.
Threats to the Financial Sector (LV= and Habibbank)
The financial sector remains the ultimate target for top-tier RaaS groups. The breach at LV= and the threat profile of Habibbank demonstrate the sophisticated, evolving TTPs used against these high-value, high-security environments.
Case Study 1: The CL0P Breach of LV=
On November 4, 2025, the major UK financial services and insurance firm LV= (Liverpool Victoria) was listed as a victim of the notorious “CL0P” ransomware group.
To understand this incident, two seemingly unrelated facts must be connected. First, LV= was breached by CL0P. Second, LV= has recently been undergoing a “significant business transformation programme” to migrate its core systems from incumbent vendors to a new “cloud-based solution,” a project involving complex “vendor relationships” for hosting and security.
Given the CL0P group’s well-established and infamous TTP of mass zero-day exploitation of secure file-transfer and SaaS vendors, this breach was almost certainly not a direct phishing attack on an LV= employee. It was a supply chain attack. It is highly probable that CL0P breached one of LV=’s new cloud or software vendors and, in doing so, inherited LV= as a victim. This incident is a stark warning: as financial firms like LV= and Habibbank migrate to the cloud, their attack surface expands to include the security posture of every SaaS partner in their supply chain.
Case Study 2 (Proxy Analysis): The Qilin Threat to Habibbank
While no breach is publicly confirmed, a major financial institution like Habibbank is a canonical target for the most sophisticated RaaS groups. The Qilin group represents the apex predator in this ecosystem.
Threat Actor Deep Dive: Qilin
Qilin is a highly professional, Russian-speaking RaaS operation that first appeared under the name “Agenda”. It executes a classic double extortion model—encrypting data and exfiltrating it for leverage—and is noted for avoiding targets within the CIS. Its technical TTPs are designed specifically to bypass the defenses of mature organizations like banks:
- Payload (Rust & Golang): Qilin is actively migrating its ransomware code from Golang to Rust. This is a critical and deliberate strategic decision. Rust-compiled binaries are memory-safe, notoriously difficult for reverse engineers to analyze, and, most importantly, have a low detection rate against traditional antivirus and EDR engines.
- Exfiltration (Living off the Land): Qilin affiliates have been observed using legitimate, open-source file transfer tools like Cyberduck to exfiltrate stolen data. This is a “Living off the Land” (LotL) technique designed to blend in with normal network traffic. For a large bank like Habibbank, where system administrators might use similar tool
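Because a tool like Cyberduck is legitimate, signature matching on the binary alone produces either noise or nothing; the usable signal is the tool running under an account, on a host, or at a volume that the organisation's own baseline does not expect. The following is an added example (not code from the original report or from any vendor) of such a baseline-driven check over constructed process-and-network events. The event layout, the host and user names, the `ADMIN_BASELINE` allowlist, the volume threshold and the list of transfer clients other than Cyberduck are all assumptions.

```python
"""Added example: flag legitimate file-transfer clients used outside an admin baseline.

Events are constructed tuples (timestamp, host, user, image path, bytes sent);
the layout is an assumption, not a real EDR or NetFlow schema.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Transfer clients to watch. The report names Cyberduck; the others are
# assumptions about what an admin baseline might reasonably include.
TRANSFER_CLIENTS = {"cyberduck.exe", "winscp.exe", "filezilla.exe", "rclone.exe"}

# Constructed baseline: accounts expected to run transfer tools, and from which hosts.
ADMIN_BASELINE = {
    "svc_backup": {"BKP01"},
    "a.khan": {"ADM-JUMP01"},
}

# Constructed threshold: even a baselined admin moving more than this in one
# session is worth a look.
HIGH_VOLUME_BYTES = 1_000_000_000

# Constructed sample events.
SAMPLE_EVENTS = [
    ("2025-11-04T22:05:10Z", "ADM-JUMP01", "a.khan", r"C:\Program Files\Cyberduck\Cyberduck.exe", 120_000_000),
    ("2025-11-04T22:40:03Z", "FS01", "svc_backup", r"C:\Tools\rclone\rclone.exe", 8_000_000_000),
    ("2025-11-04T23:12:44Z", "WS22", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\cyberduck.exe", 2_500_000_000),
    ("2025-11-05T01:02:00Z", "WS22", "jdoe", r"C:\Windows\explorer.exe", 10_000),
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    image: str
    reason: str


def classify(host, user, image, bytes_out,
             baseline=ADMIN_BASELINE, clients=TRANSFER_CLIENTS, threshold=HIGH_VOLUME_BYTES):
    """Return a reason string if the event deserves attention, else None.

    Order matters: an unknown account is the strongest signal, then a known
    account on an unexpected host, then a baselined session moving unusual volume.
    """
    if PureWindowsPath(image).name.lower() not in clients:
        return None  # not a transfer tool; nothing to baseline
    if user not in baseline:
        return "transfer_tool_by_unbaselined_user"
    if host not in baseline[user]:
        return "transfer_tool_on_unexpected_host"
    if bytes_out > threshold:
        return "baselined_session_high_volume"
    return None


def detect_lotl_exfil(events):
    """Apply classify() to every event and collect the findings."""
    findings = []
    for timestamp, host, user, image, bytes_out in events:
        reason = classify(host, user, image, bytes_out)
        if reason:
            findings.append(Finding(timestamp, host, user, image, reason))
    return findings


if __name__ == "__main__":
    for f in detect_lotl_exfil(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host} {f.user}: {f.reason} <- {f.image}")
```

On the constructed events the backup service account is flagged because it ran a transfer tool from a file server rather than its designated backup host, and the ordinary user is flagged outright; the administrator's modest session from the jump host passes. The check is deliberately keyed on who, where and how much rather than on the tool's hash, which is exactly the dimension a Living-off-the-Land technique tries to hide in.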