Weekly review of the National Cyber Security Centre Finland (NCSC-FI) - 21/2025

Be cautious with Android TV media devices

The market offers a wide range of Android TV devices that allow users to stream content, use apps and browse the internet via their television. However, not all devices are equal in terms of quality or cyber security.

There have been global reports of devices purchased from low-cost online shops that have serious cyber security flaws. Some of these devices contain software indicative of malware, which may include undesirable functions. A device may become part of a botnet—a network of infected devices—which can be used without the owner’s knowledge for malicious internet traffic, attempted data breaches, or denial-of-service (DoS) attacks.

Cheap devices and those made by unknown manufacturers may also lack software updates, increasing the risk of security vulnerabilities. Such devices can compromise not only your privacy but also the security of your home network.

When considering the purchase of an Android TV device, choose reputable and well-known manufacturers and retailers. Avoid buying from unknown or suspicious online stores, especially those operating outside the EU. Vendors within the EU are subject to stricter data protection and consumer rights standards, and devices sold by them are more likely to receive necessary updates and support.

What to consider when purchasing and using an Android TV device

• Ensure that the media device you purchase is properly certified and protected.
  • You can check this by opening the Google Play Store on the device.
  • Tap the profile icon in the top right corner.
  • Select Settings.
  • Check the device's Play Protect certification by selecting About.
• Only download apps to your Android TV device from official sources, such as the Google Play Store.
• If you detect malware on your device, disconnect it from the network and contact the device seller.

Lessons from the massive supply chain attack via SolarWinds

In 2020, a massive supply chain attack was carried out via the company SolarWinds. The attacker succeeded in embedding malware into an update of SolarWinds' Orion IT monitoring application. Through the malware, the attacker gained a foothold in hundreds of organisations that installed the compromised update. At this year’s RSA Conference, the then Chief Information Security Officer (CISO) of SolarWinds shared his lessons from the incident. The experience of SolarWinds provides valuable guidance for managing similar cases:

1. Timely and transparent crisis communication (ideally with the support of a trusted communications partner) is essential for managing uncertainty and misinformation.      Transparent communication strengthens customer and partner trust, even in difficult situations.
2. Comprehensive, skilled external support is critical to resolving a crisis of this scale.
3. In an exceptional situation, the focus must be on helping victims recover and ensuring their safety.
4. Risk management requires both understanding and preparing for risks.  Threats that have been assessed are real possibilities—some of which are likely to materialise. Executive leadership must be committed to preparedness plans and training, which help build readiness for risk realisation.
5. Cooperation is essential in facing modern cyber threats. Even business competitors are not adversaries from a cyber security perspective—the threat is shared, and the response must be collective.
6. The role of authorities in such cases: A national cyber security authority (in this case, CISA) can be an invaluable partner in recovery. Authorities bring independence, power and a form of authority that can significantly assist staff in managing and recovering from the situation. The national police (in this case, the FBI) also played a key role, particularly in gathering information.
7. Regarding the capabilities of a modern advanced threat actor: The operation lasted a couple of years and was carried out with great discretion, which required patience from the attacker. Long-term monitoring is essential—including areas where anomalies are not typically expected. In many crises, long-term historical data proves vital in identifying abnormal activity.

Register for a webinar: National and EU funding opportunities for developing cyber security

The NCSC-FI will host a public webinar on Wednesday 18 June 2025 from 9:00 to 10:00, presenting the latest insights into available national funding support and EU funding opportunities for the development of cyber security, along with related application services.

During the event, the National Coordination Centre (NCC-FI) at the NCSC-FI will present its operations and services related to EU funding, as well as national funding calls and the opportunities of the Digital Europe Programme’s cyber security work programme. Business Finland will also participate, presenting its services for companies in the cyber security sector and the funding opportunities offered by Horizon Europe for cyber security research and innovation.

This event is intended for all organisations interested in funding opportunities for developing cyber security. Funding is available for the private, public and third sectors.

Participants will have the opportunity to ask questions via the chat function. The webinar will be held in Finnish. A recording of the event will be made available on the Finnish Transport and Communications Agency Traficom’s YouTube channel.

Where? Webinar
When? Wednesday 18 June 2025, from 09.00 to 10.00

Register by Tuesday 17 June 2025 at 15.00

More information about the webinar:
NCSC-FI’s National Coordination Centre (NCC-FI)
NCC-FI(at)traficom.fi

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.