Front Page: NCSC-FI

Information security now!

This week we highlight best practices for storage media security, focusing on how to manage encryption recovery keys securely. November’s Cyber Weather draws attention to fake online shops exploiting the Christmas shopping season and malware targeting users. The monthly Cyber Weather also covers security-related questions, risks and perspectives associated with cloud services.

TLP:CLEAR

Be careful with your BitLocker recovery key

BitLocker is Microsoft’s full-disk encryption feature, included in certain versions of the Windows operating system (such as Pro, Enterprise and Education). It is designed to protect data from unauthorised access by encrypting entire storage media. BitLocker can be used to encrypt computer hard drives, USB memory sticks and external hard drives.

Organisations are advised to review their BitLocker recovery processes. As part of this review, it should be considered whether users can view BitLocker recovery keys and perform recovery themselves, or whether IT support should assist users in the recovery process by providing the BitLocker recovery key.

A BitLocker recovery key may be required, for example, if: 

  • the PIN code has been entered incorrectly too many times
  • changes need to be made to the boot manager
  • the TPM security chip is disabled, blocked or cleared.

Visibility of BitLocker recovery keys can be restricted for users. IT support staff can be assigned the BitLocker Reader administrator role, allowing only them to provide the BitLocker recovery key to users. Blocking user access to BitLocker recovery keys can be configured via the Microsoft Entra ID admin centre or Microsoft Graph.
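
The Microsoft Graph route mentioned above can be scripted as follows. This is an added example, not NCSC-FI's or Microsoft's own script; it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in administrator may consent to the listed scopes, and that recovery key reads appear in the Entra audit log under the activity name "Read BitLocker key".

```powershell
# Added example. Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'AuditLog.Read.All'

$policyUri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

# Record the current tenant-wide setting before changing it.
$before = Invoke-MgGraphRequest -Method GET -Uri $policyUri
'Before: allowedToReadBitlockerKeysForOwnedDevice = {0}' -f `
    $before.defaultUserRolePermissions.allowedToReadBitlockerKeysForOwnedDevice

# $false: ordinary users can no longer read recovery keys for devices they own,
# so recovery has to go through IT support. $true restores self-service recovery.
$body = @{
    defaultUserRolePermissions = @{
        allowedToReadBitlockerKeysForOwnedDevice = $false
    }
} | ConvertTo-Json

Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body $body -ContentType 'application/json'

# Read the policy back instead of trusting the PATCH call alone.
$after = Invoke-MgGraphRequest -Method GET -Uri $policyUri
if ($after.defaultUserRolePermissions.allowedToReadBitlockerKeysForOwnedDevice) {
    Write-Warning 'Users can still read their own BitLocker recovery keys.'
}

# Review who has retrieved recovery keys during the last 7 days.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "activityDisplayName eq 'Read BitLocker key' and activityDateTime ge $since"
Get-MgAuditLogDirectoryAudit -All -Filter $filter |
    Select-Object ActivityDateTime,
                  @{ n = 'Actor'; e = { $_.InitiatedBy.User.UserPrincipalName } },
                  Result
```

The setting applies to the whole tenant, so the helpdesk recovery process should be in place before it is switched off for users.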

Organisations should define processes for the following situations:

  • How are lost or forgotten passwords handled?
  • How are smart card PIN codes reset?
  • Can users store or retrieve recovery information for devices they own?
  • Where are BitLocker recovery keys stored, and what are the instructions for users when a recovery key is needed?
  • Do you want to enable recovery password rotation?

Organisations are advised to review and define policy settings and processes for recovering BitLocker-protected drives. At the same time, it is essential to ensure that recovery information is stored securely and separately from the devices it protects.

Managing cloud service administrator accounts – best practices

Cloud services have become a core part of almost every organisation’s IT infrastructure. They are used in critical organisational functions, which makes the secure management of cloud service administrator accounts extremely important. The misuse of even a single administrator account can compromise an organisation’s entire cloud environment and disrupt business operations.

In a recent article, the NCSC-FI reviews the three most commonly used cloud services — Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). Read more about how administrator accounts in these environments should be protected and managed.

November’s Cyber Weather report published

Overall, November’s cyber weather was rainy, but at the same time fairly calm. During the month, a few noteworthy phenomena were observed in Finland and globally. The most significant new observations included attacks using the ClickFix technique and the Shai-Hulud 2.0 malware. 

Kyberala murroksessa webinar recording now available

In the final Kyberala murroksessa (Cyber sector in transition) webinar of the year, participants discussed both the past year and the year ahead. What has the past year been like from a cybersecurity perspective? What developments can we expect in 2026, and how can cooperation help us prepare for both anticipated and unexpected cyber threats? 

The webinar recording is available via the Videosync service and, from early next week, with subtitles on Traficom’s YouTube channel.

Recording of the EU cybersecurity funding information session now available

The National Coordination Centre at the NCSC-FI organised a general funding information session on Tuesday, 25 November 2025. The session presented the open calls in the Digital Europe Programme’s CYBER-09 funding round and provided practical tips for preparing applications. A recording of the event is now available on Traficom’s YouTube channel. 

Weekly malware review: Shai-Hulud

Shai-Hulud is a modular malware framework that has become active in recent months. Its name refers to the sandworms in the Dune novels and aptly describes the malware’s ability to “burrow” deep into systems and expand within its environment unnoticed.

Shai-Hulud 2.0 is a worm spreading within the NPM (Node Package Manager) ecosystem. It is designed to propagate rapidly through software developers’ environments. The worm is installed when a user adds an infected npm package to their development environment.

Once it has gained a foothold, the worm searches the target system for secrets such as API keys and identifiers, GitHub and npm credentials, cloud service credentials and environment variables. The data it collects is published to a public GitHub repository. After this, the worm publishes new copies of itself to the npm package repository using stolen credentials in order to continue spreading. At the same time, the stolen data is exfiltrated to the attacker.

To detect and prevent infections, organisations should first review their entire development infrastructure for suspicious indicators. In particular, they should scan for known compromised packages. Any infected packages should be removed immediately, and automatic package updates should be temporarily disabled. If an infection is suspected, administrators should rotate all access credentials.
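
One way to scan for known compromised packages is to compare every package-lock.json in a source tree against a list of affected name@version pairs taken from a published advisory. This is an added example, not an NCSC-FI tool: the function name Find-CompromisedNpmPackage is hypothetical, the package names in the demo are constructed placeholders and not real indicators, and only lockfileVersion 2 and 3 files are handled.

```powershell
# Added example. Requires PowerShell 7+: ConvertFrom-Json -AsHashtable is needed
# because package-lock.json uses an empty-string key for the project itself.
function Find-CompromisedNpmPackage {
    param(
        [Parameter(Mandatory)] [string]   $Root,      # directory tree to search
        [Parameter(Mandatory)] [string[]] $Blocklist  # entries written as 'name@version'
    )
    $bad = [System.Collections.Generic.HashSet[string]]::new([string[]]$Blocklist)
    Get-ChildItem -Path $Root -Recurse -File -Filter 'package-lock.json' |
        ForEach-Object {
            $lockFile = $_.FullName
            $lock = Get-Content -Raw -LiteralPath $lockFile | ConvertFrom-Json -AsHashtable
            if (-not $lock.Contains('packages')) { return }  # lockfileVersion 1: skipped
            foreach ($entry in $lock['packages'].GetEnumerator()) {
                if (-not $entry.Key) { continue }            # '' is the project itself
                # 'node_modules/a/node_modules/@scope/b' -> '@scope/b'
                $name = ($entry.Key -split 'node_modules/')[-1]
                $id   = '{0}@{1}' -f $name, $entry.Value['version']
                if ($bad.Contains($id)) {
                    [pscustomobject]@{ LockFile = $lockFile; Package = $id; Path = $entry.Key }
                }
            }
        }
}

# Constructed demo data: names and versions are placeholders, not real indicators.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'lockscan-demo'
New-Item -ItemType Directory -Force -Path $demo | Out-Null
@'
{ "name": "app", "lockfileVersion": 3, "packages": {
    "": { "name": "app", "version": "1.0.0" },
    "node_modules/example-clean-pkg": { "version": "2.1.0" },
    "node_modules/example-clean-pkg/node_modules/@example/placeholder-pkg": { "version": "9.9.9" } } }
'@ | Set-Content -LiteralPath (Join-Path $demo 'package-lock.json')

# Reports the nested transitive dependency, which a look at package.json alone would miss.
Find-CompromisedNpmPackage -Root $demo -Blocklist '@example/placeholder-pkg@9.9.9'
```

A match means the affected version was resolved for that project; whether it was actually installed and executed on a given machine still has to be checked on that machine.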

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.

What to do if you get scammed

About the weekly review

This is the weekly review of the National Cyber Security Centre Finland (reporting period 5 December–12 December 2025). The purpose of the weekly review is to share information about current cyber phenomena. The review is intended for everyone from cybersecurity professionals to ordinary people.