Cyber Threat Report | January 2023


There’s a saying in cybersecurity that goes: “new year, new threats”. As we kick off January, the digital security environment has become even more dynamic.

Various social engineering (phishing), credential stuffing, and distributed denial of services (DDoS) attacks are being carried out against key infrastructures around the world.

In our report, discover more about recent cybersecurity attacks and:

  • how the Department of Justice and the FBI were able to “hack the hackers”
  • the mystery of how a US “no-fly list” became publically available
  • what the two biggest vulnerabilities are for the financial sector.

In the words of AMATAS Chief Executive Officer, Marko Simeonov, 

“Cybersecurity is like a game of chess – every single “piece on the board” is vital to achieving a global cyber secure environment. Every single player involved, from individuals to experts, is responsible for sustaining and protecting our virtual space. Government policies are even more relevant now in continuing to support cybersecurity and the challenges that come with it. Countries need to safeguard the rights to digital privacy, identity and security of individuals and organizations.”

Cybercrime Breaking News

Credential stuffing attack targets 925,000 active and inactive Norton LifeLock accounts. An official statement, issued by Norton’s parent company – Gen Digital – said that they took the precaution to lock down the accounts after identifying the login attempts. About 35,000 PayPal customers’ personal data was accessed by hackers in yet another credentials stuffing attack that took place in December. As well, just last month, LastPass data was also accessed by malicious actors using similar methods.

The Guardian confirms that some UK staff’s personal data was accessed in the ransomware attack that targeted the media outlet in December. In an official email to staff, issued by the Guardian Media Group’s chief executive, Anna Bateson, and the Guardian’s editor-in-chief, Katharine Viner, the attack is described as “highly sophisticated” and as a “criminal ransomware attack” that isn’t specifically targeting the Guardian. It is believed that the ransomware was triggered by a phishing scheme.

The Transportation Security Administration is looking into how a Swiss hacker was able to gain access to regional airline CommuteAir. The hacker then published a US “no-fly list”, containing over 1.5 million entries. 

​​37 million T-Mobile customer accounts may have been affected by a data breach. In a disclosure notice, T-Mobile notes that within a day of learning about the attack, they “were able to trace the source of the malicious activity and stop it”.

At the beginning of January, the Serbian government reported a ‘massive distributed denial-of-service (DDoS) attack’ targeting the country’s Ministry of Internal Affairs website and infrastructures. The five attacks were countered, while the government noted that “enhanced security protocols have been activated, which can lead to slower work and occasional interruptions of certain services, all in order to protect the data of the Ministry of Internal Affairs.” No group has claimed ownership of the attacks on the Serbian Ministry’s website and infrastructures.

Twitter published an official statement that the data of over 200 million users, said to have been leaked, is “likely a collection of data already publicly available online through different sources.” After carrying out investigations, the platform confirmed, “…there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems”. 

Riot Games, receive a ransom email: “Needless to say, we won’t pay.” The news comes after they were targeted by a social engineering cyberattack, said to have affected multiple systems. As a result of these attacks, the gaming giant had to pause some updates. 

Cyberwar between Russia and Ukraine: Updates

DDoS attacks attributed to pro-Russian hackers are infiltrated against the US and Denmark, affecting the websites of hospitals, government offices, and the Danish central bank. 

Latvia’s Ministry of Defense may have been targeted by a phishing attack, carried out by Russian hacking group, Gamaredon. The ministry added that the attempted attack was unsuccessful.

Cybersecurity Justice

The Department of Justice (DOJ) and FBI infiltrate the Hive ransomware group network, saving victims $130 million in ransom demands by seizing and providing 300 decryption keys to Hive victims and 1,000 decryption keys to previous Hive victims. The months-long disruption campaigns commenced in July 2022 and coordinated alongside German law enforcement and the Netherlands National High Tech Crime Unit. In the end, the campaign was able to seize control of the servers and websites that Hive use to communicate with its members. The official statement notes that since June 2021, “the Hive ransomware group has targeted more than 1,500 victims and received over $100 million in ransom payments”.  

The DOJ charges the founder of the cryptocurrency exchange, Bitzlato, with “unlicensed money transmitting”. The platform is said to have processed more than $700 million for Hydra Market, the largest and longest-running darknet market in the world, which was shut down in 2022. The platform is said to have also attained over $15 million in ransomware proceeds. In the words of Deputy Attorney General Monaco, this is  “a significant blow to the cryptocrime ecosystem.”

Europol and Eurjoust supported cross-border investigation takes down call centers selling fake cryptocurrencies, luring victims to invest over EUR 2 million. The Operational Task Force included authorities from Bulgaria, Cyprus, Germany, and Serbia, who teamed up to question and arrest members of the criminal network, targeting victims across Germany. 15 arrests were made, while 3 hardware wallets (with an estimate of $1 million in cryptocurrency and EUR 50 000 in cash), 3 vehicles, electronic equipment, back-ups, and documentation were seized. 

Defendant, who was part of an over $3.5 million laundering scheme that defrauded over 900 Americans, is sentenced. The Romanian national is the 24th member of the criminal gang to be sentenced. The massive, years-long investigation also charged 28 other members, who were part of the fraudulent scheme. U.S. Attorney Carlton S. Shier IV for the Eastern District of Kentucky remarked, “Cybercrime is an increasingly prevalent means for criminals to prey on the public, causing victims, from across the United States, to lose millions of dollars. To continue to protect Americans against organized cybercrime, cooperation and coordination among law enforcement is essential.”

Canada’s largest pediatric health center, SickKids, restores 80% of the hospital’s priority systems, after a ransomware attack that took place in December. The attack affected various hospital tools and internal systems, including dictation services, pharmacy systems, access to diagnostic imaging results, SickKids’ intranet, and internal timekeeping platforms. The health center has been working with cybersecurity experts to remove the “Code Grey” and get their systems back up. Also in December, Lockbit, the ransomware gang behind the attack, issued a rare apology and offered a decryptor. The key’s authenticity and reliability are currently being assessed by cybersecurity experts.

FinTech Updates

British company NFT Investments takes swift precautions to freeze a hacker’s online wallet, containing $250,000 in stolen assets. The news comes after “a fraudulent phishing attack from an unknown external source” targeted the company.

FBI confirms that the Lazarus Group is behind the theft of $100 million in cryptocurrency, that affected Harmony’s Horizon bridge in June 2022.

New research finds that two Microsoft vulnerabilities are most often exploited to target the US financial sector. The two most exploited vulnerabilities, hence, are a seven-year-old Remote Code Execution (CVE-2015-1635) – exploited 900 times in November – and CVE-2021-31206 – exploited 700 times in November – affecting Microsoft Exchange Servers. Findings, conducted in November 2022, are based on public internet-facing assets from over 7 million IP addresses in the financial sector. 

Cybersecurity News Across The Globe

Want to find out more about how to make your cyber team more efficient? Here are our recommendations:

AMATAS will continue to monitor this space and deliver salient information regularly. 

Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website or by e-mailing

As always – be vigilant, stay alert, and think twice.

Related Articles

Scroll to Top