Cyber Threat Report | April 2023

AMATAS’s April Cybersecurity report commences with Microsoft’s new threat actor naming. Discover the proposed taxonomy that should make it easier for security researchers to identify specific threats.

In other news, discover our new focus on AI, with Boris Goncharov, AMATAS Chief Strategy Officer. In his latest interview for Bulgaria’s Nova, he pinpoints:

“The genie is out of the bottle. ChatGPT is a completely ‘brutal’ technology. This AI doesn’t care for emotions, feelings, ethics, and other types of humanized categories and understandings of what is ethical and what isn’t. 

If we let things develop on their own, we need to consider what constitutes ethical AI behavior and what doesn’t. We need this framework. There are loads of hanging problems, which regulators have to determine.

But we can’t stop the AI. Let that be clear for everyone.” 

Within AMATAS’s April newsletter, discover more about:

  • UK’s Online Safety Bill and its implications for end-to-end encryption
  • Italy’s temporary ban on ChatGPT
  • Operation Cookie Monster and the take-down of GenesisMarket
  • Google’s legal actions against Cryptbot

Cybercrime Breaking News

Microsoft’s new threat actor naming taxonomy now uses weather-themed names. The purpose of the new taxonomy is to help customers understand threats “quickly and with clarity” and to give more context to security researchers, who already deal with an abundance of threat intelligence data.

The new threat names include:

  • Russia – Blizzard
  • North Korea – Sleet
  • China – Typhoon
  • Iran – Sandstorm
  • Lebanon – Rain
  • South Korea – Hail
  • Turkey – Dust
  • Vietnam – Cyclone
  • Groups in Development – Storm
  • Financially Motivated – Tempest
  • Private Sector Offensive Actor – Tsunami
  • Influence Operations – Flood

Microsoft Threat Intelligence noted in an official statement that this would help them “fully understand the what of an attack, make assessments on the why, then forecast and implement protections for where an attacker might go next. Our vision is that this new naming model helps our customers and the industry move to a more proactive approach to defense.”

The recent supply-chain attack on the network of 3CX (an enterprise phone company) is said to be attributed to North Korean hackers. Analysis of the attack found that it was perpetrated in a “Matryoshka-doll style”, where one software supply-chain attack led to another.

The UK is currently debating the Online Safety Bill, legislation that would ultimately remove harmful content but at the same time break end-to-end encryption. WhatsApp has issued a statement that it will withdraw its services from the UK if the Bill is passed. The service provider has also launched a new cryptographic security feature, Key Transparency, to increase trust in its infrastructure.

Security researchers find that the new Google two-factor authentication tool (Google Authenticator) isn’t end-to-end encrypted.

The Cybersecurity and Infrastructure Security Agency (CISA) adds three new vulnerabilities to its catalog, including ones in Google Chrome, MinIO (used for machine learning; this issue affects OpenAI’s ChatGPT), and PaperCut (a print management software tool). Microsoft Threat Intelligence believes that the threat actor Lace Tempest is exploiting the PaperCut vulnerabilities to deploy Clop ransomware.

An unauthorized third party gained access to the systems of Western Digital (a data storage company and SanDisk manufacturer).

CommScope, a network infrastructure provider, investigates claims of leaked stolen information after a ransomware attack. The ransomware group, Vice Society, added the company’s name to its leak site.

A cybersecurity incident may have exposed Toyota customers’ data. In an official statement, Toyota announced, “Toyota takes this case, and cybersecurity in general, very seriously. We are taking this opportunity to learn from the findings to further upgrade the robustness of our cybersecurity systems and protocols to prevent a recurrence of similar incidents.”

Cyberwar between Russia and Ukraine: Updates

The Ukrainian cyber police arrested a Ukrainian citizen for allegedly selling the personal information of more than 300 million citizens of Ukraine and other European countries to Russia.

An Estonian national is charged with “conspiracy and other charges related to procuring U.S.-made electronics on behalf of the Russian government and military”.

Cybersecurity and AI

CISA Director Jen Easterly spoke at the Atlantic Council about “the biggest issue that we’re going to deal with this century”, pinpointing popular AI tools like ChatGPT. “[AI is] the most powerful technology capability and maybe weapon of this century. We do not have the legal regimes or the regulatory regimes to be able to implement them safely and effectively. And we need to figure that out in the very near term,” noted Easterly.

Meanwhile, at the beginning of April, Italy temporarily banned the use of ChatGPT due to privacy concerns raised by the Italian data-protection authority (Garante per la Protezione dei Dati Personali). The Garante disclosed that “no information is provided to users and data subjects whose data are collected by Open AI. More importantly, there appears to be no legal basis underpinning the massive collection and processing of personal data in order to ‘train’ the algorithms on which the platform relies.” At the end of April, OpenAI met the Garante’s demands, and the ban on the chatbot in Italy was lifted.

Three Samsung employees leaked sensitive data to ChatGPT, including recorded meeting notes. To limit the extent of future data leaks, Samsung restricted ChatGPT prompts to a length of one kilobyte.

Cybersecurity Justice

The FBI, the Dutch National Police, and 17 other countries united for Operation Cookie Monster, which successfully took down GenesisMarket, a “one-stop-shop” behind millions of financially motivated cyber incidents. GenesisMarket was one of the largest global marketplaces for cyber fraud, dealing in stolen digital identities. Within 24 hours of taking down the platform, 119 arrests, 208 property searches, and 97 knock-and-talk measures were carried out. Operation Cookie Monster was coordinated from Europol. “Through the combined efforts of all the law enforcement authorities involved, we have severely disrupted the criminal cyber ecosystem by removing one of its key enablers,” noted Edvardas Šileris, Head of Europol’s European Cybercrime Centre. “With victims located across the globe, the strong relationships with our international partners were critical in the success of this case.”

Microsoft’s Digital Crimes Unit (DCU), Fortra (a cybersecurity software company), and the Health Information Sharing and Analysis Center (Health-ISAC) have taken both legal and technical action to “stop cybercriminals from abusing security tools”. In particular, the action targets “cracked, legacy copies of Cobalt Strike” (which have been used to target the healthcare industry) and “abused Microsoft software”. Cybercriminals have been using both to spread malware and ransomware. In a statement released by the DCU, the team noted that they “are committed to going after the cybercriminal’s illegal distribution methods.”

Google files a lawsuit against the distributors of Cryptbot, malware that has been targeting Google Chrome users and has infected around 670,000 computers in the past year alone. “This lawsuit targeting Cryptbot’s malware distributors shows our commitment to protecting users from each level of the cybercriminal ecosystem,” an official statement remarked.

The Department of Justice seized an estimated $112 million in virtual funds linked to investment scams. The six seized accounts were allegedly used to “launder proceeds of various cryptocurrency confidence scams”, in which scammers built long-term relationships with victims they met online, aiming to pressure them into investing in fake trading platforms.

Three Nigerian men are charged with “conspiracy to commit wire fraud and money laundering; wire fraud and money laundering charges related to a business email compromise scheme” which resulted in victims losing more than $6 million.

US federal indictments charge a representative of the North Korean Foreign Trade Bank for “his role in money laundering conspiracies designed to generate revenue for the Democratic People’s Republic of Korea, through the use of cryptocurrency”.

A Miami crew leader pleads guilty to “stealing millions of dollars’ worth of cryptocurrency and tricking banks into refunding the millions used to purchase that cryptocurrency.” The scheme aimed to defraud both US banks and a cryptocurrency exchange platform of over $4 million.

FinTech Updates

$23 million is stolen from a digital wallet on Bitrue, the cryptocurrency exchange platform.


AMATAS will continue to monitor this space and deliver salient information regularly. 

Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website, or by e-mailing

As always – be vigilant, stay alert, and think twice.
