The cyberattacks, happening as a result of the war between Russia and Ukraine, vastly affected the security within the digital space in the month of March 2022.
We saw a third malware attack since the beginning of the conflict targeting Ukraine - CaddyWiper - as well as various phishing attacks, impersonating Ukrainian aid organizations.
In other news, the Lapsus$ group has continued to target various organizations, including Globant, Okta, Microsoft, Samsung, and Ubisoft.
Within our newsletter, find out more about how the Justice Department charged four Russian government employees, who targeted worldwide energy organizations between 2012 and 2018.
March 2022 was a crucial month for cybersecurity professionals, with the ever-rising number of attacks on big organizations worldwide.
Thank you to all of our colleagues for your dedication and perseverance in making the digital space safer for everyone!
The war between Russia and Ukraine: Updates
CaddyWiper, discovered on the 14th of March, is the third wiper malware targeting Ukrainian governmental and financial organizations since the beginning of the war.
CaddyWiper follows HermeticWiper (covered in our February newsletter) and IsaacWiper, both deployed since the start of the war at the end of February, as well as WhisperGate in January.
The malware overwrites user data and partition information with null bytes, rendering the affected files and disks unrecoverable.
China, Iran, North Korea, and Russia-backed threat actors have spread various phishing campaigns using the invasion of Ukraine as a pretext.
One of the methods they have used is impersonating Ukrainian humanitarian relief organizations to solicit cryptocurrency donations.
Within the past month, they have targeted:
- European government representatives managing the logistics of Ukrainian refugees
- NATO entities
- Military organizations in Eastern European countries
Other developments in the conflict this month:
- Ukrtelecom, a major Ukrainian mobile and internet service provider, had its IT infrastructure disrupted by a cyberattack. Internet observatory NetBlocks reported that it saw "a collapse in connectivity to 13% of pre-war levels".
- Ukraine's SBU security service arrested a "hacker" who allegedly helped the Russian military send instructions via mobile phone to its troops in Ukraine.
- Russia-sponsored attackers exploited default multifactor authentication (MFA) protocols together with the PrintNightmare vulnerability to gain access to an NGO's cloud and email accounts.
- Russian demand for virtual private network (VPN) servers has spiked by 462% since the beginning of the conflict.
Cybercrime Breaking News
The last month has seen multiple attacks from the Lapsus$ data extortion group.
The latest news is that the FBI has asked the public for help in identifying individuals from the group, which claims to have stolen source code from US-based technology companies.
If you have any information about Lapsus$ actors, you can submit it on the official FBI website.
A timeline of the Lapsus$ group activities:
- At the end of the month, Lapsus$ leaked a 70GB file of "customer source code" on Telegram from software development company Globant.
- Microsoft confirmed that it had been breached by the Lapsus$ group, which released 37GB of source code stolen from Microsoft's Azure DevOps Server, linked to Microsoft's Bing and Cortana products.
- Okta, an identity and access management firm, confirmed that 2.5% of its customers' data was breached in January by a Lapsus$ attack. The actors gained access via remote desktop protocol by compromising Sitel's systems. An official statement from Okta apologizes to the 366 Okta customers who may have had their "data viewed or acted upon".
- Lapsus$ agents claim to have stolen 1 TB of data and leaked 20 GB from NVIDIA.
- At the beginning of the month, the group leaked 190 GB from Samsung, which Samsung officials claim involves “source code relating to the operations of Galaxy devices.”
- Other security breaches targeted Vodafone and Ubisoft.
Cybersecurity management is becoming an integral part of protecting global companies against similar threats and attacks.
Find out six reasons why it could be beneficial for your organization to outsource its cybersecurity management.
- The Justice Department charged four Russian government officials over two past hacking campaigns. The campaigns took place between 2012 and 2018 and targeted oil refineries, nuclear facilities, and energy companies worldwide. Victims include a nuclear power plant in Kansas and a petrochemical facility in Saudi Arabia. Read the full press release by the DOJ.
- The "Strengthening American Cybersecurity Act" was passed at the beginning of the month. It obliges critical infrastructure organizations to report cyberattacks to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and to alert CISA within 24 hours if they make a ransomware payment.
- The European Commission and the United States have committed to a new Trans-Atlantic Data Privacy Framework for the transfer of data between the EU and the US. Find out more in the official White House statement.
Other Sector News
- Distributed denial-of-service (DDoS) attacks targeted Israeli government websites in what was described as the largest cyberattack against Israel.
- Greece's national postal service, ELTA, is restoring systems after a ransomware attack that took place at the end of March.
- The FBI warned about the RagnarLocker ransomware group, which since the beginning of 2022 has targeted at least 52 entities across 10 critical infrastructure sectors, including critical manufacturing, energy, financial services, government, and information technology.
- Romanian petrol supplier Rompetrol confirmed it was targeted by the Hive ransomware group and had to suspend its website and Fill&Go services for a limited time.
- Researchers warned about a new vulnerability, Spring4Shell, that could allow remote code execution on affected hosts.
- President Biden's new executive order is to "ensure responsible innovation in digital assets" and to unify federal agencies' counter-ransomware approach within the cryptocurrency sector.
- A HubSpot breach compromised data of around 30 crypto companies, including BlockFi, Swan Bitcoin, and NYDIG.
- In one of the biggest decentralized finance (DeFi) attacks to date, hackers stole $600 million worth of Ethereum and $25.5 million of the US dollar-pegged stablecoin USDC from the Ronin Network.
AMATAS will continue to monitor this space and deliver salient information regularly.
Stay tuned for our next report, and if you are interested in any of our privacy and cybersecurity services, please reach out through our website (Fully Managed Cybersecurity Services | AMATAS) or by e-mailing email@example.com.
As always – be vigilant, stay alert, and think twice.