Cyber Threat Report | September 2022


</Reports </ Cybersecurity </ Cybercrime </ News


While cybercriminals have been targeting critical infrastructures and businesses worldwide, cybersecurity is becoming a global priority. In just the past month, CISA and the FBI co-chaired the first meeting of the Joint Ransomware Task Force - a body “established by Congress to unify and strengthen efforts against the ongoing threat of ransomware”. On the other side of the Atlantic, the European Union has proposed new legislation - the Cyber Resilience Act - to “bolster cybersecurity rules to ensure more secure hardware and software products”. Both events play key roles in securing a safer digital environment.

The AMATAS Team’s September report details some of the biggest cybersecurity threats, attacks, and breaches, including:

  • The “biggest data breach” in Australia’s history
  • “Recycling” techniques: how former Conti members have been targeting Ukraine
  • “Teapotuberhacker” hacker attacks the ride-share company and Grand Theft Auto (GTA) creators

We’ll also highlight some of the biggest worldwide achievements, including the first-ever occurrence where cryptocurrency, stolen by North Korean hackers, was seized and the recently discovered key to decrypting LockerGoga.

Cybercrime Breaking News

Uber is currently investigating a cybersecurity incident with the help of the FBI, DOJ, and several leading digital forensics companies. In the middle of September, malicious actors reported to The New York Times that they accessed the company's network and had "images of emails, cloud storage, and code repositories". The ride-share company was able to trace the compromised account credentials of a contractor back to hackers, connected to the Lapsus$ extortion group. Similar attacks happened earlier this year, targeting Microsoft, Cisco, Samsung, Nvidia, and Okta

As well, in September, Rockstar Games was also targeted by the Lapsus$ group. Cybercriminals are confirmed to have breached the gaming giant's networks and stolen confidential data. The hacker, under the “teapotuberhacker” alias, has leaked between 50 - 90 minutes of early footage from the upcoming GTA 6. 

​​Anonymous hackers claim to have taken down Iranian government websites amidst protests following the death of Mahsa Amini. Other activities of the hackers, as detailed by CheckPoint, consist of “data leaking and selling, including officials' phone numbers and emails, and maps of sensitive locations”.

Optus, Australia's second-largest telecommunication company, is currently looking into how customer data may have been compromised after a data breach that occurred at the end of September with 10 million accounts (about 40% of the population)’s said to have been affected. The possibly exposed information may include "customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's license or passport number". Some experts claim that this may be the worst data breach in Australia’s history.

Cyberwar between Russia and Ukraine: Updates

Google's Threat Analysis Group (TAG)'s latest report notes how former Conti ransomware group members have been targeting Ukraine - repurposing tools and techniques previously developed by the group (e.g. AnchorMail, installed as a TrickBot module; impersonating Elon Musk's StarLink representatives, etc.). These activities seem to overlap with the CERT-UA tracked group UAC-0098, some members of which are believed to have been part of Conti. The detailed report provides insights into five different campaigns (between April - August 2022). TAG's analysis concludes by highlighting the rising cybercrime trend, where the lines between "financially motivated and government-backed groups in Eastern Europe" are being blurred. Thus, aligning malicious activities with supposed "regional geopolitical interests".

Cybersecurity Justice

A new decryptor for LockerGoga (or MegaCortex), the strain of ransomware behind the 2019 ransomware attack on Norsk Hydro, is unveiled. The tool is a result of a collaboration between cybersecurity company, Bitfinder, Europol, the Zürich Public Prosecutor’s Office, the Zürich Cantonal Police, and the NoMoreRansom Project.

Department of the Treasury’s Office of Foreign Assets Control (OFAC) unveils sanctions against ten individuals and two entities, who are said to have conducted various cyber crimes and are believed to be linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). They are said to have conducted ransomware attacks since 2020, targeting businesses and critical infrastructures, including hospitals, educational institutions, NGOs. The sanctions aim to bring about "a positive change in behavior". 

Law enforcement agencies and leading cryptocurrency organizations seized more than $30 million from cyber criminals, believed to be connected to the North Korean government. The stolen cryptocurrency is part of the $600 million pool stolen from Ronin in March. In an official statement, Chainalysis's senior director of investigations, Erin Plante, said “This marks the first time ever that cryptocurrency stolen by a North Korean hacking group has been seized, and we’re confident it won’t be the last. "

FinTech Updates

Founder and chief executive of cryptocurrency company, Wintermute, confirms that around $160 million were stolen from the platform by hackers.

BXH, DeFi cryptocurrency platform, was hacked twice in September, losing nearly $2.5 million and $40 000 during the attacks.

A breach believed to have exposed the data of a “small percent (0.16%)” of the more than 50 000 customers worldwide of the fintech startup, Revolut, occurred at the end of September.

Other Industry News

An FBI white notice warns of vulnerabilities that could impact the healthcare industry and "patients with mild to severe medical conditions". The report highlights the importance of patching medical devices, so that they are up-to-date with the latest software, and ensuring that the devices and healthcare centers have relevant security features installed (e.g. IAM, Managed Security Awareness Training, Vulnerability Management, etc.)

Ex-Twitter head of security, Peiter “Mudge” Zatko, testified before the US Senate Judiciary Committee that the platform is "misleading the public" as to how secure it claims to be. Zatko also stated that he believes user data is not adequately protected against potential cyber threats and attacks.

A Recorded Future report traces how three variants of malicious scripts have been infiltrating e-commerce websites' Google Tag Manager (GTM) containers in the past two years. The research reveals how hackers are abusing the function to steal payment card data and sensitive customer information. The GTM function is usually used by e-commerce websites for marketing, usage metrics, and customer analysis.

Read the full CISA and NSA "Open Radio Access Network Security Considerations" paper.

AMATAS will continue to monitor this space and deliver salient information regularly. 

Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website or by e-mailing

As always – be vigilant, stay alert, and think twice.


Ralitsa Kosturska in AMATAS