July Hacker Tracker
Welcome to the July 2023 Hacker Tracker, where we’ll provide a breakdown of the most high-profile cyberattacks in the past month. The zero-day attack on MOVEit Transfer tops the list this month. Carried out by a Russia-linked group, it’s affected major organizations across the globe—including the US Department of Energy. Read on to learn just how much damage this attack and others have caused.
MOVEit Transfer hacking spree
When it happened
June 15
What happened
Major organizations across the world fell victim to a worldwide hacking spree by Russia-linked extortion group Cl0p. Multiple US federal agencies (including the Department of Energy), Shell, Deutsche Bank, ING, and British Airways were among those targeted.
Method of attack
The attackers exploited a flaw in MOVEit Transfer, a file-transfer software tool often used to share sensitive information with partners or customers. The tool’s parent company, Progress Software, discovered this flaw shortly before the hacking spree but wasn’t able to patch it in time (they have now done so).
The fallout so far
The number of organizations targeted and their importance make this a severe cyberattack. The Cl0p group claimed that they won’t exploit government agency data, but few trust such assurances. Breach reports have already included organizations with sensitive health and financial data on individuals. Those affected will be scrambling to work out just how much of their sensitive data was exposed.
Polygon NFT Airdrop Fraud
When it happened
Ongoing
What happened
A recent phishing scam on the Polygon network, where fake NFT airdrops have been used to trick users, resulted in over $1.2 million in losses by crypto owners.
Method of attack
This scam operates by airdropping fraudulent NFTs that mimic real ones from well-known projects like Uniswap. Unsuspecting recipients of the fake NFTs are then lured into visiting phishing websites, where they are asked to provide their signatures. Those who do so essentially grant the scammers access to their accounts.
The fallout so far
The financial losses from this attack—$1.2 million—are significant, and over 300 victims have been affected. Moreover, experts have warned that the number affected is still growing. Attacks like these have become increasingly frequent, emphasizing the need for the crypto community to use more advanced anti-phishing measures.
Suncor
When it happened
Suncor disclosed the incident on June 25; the attack likely occurred shortly before this.
What happened
Suncor Energy was hit by a cyberattack, impacting roughly 1,500 Petro-Canada gas stations. The attack disrupted the company's payment and loyalty reward systems, forcing the stations to operate on a cash-only basis.
Method of attack
Suncor provided few details in its press release. However, given the extended downtime of payment systems, there’s reason to believe ransomware was used.
The fallout so far
While Suncor said that most gas stations can now accept card payments again, this cyberattack was damaging. One expert said that it’s likely to cost the company millions of dollars. Reportedly, the attackers may have been linked to the Russian state. If true, this has troubling implications for Canada’s energy security.
TSMC
When it happened
June 29
What happened
The Russia-linked LockBit ransomware gang carried out an attack against the Taiwan Semiconductor Manufacturing Company (TSMC). The group is demanding a ransom of $70 million from TSMC.
Method of attack
LockBit reportedly accessed TSMC's sensitive data by breaching the systems of a third-party IT supplier, Kinmax. They were able to gain access to network entry points and password data for TSMC, which they are threatening to leak if the ransom demands aren’t met.
The fallout so far
The picture is still unfolding, but this looks like a significant supply-chain attack. TSMC is the world’s largest contract chipmaker, and Kinimax has hinted they may not be their only customer affected by the breach. This means that other tech firms like Microsoft, Citrix, and Cisco could also have been compromised.
Des Moines
When it happened
Des Moines confirmed details of the attack on June 19, but it happened on January 9.
What happened
Iowa’s largest school district, Des Moines Public Schools, confirmed that a ransomware attack forced it to take its IT systems offline in January. They also confirmed that they chose not to pay the ransom demanded and that the hackers exposed sensitive data.
Method of attack
Des Moines hasn’t disclosed how the hackers gained access to their systems. However, ransomware attacks usually involve cybercriminals gaining access to an organization's network, encrypting important data, and demanding a ransom to restore the data.
The fallout so far
As well as causing significant disruption to students’ education—the district was forced to cancel all classes for several days—the attack exposed the personal data of nearly 6,700 individuals. This attack is yet another example of the ransomware attacks plaguing the American education sector. According to Emsisoft, there were 89 ransomware attacks on the US education sector in 2022.
Eisai
When it happened
June 3
What happened
Eisai, a major Japanese pharmaceutical company, saw its operations disrupted and a number of its servers encrypted due to a cyberattack. The company was forced to take many of its IT systems offline to prevent the ransomware from spreading further.
Method of attack
The cybercriminals used a form of ransomware to encrypt some of Eisai's servers. However, the exact vulnerabilities exploited to get into Eisai's networks aren’t yet known, nor is the identity of the group responsible.
The fallout so far
The attack caused substantial disruption to Eisai's operations, with several systems—including logistics systems—taken offline. It’s still unclear what data was stolen and what kind of ransom is being demanded. This is not the first time Eisai has been a cyberattack victim, likely increasing the negative reputational consequences. In December 2021, a now-defunct ransomware group called AtomSilo attacked the company and reportedly leaked their data online.
Mondelēz
When it happened
The attack occurred in February, but Mondelēz began notifying affected individuals on June 15.
What happened
The sensitive personal data of over 50,000 current and former employees of Mondelēz International, the makers of Oreos, was exposed by a cyberattack. The attack didn’t hit Mondelēz directly but targeted their law firm, Bryan Cave Leighton Paisner. The compromised data includes employee dates of birth, Social Security numbers, and home addresses.
Method of attack
The exact method of attack, or whether a ransom was demanded, hasn’t been disclosed by Mondelēz or Bryan Cave Leighton Paisner.
The fallout so far
While Mondelēz confirmed that its own systems were not affected by the incident, the breach of 50,000 individuals’ sensitive personal data is a major blow—especially for the victims now at risk of identity fraud. The breach at BCLP is part of a broader trend of cyberattacks targeting major law firms. As these same law firms are often hired to defend their clients against lawsuits over cyberattacks, the embarrassment for those breached is likely greater.
United Parcel Service
When it happened
The data exposure happened between February 2022 and April 2023; UPS disclosed it in June.
What happened
United Parcel Service (UPS) revealed that they accidentally enabled some customers' shipping information to be openly accessible and that these customers were then targeted by a phishing campaign.
Method of attack
The attackers exploited UPS's package look-up tools to access delivery details, including recipients' personal contact information. This information was then used to target customers with text messages impersonating various companies, including LEGO and Apple. The fraudulent messages demanded payment before the delivery of a package.
The fallout so far
It’s not clear how many customers were successfully targeted by these phishing attacks (although we know they were carried out worldwide). However, the messages were quite convincing, increasing the risk of people falling prey. UPS was also criticized for an initial lack of transparency.
LetMeSpy
When it happened
The company disclosed the breach on June 21.
What happened
A hacker managed to gain access to data held by LetMeSpy, an app used to monitor thousands of Android phone users worldwide (usually without their consent). The breach allowed the attacker to access email addresses, phone numbers, location data, call logs, and message content collected on user accounts going back as far as 2013.
Method of attack
It isn’t clear exactly how the hacker breached the app. However, after gaining access, they reportedly seized control over LetMeSpy's domain and later published a copy of the hacked database online. They may also have deleted databases stored on LetMeSpy’s server.
The fallout so far
This a violation of the privacy of thousands of victims, many of whom may already have been victims of domestic violence, stalking, or other forms of coercion that the use of spyware is commonly associated with. It appears that the LetMeSpy app is no longer functioning. The identity of LetMeSpy's developer, Rafal Lidwin, was also exposed. He previously remained anonymous, likely due to the potential legal risks associated with covert phone surveillance.
US Patent and Trademark Office
When it happened
From February 2020 to March 2023; it was disclosed on June 29.
What happened
The US Patent and Trademark Office (USPTO) admitted to accidentally leaking the private addresses of around 61,000 individuals who filed applications with them. These addresses were exposed in public records and in datasets published online to assist researchers.
Method of attack
This was not an attack as such, but a prolonged data spill from the agency itself. However, we know that it was caused by an issue with one of its APIs.
The fallout so far
The API error that caused the data leak has been resolved, and the agency stated there's no reason to believe data has been misused. However, it can’t be stated with certainty that those whose data was leaked haven’t been targeted in some way.
Other News
ChatGPT accounts for sale
Group-IB researchers found that credentials for over 100,000 hacked ChatGPT accounts were being sold on dark web marketplaces until May 2023.
Minecraft malware menace
Cybercriminals have embedded "Fracturizer" malware in Minecraft packages and plugins, which can steal personal data and players’ cryptocurrency.
Big rewards for Chrome exploits
Google is offering up to $300,000 to researchers who can find full-chain exploits in their Chrome browser.
Most wanted: Cl0p gang
The US State Department is offering a large reward of up to $10 million dollars for information locating or identifying members of the notorious Cl0p ransomware gang behind the recent MOVEit Transfer hack (reported above).
Criminals caught
- The US DoJ charged two Russians, Alexey Bilyuchenko and Aleksandr Verner, with laundering 647,000 Bitcoins stolen from the now-defunct Mt. Gox crypto exchange in 2011.
- UK hacker Joseph James O’Connor, known for the 2020 Twitter hack, was sentenced to five years in US prison for cyberstalking and SIM-swapping-related cryptocurrency theft.
- Europol's investigation into EncroChat allowed them to intercept over 115 million criminal conversations. This led to 6,558 arrests, the seizure of 900 million Euros, and the prevention of various major crimes.
- Nikita Kislitsin, former head of network security for a top Russian cybersecurity firm, was arrested in Kazakhstan due to longstanding US hacking charges.
Vulnerabilities fixed
- Jetpack - a critical vulnerability in the Jetpack plugin for WordPress has been patched, having gone unnoticed for over 10 years.
- Big tech patches - Apple, Microsoft, Google, and other major tech companies have fixed vulnerabilities recently.
Government news
- Under a new CISA directive, federal agencies have 14 days to respond to reports about misconfigured or Internet-exposed networking devices, including firewalls, routers, and load balancers.
- The NSA released a guide to defending against BlackLotus bootkit malware attacks. This is to ensure system administrators are better prepared against what is still a serious threat.
