January 11, 2022

Monthly Breach Report: January 2022 Edition

Monthly Breach Report: January 2022 Edition

Cybercriminals don’t take holidays, and December 2021 only served as further proof of that. In fact, some research suggests that cyberattacks actually surge between the Christmas and New Years holidays, as both companies and individuals may have their guard down a little more than usual. Here’s how hackers took advantage to make December their own most wonderful time of the year.

Cyberattack Halts Utility Billing and Wipes out 25 Years of Data

Colorado electric utility Delta-Montrose Electric Association (DMEA) suffered a cyberattack on November 7 which halted customer billing for the 35,000-meter utility for over one month. DMEA officials expressed relief that the company’s electric grid was not affected and there was no breach of sensitive data in the company’s network. In a Nov. 29 update to its customers, the company stated the hack also resulted in a loss of 90 percent of its internal network functions, including phone and email systems, as well as the corruption of extensive customer billing data, “such as saved documents, spreadsheets, and forms.”

The company also reported it lost 25 years of historical billing data and is slowly rebuilding its network. The data loss highlights that “multiple redundancy of stored proprietary information is critical to ensure you meet or beat your recovery time objective,” notes online magazine UtilityDive. Electric utilities must engineer redundancy to avoid single points of failure and develop contingencies to minimize impact regardless of the nature of the incident, according to the Edison Electric Institute, a national association representing investor-owned utilities.

DMEA has not reported the attack as a ransomware incident, despite evidence to the contrary, according to CPO Magazine: “Ransomware attacks cause reputational damage to the victims, and many are hesitant to admit experiencing them. It will be interesting to learn the motive behind this attack if there are no ransom demands. Insider attacks motivated by revenge have had these hallmarks in the past.”


CG Energy Narrowly Avoids Russian Hacker Gang Attempt to Wipe out Electric Service to Millions

The notorious Russian hacker group Wizard Spider was recently thwarted within minutes of disrupting electric service to 3 million homes in Queensland, Australia. The attack targeted state-owned CS Energy’s two thermal coal plants and would have taken 3,500 megawatts of power off the electric grid, leaving millions in the dark. The company managed to stop the attack thanks to layers of separation and safeguards in its information communications technology (ICT) system. CEO Andrew Bills praised CS Energy’s IT team for quickly separating the corporate network from critical infrastructure, allowing for “continuity of power to Queenslanders.” As employees lost access to emails and other critical internal data, IT employees “quickly took further assertive action to physically separate the two environments.”

Active since 2016, Wizard Spider deploys a corpus of ransomware tools including Conti—which it used to gain initial access to CS Energy networks—TrickBot, Ryuk, and BazarLoader. The Australian Cyber Security Centre (ACSC) warns that Conti has targeted multiple Australian organizations since November. “Conti affiliates are known to implement the ‘double extortion’ technique by uploading stolen victim data obtained through the commission of the attack in part or full and threatening to sell and/or release additional information if their ransom demands are not met,” says the ACSC. As of press time, Conti has not leaked any CS Energy protected data.


T-Mobile Hacked for the Second Time in 2021

T-Mobile, the second largest mobile carrier in the US, suffered a small security breach in December, just months after a massive data attack last summer. This most recent leak is much less damaging than the August leak, which included nearly 50 million customers’ and prospective customers’ names, Social Security numbers, dates of birth, and drivers license numbers. Specific impacts of the December breach include one or both of the following:

  • A leak of CPNI – Data included billing account name, phone numbers, number of lines on the account, account numbers, and rate plan information.
  • SIMs swapped – The malicious actor changed the physical SIM card associated with customer phone numbers to obtain control of said number. This allowed access to the victim’s other online accounts being accessed via two-factor authentication codes sent to their phone number. T-Mo reports the SIM swap action has been reversed.

A 21-year-old American who claimed responsibility for the August attack told the Wall Street Journal that T-Mobile’s “security is awful.”  He boasted that after scanning T-Mobile’s known internet addresses for weak spots, he used an unprotected router to access millions of customer records. On August 4, after a week of scouring servers, the hacker lifted tens of millions of former and current customers’ data. One week later, the security research firm Unit221B LLC reported to T-Mobile that someone was reaching out to online criminals offering to sell T-Mobile customer data. As for the December attack, T-Mobile has not issued any information on the attackers or the full extent of the hack.


Hackers “Stop the Presses” of One of Norway’s Largest Media Companies

In December, cyber criminals literally stopped the presses of Amedia, one of Norway’s largest local news publishers. The company owns newspaper and magazine outlets in both Norway and Russia. Out of 100 newspapers, none of Amedia’s printed papers could go to press on Tuesday, December 28, for the next day’s editions. The hack also affected the company’s advertising and subscription systems, halting all new advertising and subscriptions. The company has assured the public that passwords, read history, and financial information has not been disclosed. It is unclear, however, if PII such as names, addresses, phone numbers, and subscription history of customers has been stolen.

The attack was but one of three carried out in a one-week period in Norway. The other two included:

  • On December 21, Nortura, Norway’s largest food producer, had its operating systems hacked, stopping, or slowing down most of its meat and egg production as well as stopping product deliveries
  • A Christmas Eve breach on the Nordland County Municipality’s network impacted school, clinic, and public transit systems. The minor attack temporarily affected some online public services.

As of press time, none of the companies have commented on who is to blame for recent attacks and there have been no reports of ransomware demands.


“Smart Contracts” Not So Smart: Hackers Steal $31M from Blockchain Startup

In December, a hacker stole $31 million in cryptocurrency from blockchain startup MonoX Finance by exploiting a bug in the software the company uses to draft its smart contracts. MonoX Finance is a decentralized finance (DeFi) platform that allows users to trade digital currency tokens without some of the requirements of traditional exchanges, namely “without the burden of capital requirements.” DeFi cuts out middlemen, such as banks and lawyers, from traditional financial transactions, like securing a loan. Customers use a digital wallet instead of keeping their money in a bank.

Instead of middlemen, companies like MonoX Finance use smart contracts, digital contracts stored on a public blockchain that are automatically executed when predetermined terms and conditions are met. Hackers used an accounting error built into the company’s smart contract software to inflate the price of the company’s MONO tokens and then cash out all the deposited tokens, to the tune of $31 million.

The hack points to a ubiquitous vulnerability in DeFi and smart contracts. Smart contracts work by following simple “if/when…then…” statements that are written into code on a blockchain. Cyber criminals have discovered that many developers do not define security properties for their code on a blockchain, leaving smart contracts vulnerable. NBC News reports that “21 percent of all hacks in 2021 took advantage of these [smart contract] code exploits.” The report notes that although there are third party firms that perform code audits and publicly designate which protocols are secure, many users still bypass this step. Overall, cryptocurrency theft rose 516 percent from 2020, to $3.2 billion worth of cryptocurrency taken overall. Of this total, 72 percent of stolen funds were taken from DeFi protocols.


Cyber Crime or Cyber Mistake? Password Manager Confuses Customers

LastPass, a popular password manager service, assures its users that there is no evidence of a data breach despite users receiving email notifications of unauthorized login attempts. The company initially blamed the notifications on credential stuffing, “fairly common bot-related activity, involving malicious attempts to log in to LastPass accounts using email addresses and passwords that bad actors sourced from past breaches of third-party services (i.e., not LastPass).” Soon after the emails went out, one customer posted in the Hacker News Forum, “LastPass blocked a login attempt from Brazil (it wasn’t me). According to an email I received from LastPass, this login was using the LastPass account’s master password. The email doesn’t look like it’s a phishing attempt.”

The company assured customers that none of their credentials were harvested by malware, rogue browser extensions, or phishing campaigns. The company did admit that after further investigation, some of the notifications were triggered in error by LastPass. But the company pointed to its use of a zero-knowledge security model, which means that LastPass does not store, have knowledge of, or have access to users’ Master Password(s). Although no data appears to have been breached, the incident is another reminder to fortify accounts with multifactor authentication.



Don’t let your business be in next month’s headlines. Protect your valuable data with the help of PK Protect. Request a personalized demo to find out how.

Share on social media
  • Data Breach Report: May 2024 Edition

    PKWARE May 29, 2024
  • Apr'24 Breach Report-01

    PKWARE April 17, 2024
  • Data Retention: Aligning Data Protection Strategies with Compliance Requirements

    Ben Meyers March 13, 2024
  • Data Breach Report: March 2024

    PKWARE March 8, 2024