Monthly Breach Report: March 2022 Edition
Any hope that cyber attacks would slow down in 2022 was crushed in February, as attacks on a wide range of prominent organizations kept making the news. From cyber warfare against Ukraine to ransomware against an energy supplier and a massive leak at a global bank, here are some of the top incidents seen last month.
Russian Cybercriminal Group Continues the War Against Ukraine
For weeks before Russia invaded Ukraine, the Microsoft Threat Intelligence Center warned of a string of attacks on the websites of Ukrainian government, non-profit, and information technology organizations. In January, the center reported, government agency websites were hijacked and their content replaced with a statement that roughly translates to:
Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab (public, fairy tale and wait for the worst. It is for you for your past, the future and the future. For Volhynia, OUN UPA, Galicia, Poland and historical areas.
In February, as Russian forces massed at Ukraine’s border, a large Distributed Denial of Service (DDoS) attack hit the websites of the country’s military services and its two largest banks, Privatbank and Oschadbank, according to a report by The Record. The military’s sites were rendered inaccessible, and the banks’ mobile apps and online payment services could not be used.
Palo Alto Networks Unit 42 has identified the Russian advanced persistent threat (APT) group Primitive Bear, also known as Gamaredon, as one of the most persistent actors behind attacks on Ukrainian targets. Unit 42 has been tracking Primitive Bear since 2013 and reported earlier this year that it had “mapped out three clusters used in campaigns that link to over 700 malicious domains, 215 IP addresses, and a toolkit of over 100 malware samples,” according to ZDNet. In a recent blog post, Unit 42 noted that further mapping in mid-February uncovered hundreds more domains and new clusters. One of the group’s techniques is to find a target organization’s job board and submit a resume through its application platform; the resume is a malware-laden document, so the lure lands with the very staff whose job is to open attachments from strangers.
Primitive Bear targeted Ukraine throughout last year with the same tradecraft of weaponized .docx documents, says threat research group Anomali in a blog post. Delivered by phishing, the lures were legitimate .docx files laced with malware; the decoys were written mostly in Ukrainian and named specific individuals and entities, which made the infected documents look authentic. “The group likely procured them through illicit purchase or previous compromise,” said Anomali. Like Unit 42, Anomali has discovered “hundreds more Gamaredon-related domains, including known related-clusters, and also new clusters.”
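A legitimate document can be turned into a lure without touching its visible text: the OOXML package carries relationship files that tell Word to fetch an attached template or OLE object from an external location on open. The triage script below is an added example, not code from this article, Unit 42 or Anomali; it assumes the weaponized resume uses such an external relationship or an embedded VBA project, and the sample document and template URL it builds are constructed placeholders, not real indicators.

```python
"""Static triage of an OOXML (.docx) lure for off-box indicators.

Added example: not code from the article, Unit 42 or Anomali. It assumes
the weaponized resume uses a remote (attached) template or an external OLE
relationship to pull its payload, or carries a VBA project; the sample
document and the template URL below are constructed placeholders.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def scan_docx(data: bytes) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for anything that reaches outside the file.

    Flags an embedded VBA project and any relationship with TargetMode="External"
    other than a plain hyperlink (attachedTemplate, oleObject, frame, ... are all
    fetched by Word when the document is opened; a hyperlink needs a click).
    """
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings.append(("macro", name))
            if not lower.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel_type == "hyperlink":
                    continue
                findings.append((f"external-{rel_type}", f"{name} -> {rel.get('Target', '')}"))
    return findings


def _rels(*items: Tuple[str, str, str, bool]) -> str:
    """Serialize (Id, Type suffix, Target, external?) tuples into a .rels part."""
    body = "".join(
        f'<Relationship Id="{rid}" Type="{OFFICE_REL}/{rtype}" Target="{target}"'
        + (' TargetMode="External"' if external else "") + "/>"
        for rid, rtype, target, external in items
    )
    return f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">{body}</Relationships>'


def build_sample(template_url: Optional[str]) -> bytes:
    """Build a minimal .docx in memory; with template_url set it carries a remote attached template."""
    settings_rels = [("rId1", "attachedTemplate", template_url, True)] if template_url else []
    parts = [
        ("[Content_Types].xml", '<?xml version="1.0" encoding="UTF-8"?>'
         '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
         '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
         '<Default Extension="xml" ContentType="application/xml"/></Types>'),
        ("_rels/.rels", _rels(("rId1", "officeDocument", "word/document.xml", False))),
        ("word/document.xml", '<?xml version="1.0" encoding="UTF-8"?><w:document '
         'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
         "<w:body><w:p><w:r><w:t>Resume</w:t></w:r></w:p></w:body></w:document>"),
        # A hyperlink in the body is also External but is not auto-fetched, so it must not be flagged.
        ("word/_rels/document.xml.rels", _rels(("rId2", "hyperlink", "https://example.invalid/portfolio", True),
                                               ("rId3", "settings", "settings.xml", False))),
        ("word/settings.xml", '<?xml version="1.0" encoding="UTF-8"?><w:settings '
         'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>'),
        ("word/_rels/settings.xml.rels", _rels(*settings_rels)),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts:
            zf.writestr(name, xml)
    return buf.getvalue()


# Constructed samples: the URL is a placeholder, not a real Gamaredon indicator.
LURE = build_sample("http://example.invalid/templates/resume.dotm")
BENIGN = build_sample(None)

if __name__ == "__main__":
    for label, doc in (("lure", LURE), ("benign", BENIGN)):
        print(label, scan_docx(doc) or "clean")
```

Run it over a real attachment with `scan_docx(open("resume.docx", "rb").read())`; anything it reports should be treated as a reason to detonate the file in a sandbox rather than open it, since the visible text of the decoy tells you nothing about where the template or object is pulled from.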
BlackCat Attacks One of World’s Largest Energy Supply Companies
The BlackCat ransomware group has struck again. At the start of February, news broke that it had hit the German group Marquard & Bahls, one of the world’s largest energy supply companies. The attack disrupted the IT systems of the group’s oil storage subsidiary, Oiltanking, and its fuel distributor, Mabanaft. Oiltanking operates 13 terminals in Europe and provides customers such as Shell with oil storage and related services; Shell told Reuters it was rerouting supplies to other storage. The attack disrupted operations at about 200 gas stations in Germany. The company has not disclosed any ransom demand made by BlackCat.
The BlackCat ransomware gang, which emerged last November, is thought to be based in Russia and to include former members of the BlackMatter/DarkSide operation, the group blamed for last year’s attack on Colonial Pipeline Co. The ransomware group calls itself ALPHV, but researchers at MalwareHunterTeam named it BlackCat “because of the image of a black cat used on every victim’s Tor payment page.”
Private Video and Audio Meetings Exposed on Civicom’s B2B Conference Service
In February, New York-based Civicom, a B2B web conferencing and market research provider, was found to have left 8 terabytes of highly confidential customer data exposed to the public. The company, which also provides transcription services, mock jury trials, and virtual administrative assistance, has a client base that includes large international companies such as Thermo Fisher Scientific, CBS, and Ipsos. The exposed files, containing thousands of hours of recorded meetings and conversations as well as market research, were readable by anyone who found the storage location, with no credentials required.
The data was exposed through a misconfigured bucket on Amazon’s Simple Storage Service (S3), according to the security research team at Website Planet. The misconfiguration was the customer’s responsibility, not Amazon’s, Website Planet noted: under the shared-responsibility model the provider secures the storage service, while the customer decides who may read a given bucket. The researchers identified the problem on October 30, 2021, but Civicom did not close the exposure until January 26, 2022. The company told Website Planet that “there was no evidence that the S3 bucket was breached by bad actors while the vulnerability existed.” That statement only carries weight if S3 server access logging or CloudTrail data events were enabled for the bucket throughout the three-month window; neither is on by default, and without them there is simply no record to check.
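A bucket becomes public in one of two ways: a bucket policy that grants access to an anonymous principal, or an ACL grant to the predefined AllUsers or AuthenticatedUsers groups. The check below is an added example, not code from this article or from Website Planet; it evaluates both structures offline, the way S3 Block Public Access and IAM Access Analyzer reason about them, and shows the weak configuration beside the corrected one. The bucket name, account ID and role name are placeholders.

```python
"""Offline check of an S3 bucket policy and ACL for anonymous access.

Added example, not code from the article or from Website Planet. It asks the
question Block Public Access asks: does any grant reach AllUsers,
AuthenticatedUsers, or an anonymous ("*") principal? Bucket name, account ID
and role below are placeholders.
"""
from typing import Any, Dict, List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal: Any) -> bool:
    """'*' or {"AWS": "*"} (in any list form) means everyone, signed request or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy: Dict[str, Any]) -> List[str]:
    """Sids of Allow statements granted to everyone; conditional ones are marked for review."""
    hits: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid") or f"statement[{i}]"
        # A Condition (aws:SourceVpc, aws:Referer, ...) may or may not narrow access enough;
        # AWS treats some conditions as "not public", so a reviewer should read each one.
        hits.append(f"{sid} (conditional, review)" if stmt.get("Condition") else sid)
    return hits


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Grants to the predefined AllUsers / AuthenticatedUsers groups, as 'Group:Permission'."""
    hits: List[str] = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            hits.append(f"{grantee['URI'].rsplit('/', 1)[-1]}:{grant.get('Permission')}")
    return hits


# Constructed policies and ACLs for a hypothetical recordings bucket.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                      # anyone on the internet
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-meeting-recordings/*",
    }],
}
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "WorkerRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/transcription-worker"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-meeting-recordings/*",
    }],
}
OWNER = {"Type": "CanonicalUser", "ID": "0" * 64}
WEAK_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
FIXED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print("weak policy :", public_policy_statements(WEAK_POLICY))
    print("fixed policy:", public_policy_statements(FIXED_POLICY))
    print("weak acl    :", public_acl_grants(WEAK_ACL))
    print("fixed acl   :", public_acl_grants(FIXED_ACL))
```

The dictionaries have the same shape as the JSON returned by `aws s3api get-bucket-policy` (after decoding the `Policy` string) and `aws s3api get-bucket-acl`, so the two functions can be run over real output. The durable fix is not the tighter policy alone but turning on all four S3 Block Public Access settings at the account level, which makes public ACLs ineffective and rejects any new public policy regardless of what an individual team configures.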
Exposed data included:
- thousands of hours of video and audio recordings of private meetings and conversations
- written transcripts of those meetings
- employees’ full names and photos
Within these exposed meetings and transcripts, both trade secrets and intellectual property could have been leaked. “The content of the server suggests business espionage and sabotage is the number one risk factor for exposed Civicom clients,” said Website Planet in a blog post.
Information Leak Exposes Credit Suisse’s Possible Ties to Money Launderers and Drug Traffickers
A whistleblower from the bank Credit Suisse leaked data on $100 billion held by 18,000 clients from around the globe. The data was sent to the German newspaper Süddeutsche Zeitung. Close to 50 media organizations have been combing through the data for months, according to a report by BBC News. The investigations suggest that the international bank has long supported clients engaged in money laundering, torture, and drug and human trafficking.
The BBC reports the whistleblower leaked the records over a year ago, citing an objection to Swiss banking secrecy laws: “The pretext of protecting financial privacy is merely a fig leaf covering the shameful role of Swiss banks as collaborators of tax evaders.” The Guardian reports that the leak includes client information on individuals and entities such as:
- A human trafficker in the Philippines
- A Hong Kong stock exchange boss jailed for bribery
- A billionaire who ordered the murder of his Lebanese pop star girlfriend
- Executives who looted Venezuela’s state oil company
- Corrupt politicians from Egypt to Ukraine
- A Vatican-owned account used to spend €350 million in an allegedly fraudulent investment in London property that is at the center of an ongoing criminal trial of several defendants, including a cardinal
Credit Suisse has pushed back on the media’s conclusions drawn from the leak, stating, “. . . the accounts of these matters are based on partial, inaccurate, or selective information taken out of context.”
Keep your organization out of the breach headlines with comprehensive cybersecurity solutions from PKWARE. See it in action now by requesting your free personalized demo.