High-profile ransomware attacks dominated 2022’s headlines. Patrick O'Connor explores 2023’s biggest cyber attacks and lessons we can all learn.

‘Prediction is very difficult, especially if it’s about the future,’ said Niels Bohr, the father of the atomic model and a Nobel Laureate.

When it comes to cyber security and predicting where and how attackers might strike next, Bohr’s words likely hold true. But, by looking back at the biggest cyber attacks of 2022 and 2021’s most dangerous cyber attacks, we can at least look for patterns and trends which might foretell how criminals could attack in 2023.

As you read on we’ll document the biggest and most famous cyber attacks of 2023 as they happen. We’ll offer some technical analysis, insight and, where possible, explore lessons that can be learned.

The Guardian cyber attack

On 20 December 2022, The Guardian newspaper in the UK was the subject of a ransomware attack. The immediate effect was to cause the company to ask staff to work remotely while internal systems were disconnected and triaged.

Even systems from the internal staff communication tools to the tills in the staff canteen were affected. Although the newspaper's print version appeared unaffected, insiders have since admitted that it was a close thing and required resorting to manual procedures in some cases.

As is customary in such circumstances, the initial announcement of the issue mentioned a ‘highly sophisticated cyber-attack involving unauthorised third-party access to parts of our network.’ We should reserve judgment on the level of sophistication until full details are published.

In truth, most intrusions result from human error, misconfigurations, phishing, or social engineering. This is then followed up with off-the-shelf malware packages or ransomware-as-a-service.

In this case, the organisation employed to investigate, KnowBe4, has identified that email phishing was the initial attack vector. It is understood that some staff information was accessed, perhaps as an inducement to pay whatever ransom was demanded, but details are still unavailable. It can be confirmed that The Guardian complied with the requirement to inform the UK Information Commissioner’s Office (ICO) within the required 72-hour window.

Toronto SickKids

Also, on 20 December 2022, the Hospital for Sick Children (SickKids) in Toronto announced a ‘code grey’, which meant that it had experienced one or more system failures. This turned out to be another ransomware attack.

This attack is unique because the provider of the ransomware-as-a-service infrastructure, the LockBit Group, has publicly apologised for the attack. It blames one of its ‘partners’, a euphemism for a customer of its ransomware-as-a-service offering. LockBit has also provided unlock codes for the scrambled data. While this behaviour is unique, it is not entirely unexpected. Last year several dark web forums banned ransomware groups, fearing that their crimes would bring unwelcome attention from the FBI, NSA and Secret Service. Fortunately, the incident appears to have been contained to only a few internal systems, some phone lines and web pages.

It seems that the hospital’s systems weren’t all networked, preventing a worse incident from occurring. US authorities have estimated that LockBit has made more than $100 million through its ransomware activities, and clearly, they wish to preserve their business model and avoid close attention. It is not yet clear what effects the disruption will have to care, scheduled treatments and any impaired diagnostic capability for patients. Unfortunately, over 400 healthcare facilities have experienced cyber attacks since 2020. It is also often the case that their IT systems have below-par security.

FAA incident

The US grounded all flights following issues with a critical system operated by the Federal Aviation Administration (FAA) on 11 January 2023. Such was the level of disruption to air travel across the US that Transportation Secretary Pete Buttigieg was forced to consider the possibility that it was a result of a cyber-attack. To date, there is no evidence that this was the case. The FBI is investigating, but the fact that a cyber attack is considered a real possibility demonstrates the fragility of much of the western world’s critical infrastructure. It fuels a growing realisation that previously considered ‘nightmare scenarios’ may happen.

Retired Admiral James Stavridis commented: “The national airline stoppage may or may not be a cyber attack, but even if it is not, it certainly shows us what one could look like. Good wake-up call.”

John Hultquist, a former U.S. intelligence analyst now with private intelligence firm Mandiant, did not believe that the incident was a cyber attack but cautioned: “If you're looking for cybersecurity angles, I think it's this. We live in an increasingly complex, interdependent system prone to unforeseen consequences and cascading failures.”

Cloud exploitation

With so many businesses appreciating the flexible benefits of cloud deployment, cloud providers have grown significantly in the past five years. However, all that computing resource has also attracted criminals who seek to exploit these vast oceans of processing power for their own ends. To entice potential customers, cloud providers often offer free periods to verify their functionality.

Criminal groups seek to profit by using such free offers to mine cryptocurrencies. This is often called ‘free jacking’ as groups will often sign up with fake IDs and stolen credit cards, enabling them to continue past the free period and ramp up their operation until the first bill becomes due or their stolen credit card becomes useless.

Also, since often these trials are for short periods, the groups employ quite sophisticated continuous integration/continuous deployment (CI/CD) techniques along with containerisation and other popular DevOps techniques with automation to the fore.

Unit 42, the Palo Alto Networks cyber investigation and research arm, uses the term ‘Play and Run’ for this activity. It has done some exciting research on one group involved, Automated Libra, a South Africa-based group behind a campaign called PurpleUrchin. Unit 42 reports that this single group created over 130,000 accounts on various cloud providers using automation during its campaign, which at its peak in November 2022 was creating three to five GitHub accounts every minute. It was also discovered that Automated Libra was using basic image analysis techniques to bypass the Captcha in these cloud provider systems. Unit 42 identified GitHub as a favourite of the group as it was easier to create multiple accounts there, and its Captcha implementation was susceptible to image analysis attacks.

The Unit 42 investigation was published in January 2023. It traced Automated Libra activities back to 2019. They spread their movement across several cloud providers and crypto exchanges using 40 wallets and seven cryptocurrencies.

It was also discovered that the group was using CI/CD to continually refine the speed of account creation on each platform, improve its Captcha bypass, and find ways to increase the CPU time it could consume on each platform before discovery.

Password managers are safe, right?

Password manager LastPass disclosed a breach in August 2022. That disclosure revealed that an intruder had access to archive data held on a third-party cloud region. Later, in a blog post from CEO Karim Toubba, it was also admitted that data obtained from the initial attack was used to compromise another employee. Credentials and keys were stolen, enabling access to encrypted data on the third-party cloud region. While LastPass is at pains to stress that the security of a customer’s password data depends on their master password, which LastPass does not have access to, it remains the case that with access to a customer’s encrypted password vault, an attacker could attempt to brute force it offline. Success would depend on the strength of the master password selected by the user. Unfortunately, history and experience tell us that many master passwords are likely to be sub-optimal and liable to attack.

An unverified Tweet, quoted in Bruce Schneier’s Crypto-Gram newsletter, stated: ‘I think the situation at @LastPass may be worse than they are letting on. On Sunday, the 18th, four of my wallets were compromised. The losses are not significant. Their seeds were encrypted in my LastPass vault, behind a 16-character password using all character types.’

No firm conclusions can be drawn from this now as the Tweet is unverified, and the quoted 16-character password could be trivial, but it could also imply that LastPass’ systems are compromised in some way we’re not fully aware of. So no cause for immediate alarm, but another warning about the use of cloud resources. In the case of highly sensitive data, it is still safer to retain it in a personal computer, over which you have complete control, rather than entrusting it to a cloud provider or essentially ‘someone else’s computer’ over which you have limited or no actual control.

Royal Mail ransomware attack

It began in November of last year when the Emotet malware was detected on Royal Mail servers. Then in early January 2023, Royal Mail was subject to a ransomware attack by an affiliate using LockBit Ransomware-as-a-Service (RaaS). This attack affected a distribution centre near Belfast, Northern Ireland, where the printers began printing the ransomware gang’s demands.

The attack mainly affected international deliveries, and early advice was to use alternate carriers. The UK government declared Royal Mail part of the nation’s Critical National Infrastructure (CNI), so the National Cyber Security Centre (NCSC) and other UK agencies will likely become involved early.

Most LockBit users or affiliates will both encrypt data on the target servers and exfiltrate it so that they have two extortion levers. It is assumed that this happened with Royal Mail, although credible information is still sketchy.

Most information has been gleaned by checking the LockBit dark websites and forums where victims need to make payments or receive instructions.

Those behind the LockBit ransomware infrastructure approach their business like any in the legitimate community. They offer special promotions, advise customers on cyber security to avoid capture, and recently announced a significant new version of their software, LockBit 3.0.

Investigations will continue, but attribution and eventual capture for these attacks can be complicated and require significant resources, workforce and time to reach a successful conclusion.

Royal Mail published an updated statement on their progress towards restoring all services on 6 February. They have almost restored all services but continue to work towards a full recovery.

Hive ransomware gang infiltrated and shutdown (for now)

The FBI proudly announced that it had won against the gang using the Hive ransomware. This was a successful international effort (as all these investigations must be) involving authorities from Germany, the Netherlands, the UK’s NCA, Europol and likely others, alongside the FBI. Because the Hive ransomware, around since 2021, is offered as ransomware-as-a-service (RaaS), it is difficult to determine who is behind its development and infrastructure. Those leasing the RaaS, called affiliates, used the standard double-extortion method: encrypting the data locally and also exfiltrating it so they could threaten to publish it while demanding money for decryption. The classic split of profits is 80% to the affiliates and 20% to the RaaS providers.

According to Europol, this ransomware has been used to attack more than 1,500 companies in more than 80 countries worldwide.

Estimated losses to these companies total around $107 million.

The infiltration of the Hive infrastructure by authorities took place in mid-2022. They also collected decryption keys from the Hive servers as they gathered evidence, and were able to prevent at least $120 million from being paid to the attackers before shutting down the operation. It surprised the authorities to discover that the servers hosting the RaaS were located in California.

While this undoubtedly reflects success in the battle against such gangs, there have been no arrests. It will surely take little time for the gang to re-emerge with a new infrastructure.

MOVEit

As we know, cyber crime groups are always on the lookout for new avenues of attack. Phishing and other means of credential theft remain the most popular — but supply chain attacks, where the identified weakness is a peripheral part of the organisation’s main activity, can be insidious and highly effective. What more tempting target for a cyber criminal than software that manages secure movement of files?

The MOVEit software, marketed by Progress Software Corporation, was exploited in this way. The Russia-linked Cl0p ransomware group (also known as TA505) claimed responsibility. The American Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on June 7th, in which it describes how the Cl0p group exploited ‘CVE-2023-34362’, a previously known SQL injection vulnerability. This meant that internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases.

Information varies on the exact number of organisations affected by the MOVEit exploit as victims are still being uncovered. Some reports now put the total at over 2000 organisations, affecting more than 60 million individuals. Concerted efforts from Progress and others meant the issue was patched by mid-June.

Caesars Scattered Spider attack

Caesars Entertainment, the self-proclaimed ‘largest U.S. casino chain with the most extensive loyalty program in the industry’ had its database of loyalty customers stolen. The problem was noticed on September 7th and Caesars immediately filed form 8-K with the US Securities and Exchange Commission to report the attack. Caesars also stated, ‘We have no evidence to date that any member passwords/PINs, bank account information, or payment card information (PCI) were acquired by the unauthorized actor.’

It also appears that Caesars paid a ransom of around $15 million to avoid publication of the stolen data. The ransomware gang had originally asked for $30 million. Bloomberg later reported that the breach was by Scattered Spider, a cybercrime group also known as Roasted 0ktapus and UNC3944. Caesars later published more details describing that the breach occurred through social engineering on an outsourced vendor used by the company. Having paid the ransom, Caesars cannot guarantee to their loyalty customers that their data is not at risk and are now scanning darknet sites, promising to alert customers if their data is discovered and offering complimentary giveaways and free services to customers to protect their data in the future.

Microsoft Storm-0558

Microsoft has described how Storm-0558, a Chinese hacking group, obtained a Microsoft account (MSA) consumer key which enabled it to forge tokens that allowed them to access OWA and Outlook.com accounts from around 25 organisations.

They acknowledge that this group is almost certainly state-sponsored and has espionage as the goal. It seems the problem was first brought to Microsoft’s attention on June 16th by a customer who noticed unusual access to Exchange Online.


The attacker was forging Azure AD tokens using the MSA consumer key. Once this was discovered, all active MSA keys were invalidated. It is known that a number of US Government departments were affected by this exploit, but neither Microsoft nor the US Government has released any further details. It is also not confirmed how long the attackers had access before the breach was accidentally uncovered.

More recently security researchers at Wiz have shown how the forged tokens could have been used to exploit other Microsoft services, including SharePoint, Teams, OneDrive, and other customers’ applications that support the “login with Microsoft” functionality, plus multi-tenant applications in certain conditions.

The Wiz analysis has been checked by experts, including former NSA technicians, but Microsoft remains convinced that only Outlook.com and Exchange Online were affected. Perhaps more will emerge over time.
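As an added illustration (not code from the article, from Microsoft or from Wiz), the following Python sketch shows the class of validation gap described above: a token verifier that trusts any key in a merged key set, beside one that also checks the signing key is bound to the issuer the token claims. HMAC secrets, key ids and issuer URLs are constructed stand-ins for the real asymmetric signing keys.

```python
import base64
import hashlib
import hmac
import json
import time

CONSUMER_ISS = "https://login.consumer.example"      # constructed stand-in for the MSA issuer
ENTERPRISE_ISS = "https://login.enterprise.example"  # constructed stand-in for an Azure AD tenant

# Constructed demo keys. Real signing keys are asymmetric; HMAC secrets stand
# in so the example runs offline. Each key records which issuer may use it.
KEYS = {
    "msa-key-1": {"secret": b"consumer-demo-secret", "issuers": {CONSUMER_ISS}},
    "aad-key-1": {"secret": b"enterprise-demo-secret", "issuers": {ENTERPRISE_ISS}},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, kid: str) -> str:
    """Mint a compact HS256-style token with the named demo key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(mac)

def _checked_claims(token: str):
    """Return (kid, claims) if the signature verifies under the header's kid, else None."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    kid = json.loads(_unb64(head_b64)).get("kid")
    key = KEYS.get(kid)
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return None
    return kid, json.loads(_unb64(claims_b64))

def verify_weak(token: str, expected_iss: str):
    """Flawed verifier: any key in the merged key set is trusted for any issuer."""
    result = _checked_claims(token)
    if result is None:
        return None
    _, claims = result
    if claims.get("iss") != expected_iss or claims.get("exp", 0) < time.time():
        return None
    return claims

def verify_strict(token: str, expected_iss: str):
    """Hardened verifier: the signing key must also be one bound to the expected issuer."""
    result = _checked_claims(token)
    if result is None:
        return None
    kid, claims = result
    if expected_iss not in KEYS[kid]["issuers"]:
        return None  # a consumer key presented for an enterprise token is rejected here
    if claims.get("iss") != expected_iss or claims.get("exp", 0) < time.time():
        return None
    return claims

def forged_token_demo() -> dict:
    """A token claiming the enterprise issuer but signed with the consumer key, run through both verifiers."""
    claims = {"iss": ENTERPRISE_ISS, "sub": "user@enterprise.example", "exp": int(time.time()) + 3600}
    forged = sign(claims, "msa-key-1")   # what a holder of the consumer key could mint
    legit = sign(claims, "aad-key-1")
    return {
        "weak_accepts_forged": verify_weak(forged, ENTERPRISE_ISS) is not None,
        "strict_accepts_forged": verify_strict(forged, ENTERPRISE_ISS) is not None,
        "strict_accepts_legit": verify_strict(legit, ENTERPRISE_ISS) is not None,
    }
```

The point for defenders is the key-to-issuer binding: a valid signature alone says nothing about whether that key was ever authorised to vouch for the claimed tenant.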

The UK Electoral Commission

On 8 August 2023 the UK Electoral Commission issued a public notification that its database had been breached and the personal data of approximately 40 million people exposed. The incident was identified in October 2022.

Amongst the possible data exposed, the Commission lists:

  • Personal data contained in email system:
    • Name, first name and surname
    • Email addresses (personal and/or business)
    • Home address if included in a webform or email
    • Contact telephone number (personal and/or business)
    • Content of the webform and email that may contain personal data
    • Any personal images sent to the Commission
  • Personal data contained in Electoral Register entries:
    • Name, first name and surname
    • Home address in register entries
    • Date on which a person achieves voting age that year

The Commission first described the attack as ‘a complex cyber-attack’ but as we have seen repeatedly this is often the preferred wording to minimise any blame attaching to the organisation exploited. In this case a whistleblower informed the BBC that the Commission had failed a Cyber Essentials audit at around the time of the breach. Security researchers uncovered an unpatched Microsoft Exchange Server, vulnerable to the ProxyNotShell attack at the time of the intrusion.

The Cyber Essentials scheme is a government-backed programme run in conjunction with the National Cyber Security Centre (NCSC) which simplifies basic security to five controls to enable easy adoption by organisations. It provides a level of security that all organisations should have as an absolute minimum. As of August 2023, the Commission confirmed that it had still not passed.

Indonesian Immigration Directorate General

In July the passport records of a reported 34 million Indonesian citizens were stolen from the Indonesian Immigration Directorate General. The theft, according to security researcher Teguh Aprianto, was perpetrated by a hacktivist called Bjorka. Unusually for a hacktivist incident, the data is apparently up for sale for $10,000 on the dark web. The data contains full names, genders, passport numbers, dates of issue, expiry dates and dates of birth.

Of course, this is important data for identity theft and the country is bracing itself for the inevitable rash of scams. The communications ministry has urged all data processors to abide by the provisions of the Personal Data Protection (PDP) law passed in October 2022.

Indonesia has reported more than 90 data breaches in 4 years and the National Cyber Security Index (NCSI), a measure of a state’s cyber security readiness in comparison to other states, places them a lowly 84th.

23andMe Data Leak

In early October 2023 the genetic testing company 23andMe disclosed that data on potentially millions of its customers had leaked. This data has been found on the BreachForums site, but it was not exfiltrated through a system intrusion in the accepted sense. Initial access was gained to a number of legitimate accounts on the 23andMe system through credential stuffing attacks (where credentials leaked from one site are tried on others). Data on other individuals was then collected using an option on the site to search for ‘DNA Relatives’.

Significantly, the 23andMe site contains considerable amounts of DNA data on Ashkenazi Jews, and hundreds of thousands of Chinese people too.

Whoever is responsible for collecting the data has begun attempting to sell it online. They are charging $1 to $10 per account, which contains data such as name, sex, birth year and some details about genetic history. It does not seem that raw DNA data has been leaked.

While this recent data leak is neither a serious nor a novel intrusion from a technical standpoint, nor a massive data leak in sheer volume, it is significant as it indicates that companies keeping sensitive data like DNA profiles could become focused targets in the future.

Brett Callow, a threat analyst at Emsisoft, says, ‘this incident really highlights the risks associated with DNA databases. The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.’

DarkBeam

In mid-September, a security hole was noticed at DarkBeam, a cyber risk protection company. It seems an Elasticsearch and Kibana interface was left open, exposing user email and password pairs from both previously declared and undeclared intrusions. The issue was first spotted by Bob Diachenko, CEO of SecurityDiscovery, who believes that more than 3.8 billion records were exposed. Needless to say the issue was immediately dealt with, but it is not known if any bad actors noticed the problem before Diachenko.

If this data has been lifted by criminals it could provide a huge trove of nicely organised data to form the basis of an enormous phishing campaign. The potential loss of data such as this should remind us to frequently check whether any of our accounts have been compromised by using services such as https://haveibeenpwned.com/
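The credential stuffing at 23andMe and the haveibeenpwned recommendation above both come down to screening credentials against known breach corpora. As an added example, not code from the article, here is the k-anonymity lookup used by the Pwned Passwords range API (https://api.pwnedpasswords.com/range/): only the first five hex characters of the password’s SHA-1 leave the machine, and matching is done locally. The sample range response is constructed for the offline demonstration; the live lookup function is included but not exercised.

```python
import hashlib
import urllib.request
from typing import Callable

RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6: each line is
# "<35-hex-char suffix>:<count>". The first suffix is the genuine SHA-1
# remainder of "password"; the count and the other two lines are made up.
# Count-0 lines mirror the padding the service adds when asked for it.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:0",
])

def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict:
    """Parse a range response into {suffix: count}; blank and padding (count 0) lines are tolerated."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, lookup: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not found). Only the prefix is passed to lookup."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(lookup(prefix)).get(suffix, 0)

def live_lookup(prefix: str) -> str:
    """Real lookup against the range endpoint (needs network; not used by the offline demo)."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def offline_lookup(prefix: str) -> str:
    """Constructed stand-in for live_lookup that serves the sample response for one prefix only."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
```

A registration or password-change flow that rejects any candidate with a non-zero count is the standard defence against the reuse that credential stuffing relies on.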

While this ‘incident’ may amount to no threat at all, it serves as a reminder. All companies collecting large amounts of user data must continually monitor and tighten their security. We, as individuals, can try to protect our data and use good OPSEC habits, like different passwords for each site, but we do rely on companies to do their utmost to look after our personal information. Whilst it is trivial to change passwords, other personal data such as name, address, tax ID, social security number (US), National Insurance number (UK), bank account details, age, sex and medical data can be difficult if not impossible to change. Identity theft is only likely to become more of an issue for more people as the sheer volume of data circulating on the dark web continues to increase and that data is mined to associate it with individuals.

Summary

As 2023 draws to a close, is there anything we can learn from a cyber security perspective?

Once the dust settles on the year and figures emerge, usually in the first quarter of the following year, they will likely show that familiar trends continue. Ransomware is still the principal moneymaking activity for cyber criminals. This means all the advice around system backups, maintaining fully patched software, educating the workforce to recognise social engineering in all its forms and a fundamentally security-focused outlook is still of vital importance.

Phishing and other forms of social engineering are still the most likely initial points of entry for bad actors. The increasing use of machine learning (or artificial intelligence if you prefer) to spot suspicious activity is a welcome advance and these systems continue to improve.

Reviewing third-party providers of software or services should also be both a priority and an ongoing process. The MOVEit breaches and others like it should make this obvious.

Reviewing your company’s protocols for dealing with not only a basic security breach but a full-blown ransomware attack should be a priority. Reporting or disclosure procedures, involvement of insurance companies, and facilities for emergency assistance for triage or complete forensic investigations should all be documented and understood by frontline staff.

As with any emergency, speed and understanding what immediate actions to take — and what not to do — to preserve evidence, could make the difference between a quickly contained breach and a lengthy struggle with untold consequences, both financial and reputational.

Enjoy the mysteries of the technological age? You can find Patrick O’Connor’s new book Bisentient here.