header image

Cyber Intelligence Briefing: 25 March 2022

Roddy Priestley, Kyle Schwaeble 25 March 2022
25 March 2022    Roddy Priestley, Kyle Schwaeble


Today's fast-changing threat landscape puts increased pressure on companies to make the right investment choices and improve their cyber resilience. For this report, S-RM surveyed 600 senior leaders and IT decision makers to discover which cyber investment areas provide the best value for money and what savings result from investing in cyber security.

Download Report

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

top NEWS stories this week

  1. Microsoft and Okta breached. Lapsus$ continues its explosive work and the leader is seemingly exposed.

  2. Government warnings. The US and UK governments warn of retaliatory Russian cyber attacks.

  3. Major Russian meat processor gets a grilling. More collateral amid the Russia/Ukraine hybrid war.

  4. London leak. Personal data of 43,000 Londoners leaked.

  5. TransUnion attack. South African branch of credit reporting agency division hit with ransomware.

  6. Facestealer trojan. A new piece of Android malware infects over 100,000 devices.

1. Microsoft and Okta breached

Hacking group Lapsus$ has quickly established itself as a key player in the cyber threat landscape following attacks against several high-profile victims, including Impresa, Nvidia, Samsung, Vodafone, and Ubisoft.

This week, two additional victims were added to the group’s list:

  • Lapsus$ claimed to have breached a Microsoft repository and published 37 GB of data containing the source code of over 250 Microsoft projects, including Bing and Cortana, as well as code-signing certificates. Other threat actors may now examine this source code to identify vulnerabilities, and code-signing certificates may be used to disguise malware as legitimate. Microsoft has since confirmed the breach.
  • The threat group also claimed to have obtained administrative level access across various systems belonging to Okta, an identity and access management company that provides software solutions such as single sign-on and multi-factor authentication. Okta’s Chief Security Officer later confirmed the incident and stated that “approximately 2.5 percent” of Okta’s customers may have had their data “viewed or acted upon”.

However, with all this noise, researchers investigating the Lapsus$ attacks have seemingly been able to identify the leader of the group: a teenager living with his mother in Oxford, England. However, law enforcement is yet to make any arrests in connection with Lapsus$.



Lapsus$ has been prolific since the start of this year. Because of their high-profile victims and boastful approach, we assess it unlikely that the group will operate for much longer. However, Lapsus$ remains a threat alongside other extortionist groups. Organisations should employ data loss prevention solutions, ensure employees are trained to identify social engineering and phishing attempts, and confirm that backups are isolated, secure, and tested.



2. Increased threat of Russian cyber attack

On 21 March, the US government warned of “evolving intelligence” that the Russian government is preparing a large scale cyber operation targeting Western organisations. Such an operation would likely be in retaliation for severe sanctions imposed against Russia by Western governments. The warning follows an FBI bulletin that noted “abnormal scanning” activity of five US energy companies alongside a further 18 US firms from other sectors, including defence and finance. The scans were initiated from Russia-based IP addresses the FBI believes to be associated with previous destructive cyber attacks conducted against critical infrastructure.

Shortly after, the UK National Cyber Security Centre (NCSC) issued a statement supporting the White House’s warning. Organisations were told to remain vigilant to cyber risks and to follow advice previously published by the NCSC.



As economic sanctions become more severe, the Russian government may be more inclined to launch retaliatory attacks. Although attacks would likely focus on government and private organisations associated with critical infrastructure, there is the risk of spill over and all companies should remain vigilant and ensure they harden their cyber security posture.



3. Threat actors cook up a storm for Moscow-based meat processor

One of Russia’s largest food suppliers has fallen victim to a cyber attack this week. Moscow-based meat processor Miratorg Agribusiness Holding suffered a cyber incident that resulted in the encryption of its IT systems using the Windows BitLocker tool. The company claims the attack is an act of sabotage, rather than financially motivated, as no ransom demand has been received.



Organisations operating in Russia and Belarus currently face a heightened risk of being targeted by hacktivists opposed to the invasion of Ukraine, even if they don’t publicly align themselves politically. For example, earlier this week, the hacktivist group Anonymous gave western organisations 48 hours to cease their operations in Russia if they are to avoid targeting.



4. Over 40,000 London voters have their data leaked

The electoral services department of Wandsworth Council in South West London erroneously sent 43,000 emails to the wrong individuals. Each of these emails contained personal information of the intended recipient, including a full name and registered voting address.



Organisations must ensure that personal information is handled appropriately. Mishandling such data can result in reputational, legal, and regulatory costs.



5. TransUnion attack

Credit reporting agency TransUnion’s South African division suffered a ransomware attack by the Brazilian threat group N4ughtysecTU. The threat actors claim to have exfiltrated sensitive personal data affecting around 54 million customers and demanded a USD 15 million ransom.



Customers of organisations that suffer data breaches should be extra vigilant for phishing attempts.



6. Another Android trojan threat

Over 100,000 Google Play users have installed the mobile app Craftsart Cartoon Photo Tools, a trojan that contains a version of the Facestealer spyware. Upon installation, the app directs the victim to log in to their Facebook account, then harvests all credentials inputted, ultimately granting the threat actor access.



Android devices should be secured with Google Play Protect alongside an anti-malware solution and applications should only be downloaded from reputable sources. Individuals should also be particularly wary of apps that require the user to sign-in to a social media account.


Cyber Intelligence Briefing

To discuss this article or other industry developments, please reach out to one of our experts.

Roddy Priestley
Roddy priestley Director, Cyber Security Email Roddy
Kyle Schwaeble
Kyle schwaeble Senior Analyst, Cyber Security Email Kyle


We reveal the challenges faced by C-suite professionals and senior IT leaders across three key areas of cyber security – budgets, incidents and insurance.

Download Report