The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
Top news stories this week
- Recent cyber attacks. Toyota, Nvidia, and Aon fall victim to cyber attacks.
- Russia and Belarus under cyber fire. Hacktivists and a Ukrainian volunteer cyber army target Russia and Belarus.
- Conti leaks. Conti threatens attacks and subsequently suffers a data leak.
- The rise of wiper malware. A third wiper malware strain appears as CISA and the FBI warn of wiper attack spill-overs.
- Russian-themed phishing. A new phishing campaign capitalises on the Russia-Ukraine conflict.
1. Recent cyber attacks
- Car manufacturer Toyota was forced to close all 14 of its Japanese factories on Tuesday following a cyber attack on Kojima Industries, one of its critical suppliers. These factories represent a third of Toyota’s global production, producing roughly 13,000 vehicles per day. Toyota resumed operations on Wednesday. No threat actor has claimed responsibility for the attack.
- US technology company Nvidia, one of the largest graphics processing chip manufacturers globally, disclosed a data breach after suffering a Lapsus$ cyber attack last week. The ransomware group reportedly stole 1TB of sensitive data, including employee credentials and proprietary company information, and has begun leaking it online.
- Aon, a global insurance broker, experienced a cyber attack last weekend. Fortunately, the incident only affected a “limited” number of systems and has not caused any significant disruptions to the company’s operations.
Cyber attacks often involve significant operational costs. If data exfiltration occurs during an attack, regulatory and legal costs may also arise. Organisations must ensure they implement a comprehensive security programme to defend against attacks, paying particular attention to how sensitive data is stored in their environments.
In Focus: Russia and Ukraine
In addition to the news below, we’ve prepared an in-depth analysis of the cyber threat landscape and advice on how organisations can prepare their defences.
2. Russia and Belarus under cyber fire
In response to the ongoing crisis in Ukraine, Russia and Belarus are increasingly concerned about being targeted with retaliatory cyber attacks.
- The Russian government issued warnings about possible cyber attacks aimed at its critical infrastructure.
- Ukraine’s Deputy Prime Minister and Minister for Digital Transformation announced the creation of a volunteer cyber army, which has since received more than 175,000 sign-ups. Volunteers are being asked to launch distributed denial of service (DDoS) attacks against certain Russian and Belarusian websites.
- The hacktivist group Anonymous claimed to have breached the Russian space agency Roscosmos, disabling the agency’s access to its spy satellites. The group also claimed responsibility for disrupting a gas supply in Russia operated by the Russian state-owned company Tvingo Telecom.
- The hacktivist group Cyber Partisans launched a second cyber attack against Belarusian state-owned railway services in an attempt to disrupt the transport of Russian troops to Ukraine.
Retaliatory cyber attacks against Russia and her ally Belarus will likely increase as the conflict continues and more hacktivists join the cause. Attacks would likely target government entities, although private organisations associated with critical Russian and Belarusian infrastructure may also be targeted.
3. Conti makes threats and suffers a data leak
The Conti ransomware group recently announced its full support of the ongoing Russian invasion of Ukraine and threatened to target the critical infrastructure of Russia’s enemies. The group later clarified that they do not ally with any government and condemn the ongoing war but are nevertheless willing to use their full capacity to launch retaliatory attacks against “Western warmongers” targeting civilian infrastructure in Russian-speaking regions.
Shortly afterwards, files relating to the Conti operation were leaked online. Amongst the leaked information were thousands of messages exchanged between Conti and ransomware operators alongside source code for the Conti ransomware and other detailed information regarding the group’s infrastructure.
The leaked Conti information may provide valuable insights into the group’s operation, although it could also provide less experienced threat actors with a guide to establishing their own ransomware operations. Furthermore, while Conti’s actions may endear the group to the Russian government, increasing its strength in the longer term, its political stance increases the likelihood of the group becoming subject to sanctions in the near future.
4. The rise of wiper malware
Data-wiping malware IsaacWiper was discovered on Ukrainian devices following Russia’s invasion of Ukraine on 24 February 2022. This is the third notable data-wiping malware strain to be deployed against Ukraine. On 23 February 2022, HermeticWiper was discovered on devices belonging to Ukrainian organisations and to contractors based in Lithuania and Latvia working for the Ukrainian government. On 13 January 2022, WhisperGate was discovered on Ukrainian devices.
In response to the growing use of data-wiping attacks against Ukraine, CISA and the FBI warned US organisations of the potential for such attacks to spill over to organisations in other countries.
To defend against data-wiping malware, organisations should maintain heightened vigilance and be prepared to respond to an incident quickly. It is imperative that viable backups are stored in a secure and isolated location.
5. Russian-themed phishing emails target Microsoft users
A new phishing campaign attempts to capitalise on the Russia-Ukraine conflict by sending fake email notifications to Microsoft users warning that their account has been accessed from Russia. Recipients are told to click a report button contained within the email if the Russian access is unauthorised, which generates an email template with a fake Microsoft recipient address. It is likely that if an individual sends this new email, they will receive further emails from the threat actor with the aim of harvesting credentials or financial information.
SO WHAT?
Threat actors like to capitalise on major world events when launching social-engineering attacks, leveraging existing interest and fear amongst people. As always, organisations should provide staff with regular training on how to identify phishing messages and conduct occasional simulated phishing tests to identify potential areas for improvement.