The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
TOP NEWS STORIES THIS WEEK
- Recent cyber attacks. The Works, Iberdrola, and Nordex among the latest commercial victims.
- Phishing campaigns. WhatsApp and Mailchimp leveraged in latest phishing campaigns.
- Exploiting the Ukraine conflict. Threat actors capitalise on the Ukrainian conflict.
- Relentless Anonymous. The hacktivist group continues its Russian campaign.
- Gazprom suffers. The Russian gas provider becomes the latest victim of critical infrastructure attacks.
- MSPs targeted. Chinese APT group targets global managed service providers (MSPs).
1. THE WORKS, IBERDROLA, AND NORDEX ALL UNDER ATTACK
- Spanish energy giant Iberdrola, the parent company of Scottish Power, suffered a cyber attack that led to a data breach affecting 1.3 million customers. Customer information accessed included ID numbers, home and email addresses, and phone numbers. Actors could leverage this information in tailored phishing campaigns to obtain financial information.
- Hackers infiltrated the computer systems of the stationery and books retailer The Works, resulting in the closure of five stores, the suspension of new stock deliveries, and delays to online deliveries.
- Wind turbine manufacturer Nordex Group shut down its global IT systems after being hit by a cyber attack last week.
Avoiding legacy software, mandating secure data storage configuration, and network segmentation are a few methods to help reduce the risk of suffering from a data breach.
2. PHISHING CAMPAIGNS
- A new email phishing campaign has appeared that allegedly contains an official WhatsApp voicemail. When a victim plays the message, they are redirected to a page that attempts to install credential-harvesting malware. Research suggests that the emails originate from a domain associated with the Russian Ministry of Internal Affairs.
- Email marketing service MailChimp fell victim to a social engineering attack in which a MailChimp employee unwittingly provided credentials to a threat actor. As a result, the actor was able to access certain MailChimp accounts and mailing lists, and launch phishing campaigns employing the MailChimp infrastructure.
SO WHAT?
Phishing methods are constantly evolving, with negligent employees a key target for many organised criminal groups. Conduct regular security awareness training and simulated phishing tests to upskill your employees.
3. THREAT GROUPS CAPITALISE ON THE UKRAINE CONFLICT
- Advanced persistent threat (APT) groups El Machete, SideWinder, and Lyceum have launched Ukraine-themed phishing campaigns against organisations across the energy, financial and government sectors. One campaign, orchestrated by Lyceum, sends phishing emails with a fake link that supposedly directs the reader to information about Russian war crimes in Ukraine. Upon clicking the link, data-harvesting malware is dropped on the victim’s machine.
- Financially motivated actors have set up phishing websites that spoof charity organisations supporting Ukrainian victims. For example, the fake site Ukrainehelp[.]world claims an association with UNICEF and that donations will support Ukrainian children affected by the conflict. So far, over USD 850,000 has been stolen by the actors behind the site.
SO WHAT?
Threat actors often exploit major events to create a sense of urgency in their social engineering attacks. Organisations should continue to pay careful attention to communications relating to the Ukraine conflict.
4. ANONYMOUS CONTINUES ITS OFFENSIVE
- The hacktivist group Anonymous claims to have breached, and exfiltrated data from, the Russian Orthodox Church and Marathon Group, the latter being an investment firm owned by the sanctioned son-in-law of Russian Foreign Minister Sergei Lavrov.
- The group also announced the leak of the personal data of around 120,000 Russian soldiers fighting in Ukraine, including their dates of birth, addresses, and passport numbers.
- The Anonymous-affiliated group Network Battalion 65 allegedly breached the All-Russia State Television and Radio Broadcasting Company (VGTRK), a state-owned media organisation that forms a central part of the Kremlin’s propaganda drive. The group subsequently published over 900,000 emails allegedly exfiltrated during the breach.
SO WHAT?
Although some may applaud the work of Anonymous, the extent of their data exfiltration highlights the constant need for organisations to review and harden their cyber security programme and ensure sensitive data is stored in secure and isolated locations.
5. RUSSIAN GAS PROVIDER GAZPROM TARGETED
The Russian gas supplier Gazprom allegedly experienced a network attack on a control system, causing two pipelines to rupture. Although unconfirmed, responsibility for the attack is being attributed to the Main Directorate of Intelligence at the Ministry of Defence of Ukraine.
Gazprom is yet another organisation associated with Russian critical infrastructure that has been targeted with attacks since the invasion of Ukraine.
6. MANAGED SERVICE PROVIDERS UNDER ATTACK
The Chinese APT group Cicada is allegedly attacking managed service providers (MSPs) worldwide. MSPs are attractive targets to threat actors as they often hold privileged access to their clients’ infrastructure. The primary motivation of the group appears to be espionage, with end targets typically limited to government agencies, legal and religious organisations, and NGOs.
Vetting your MSPs’ security postures should be a foundational aspect of your organisation’s security governance programme.