Number of cyber-attacks increases by 38% in 2022

According to data released by Check Point Research, the number of cyber-attacks recorded globally in 2022 was nearly two-fifths (38%) higher than the total volume observed in 2021. Attacks peaked in the fourth quarter of 2022, with an average of 1168 weekly attacks per organisation. The sectors most affected by cyber-attacks were education/research (2314 average weekly cyber-attacks), government/military (1661), and healthcare (1463). The highest volume of attacks was recorded in Africa (1875 weekly attacks per organisation), followed by Asia-Pacific, Latin America, Europe, and North America. 

Check Point Research also highlighted several trends observed during 2022: (a) the ransomware ecosystem continuing to evolve, with smaller and more agile criminal groups; (b) attackers broadening their targeting to business collaboration tools such as Slack and Teams, using them as channels for phishing; (c) academic institutions becoming a popular target for cybercriminals.

Cybercriminals start using ChatGPT

Check Point Research (CPR), the threat intelligence arm of Check Point Software Technologies, found that cybercriminals have been using the artificial intelligence-based tool ChatGPT for malicious purposes. The team described three examples of such misuse of ChatGPT:

  • Recreating malware strains and techniques described in research publications and write-ups about common malware.
  • Creating encryption tools: the second thread described performs cryptographic combinations of different signing, encryption, and decryption functions.
  • Creating dark web marketplaces.

As CPR notes, although the examples given in the report are relatively basic, ‘it is only a matter of time until more sophisticated actors enhance the way they use AI-based tools for bad’.

Iran prevents cyberattack on central bank

Iran’s Infrastructure Communications Company announced on 6 January 2023 that it had prevented a cyberattack on the country’s central bank. Amir Mohammadzadeh Lajevardi, head of the company, was quoted by local media as saying that the bank was targeted by a distributed denial of service (DDoS) attack. In October 2022, Anonymous and other hacking groups had threatened to launch cyberattacks against Iranian institutions and officials in support of anti-government protests and to thwart internet censorship in Iran.

Callisto group hackers targeted three US nuclear research labs, according to Reuters

A report by Reuters indicates that Russian hackers affiliated with the Callisto (Cold River) group targeted three US nuclear research laboratories during the summer of 2022.

The hacking team targeted the Brookhaven, Argonne, and Lawrence Livermore National Laboratories, created fake login pages for each lab, and then emailed scientists with the intent of stealing their passwords.

Reuters did not determine why the three labs were targeted or whether the attempted intrusions were successful. None of the three labs responded to requests for comment.

New toolset used by threat actor Blind Eagle to target victims across South America

Check Point Research (CPR), the threat intelligence arm of Check Point Software Technologies, identified cybercrime campaigns orchestrated in recent months by the threat group APT-C-36 (also known as Blind Eagle). According to CPR, Blind Eagle is a financially motivated group that has been coordinating attacks against citizens across South America since 2018.

In one recent campaign, Blind Eagle sent phishing emails to citizens purporting to come from the Colombian government. The emails warned recipients that they would face problems when leaving the country unless certain bureaucratic matters were settled, pressuring them to open the attached lure. In another campaign, targeting Ecuador-based organisations, the group used an advanced toolset to run a new infection chain.

CPR characterised Blind Eagle as a ‘strange bird among APT groups’: ‘Judging by its toolset and usual operations, it is clearly more interested in cybercrime and monetary gain than in espionage; however, unlike most such groups that just attack the entire world indiscriminately, Blind Eagle has a very narrow geographical focus, most of the time limited to a single country.’

Trident Ursa threat group continues to operate as ‘dedicated access creator and intelligence gatherer’, according to cybersecurity company

US cybersecurity company Palo Alto Networks’ Unit 42 (a threat intelligence group) issued a report outlining the continuing operations of the advanced persistent threat (APT) group Trident Ursa (also known as Gamaredon), a group attributed to Russia’s Federal Security Service by the Security Service of Ukraine. According to Unit 42’s assessment, Trident Ursa has remained ‘one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine’.

Following ten months of monitoring indicators of the group’s operations, Unit 42 announced that it had identified, among other issues:

  • ‘An unsuccessful attempt to compromise a large petroleum refining company within a NATO member nation on 30 August 2022’ (neither the country nor the company concerned was named).
  • ‘An individual who appears to be involved with Trident Ursa threatened to harm a Ukraine-based cybersecurity researcher immediately following the initial invasion.’
  • ‘Multiple shifts in [the group’s] tactics, techniques and procedures.’

Reporters Without Borders raises concerns over cybercrime and freedom of expression bills resubmitted to Iraqi parliament

Reporters Without Borders (RSF) raised concerns over two old draft laws resubmitted to the Iraqi parliament, one dealing with cybercrime and the other with freedom of expression and the right to protest peacefully. According to RSF, the two bills were first submitted to the parliament in 2011, and then resubmitted in their original form every time a new parliament took office, ignoring previous debates and amendments.

The cybercrime draft law is seen as containing threats to journalists and freedom of the press. For instance, it imposes penalties ranging from a minimum fine of 10 million Iraqi dinars (more than €6,500) to prison terms of seven to ten years for anyone who uses the internet ‘with the intention to undermine religious, family or social values and principles’. The second draft law is criticised for containing ‘vague and ambiguous language that is open to interpretation and therefore to manipulation by the authorities’.

Users of Ukraine’s DELTA military system targets of information stealing malware

The Computer Emergency Response Team of Ukraine (CERT-UA) revealed that users of the DELTA situational awareness programme were receiving phishing emails and instant messages sent from a compromised email account at the Ukrainian Ministry of Defence. The emails and messages were intended to infect recipients’ computers with information-stealing malware.

CERT-UA alerted Ukrainian military forces to the malware campaign. At the time of the report, the team had not attributed the operation to any known threat actor.

DELTA was developed by Ukraine and its partners as an intelligence collection and management system to aid the military in tracking the movements of hostile forces.

New Agenda ransomware variant targeting critical infrastructure

A new variant of the Agenda ransomware, which has previously targeted healthcare and education organisations, has been identified. Agenda uses partial (intermittent) encryption: configurable parameters determine what percentage of each file’s content is encrypted, which makes encryption of large volumes of data faster and leaves files looking less uniformly random than fully encrypted ones. The new variant is also able to disable User Account Control (UAC), the Windows mechanism that otherwise requires administrative approval before a program or task runs with elevated privileges. On Windows, UAC is governed by the EnableLUA value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, so a change of that value to 0 is a signal worth alerting on.
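To make the detection consequence of intermittent encryption concrete, the following is an added example written for this page; it is not Agenda’s code, and the per-chunk XOR keystream derived from SHA-256 is a stand-in for a real cipher, not a secure construction. The chunk size (4096 bytes), the key and the low-entropy sample file are all constructed for the demonstration. It encrypts a configurable percentage of the file chunk by chunk, spreading the encrypted chunks evenly across the file, and then shows why whole-file entropy is a poor ransomware indicator: at 20% the file as a whole still looks mostly like text, while a per-chunk entropy scan flags exactly the chunks that were touched.

```python
"""Illustrative intermittent (partial) file encryption and a per-chunk
entropy check.  Added example for this article; not the Agenda ransomware's
own code.  The XOR keystream is a stand-in for a real cipher and is NOT secure."""
import hashlib
import math
import struct

CHUNK_SIZE = 4096                 # assumed chunk granularity (illustrative)
KEY = b"example-key-not-secret"   # constructed for the demo

# Constructed sample file: ~92 KB of low-entropy business text.
SAMPLE = b"Quarterly report: revenue up 12%, costs flat.\n" * 2000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _keystream(key: bytes, chunk_index: int, length: int) -> bytes:
    """Deterministic per-chunk keystream: SHA-256(key || chunk || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">QQ", chunk_index, counter)).digest()
        counter += 1
    return bytes(out[:length])


def selected_chunks(num_chunks: int, percent: int) -> list:
    """Indices of the chunks to encrypt so that `percent` of them are covered.

    Spreads the encrypted chunks evenly over the file (Bresenham-style), so a
    20% setting on 23 chunks touches chunks 4, 9, 14 and 19 rather than a run.
    """
    return [i for i in range(num_chunks)
            if ((i + 1) * percent) // 100 > (i * percent) // 100]


def intermittent_xor(data: bytes, key: bytes, percent: int,
                     chunk_size: int = CHUNK_SIZE) -> bytes:
    """Encrypt `percent` of the file chunk by chunk; applying it again decrypts."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be 0..100")
    num_chunks = math.ceil(len(data) / chunk_size)
    out = bytearray(data)
    for i in selected_chunks(num_chunks, percent):
        start, end = i * chunk_size, min((i + 1) * chunk_size, len(data))
        ks = _keystream(key, i, end - start)
        out[start:end] = bytes(a ^ b for a, b in zip(out[start:end], ks))
    return bytes(out)


def flag_high_entropy_chunks(data: bytes, chunk_size: int = CHUNK_SIZE,
                             threshold: float = 7.5) -> list:
    """Detection side: indices of chunks whose entropy looks like ciphertext."""
    num_chunks = math.ceil(len(data) / chunk_size)
    return [i for i in range(num_chunks)
            if shannon_entropy(data[i * chunk_size:(i + 1) * chunk_size]) > threshold]


if __name__ == "__main__":
    partial = intermittent_xor(SAMPLE, KEY, 20)
    full = intermittent_xor(SAMPLE, KEY, 100)
    print("whole-file entropy: plain %.2f, 20%% encrypted %.2f, fully encrypted %.2f" % (
        shannon_entropy(SAMPLE), shannon_entropy(partial), shannon_entropy(full)))
    print("chunks flagged at 20%:", flag_high_entropy_chunks(partial))
    assert intermittent_xor(partial, KEY, 20) == SAMPLE   # symmetric: same call decrypts
```

Run it directly to see the three whole-file entropy figures side by side: the 20% file stays well below the 7.5 bits-per-byte level that a whole-file heuristic would treat as random, whereas the chunk scan still returns the four encrypted chunk indices. The practical lesson for detection engineering is to score files at chunk granularity (or on write-pattern telemetry) rather than on a single entropy value per file.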