The third quarter of 2022 included the four universal drivers of cyberattacks: war, religion, politics and money.
For the third consecutive quarter, pro-Russian hacktivists have targeted Western governments and organizations. Killnet, arguably the most vocal pro-Russian hacktivist group, has solicited donations to develop its attack infrastructure. Additionally, it provided support services to Solaris, a Russian-speaking underground forum. Solaris became one of the largest underground markets after Hydra shut down at the end of March 2022. Since then, Solaris and Rutor have been vying for the top spot in the Russian-speaking deep web ecosystem. Rutor, however, became the target of Killnet DoS (denial of service) attacks, which brought Solaris to the forefront. This raises the question: did Solaris hire Killnet to gain a competitive edge in the underground?
The three main groups responsible for chaos in Finland, Estonia, the Republic of Moldova, Japan and, more recently, the United States are Killnet, NoName057(16) and Anonymous Russia. Although all have common goals and their attacks are shared within their Telegram channels, all are believed to remain independent. There is no supporting evidence that anyone acted on behalf of the Russian government.
Inspired by the pro-Ukrainian disBalancer and IT Army of Ukraine’s automated botnet, NoName057(16) introduced a new crowdsourced botnet called Ddosia. Its goal is to centrally synchronize and orchestrate DoS attacks and increase efficiency through coordinated attacks across its member base. NoName057(16) has raised the stakes by adding an incentive program that promises up to $1,250 in cryptocurrency for top contributors.
Earlier in the third quarter, South Korea announced plans to create a new 100,000-strong cyber warfare reserve force. The Ukrainian Volunteer Computer Army inspired the plans. In late August, the US Army’s cybersecurity chief posted a tweet urging citizens to become nation-state hackers and develop offensive and defensive cyber operation skills, which he describes as “Defend. Offensive. To exploit.”
Prior to US House Speaker Nancy Pelosi’s visit, Taiwan government websites and the Taoyuan Airport website experienced outages. Taiwan responded by announcing new initiatives leveraging Web3 technologies to increase the resilience of its government services. Later in the quarter, Taiwan discussed the possibility of leveraging red team exercises to increase its overall resistance and resilience against foreign cyberattacks.
DragonForce Malaysia continues to expand its tactics, adding new exploitation techniques to its arsenal of attack tools. It has expressed an intention to engage in crypto-lockdown and ransomware. A new Bangladesh-based hacktivist group called Mysterious Team has claimed to be behind DoS attacks that used OpIndia, OpPatuk, and OpIsrael beacons. This matches the DragonForce Malaysia operations that took place earlier in the year.
Altahrea Team, an Iraq-based pro-Iranian hacker group known for targeting several services and websites in Israel this year, has teamed up with Kurdish hacker group 1877 Team to support the car bombing that killed Darya Dugina. Dugina was the daughter of Aleksandr Dugin, a close ally of Russian President Vladimir Putin.
In September, Anonymous launched OpIran to target Iranian government and supreme leader websites, joining protests after the death of 22-year-old Iranian Mahsa Amini. She died shortly after her arrest by Iranian vice police for allegedly wearing her hijab too loosely. In response to Iranian authorities’ attempts to control information, prevent organized protests, and censor and block access to social networks and messaging platforms, the Tor Project released new user guides for circumventing censorship in Iran. Signal called on people outside Iran to install proxies so that Iranian citizens can circumvent censorship.
Although disclosed and patched in late 2021, the Log4j vulnerability is still widely exploited. In addition to opportunistic automated exploitation activity seeking crypto-mining and denial-of-service resources, ransomware gangs have exploited the vulnerability to target and extort organizations across multiple industries and countries. Iranian state-sponsored MuddyWater used Log4j to target Israeli entities. The state-sponsored North Korean hacking group Lazarus was also discovered to be targeting North American utility companies.
In September, Ukraine’s Defense Ministry intelligence group warned of Russian plans to launch massive cyberattacks targeting critical infrastructure. The warning said the Kremlin planned to carry out cyberattacks against Ukraine’s businesses and allies and would primarily target the energy sector. The group specifically mentioned Poland and the Baltic states as countries that can expect an increase in DoS attacks against critical infrastructure.
In August – and just 75 days before the US midterm elections – leaders of the Election Security Group (ESG) pledged to be fully engaged and on high alert to defend the US electoral system against potential interference from Russia, China and Iran. US Cyber Command and the National Security Agency (NSA) established the ESG Task Force in 2018 to combat Russian interference in the election.
According to a US Cybersecurity Advisory (CSA), in September, Vice Society, a threat group known to deploy third-party ransomware, disproportionately targeted educational institutions. From a cybersecurity perspective, the first half of 2022 was particularly challenging for the education sector.
In August, the Information Security Office and the Healthcare Industry Cybersecurity Coordination Center warned that Russia-based Evil Corp, a highly skilled cybercrime syndicate that emerged in 2009, was a significant threat to the US healthcare industry. The warning considered the possibility that the Russian government had commissioned Evil Corp to acquire intellectual property from the US healthcare industry.
In late September, Optus, Australia’s second-largest telecommunications service provider, disclosed a breach after noticing suspicious activity on the network. In what some might consider Australia’s most serious data breach to date, Optus said the personal data of current and former customers had been stolen. This included, among other personal information, passport and driver’s license numbers. According to Optus, payment details and account passwords were not compromised. The passport and driver’s license numbers of around 2.8 million people have been stolen, putting them, according to the Australian government, at “fairly significant” risk of identity theft and fraud.
Check out our quarterly updated DDoS and Application Threat Analysis Hub for a comprehensive and quantitative analysis of network and application attack activity for Q3 2022.