The third quarter of 2022 included all four universal cyberattack drivers: war, religion, politics and money.
For the third quarter in a row, pro-Russian hacktivists targeted western governments and organizations. Killnet, arguably the most vocal pro-Russian hacktivist group, solicited donations to grow its attack infrastructure. In addition, it provided support services to Solaris, a Russian-speaking underground forum. Solaris emerged as one of the largest underground markets after Hydra was shut down at the end of March 2022. Since then, Solaris and Rutor have competed for the top position in the Russian-speaking deep web ecosystem. Rutor, however, became the target of Killnet DoS (denial-of-service) attacks, which enabled Solaris to rise to the top spot. This raises the question: did Solaris hire Killnet to gain a competitive advantage in the underground?
The three most prominent groups responsible for creating chaos in Finland, Estonia, the Republic of Moldova, Japan and, more recently, the United States are Killnet, NoName057(16) and Anonymous Russia. While all have common objectives and share their attacks within their Telegram channels, it is believed that all remain independent. There is no evidence to support that any of them acted on behalf of the Russian government.
Inspired by the pro-Ukrainian disBalancer and the IT Army of Ukraine’s automated botnet, NoName057(16) introduced a new crowd-sourced botnet called Ddosia. Its goal is to synchronize and centrally orchestrate DoS attacks and to increase effectiveness through coordinated assaults across its member base. NoName057(16) raised the stakes by adding an incentive program that promises up to USD 1,250 worth of cryptocurrency to the top contributors.
Earlier in the third quarter, South Korea announced plans to establish a new 100,000-member cyber warfare reserve force. The volunteer IT Army of Ukraine inspired the plans. By the end of August, the US Army Chief of Cyber posted a tweet inviting citizens to become nation-state hackers and develop offensive and defensive cyber operation skills, which he describes as ‘Defend. Attack. Exploit.’
Prior to United States House Speaker Nancy Pelosi’s visit, Taiwanese government websites and the Taoyuan airport website experienced outages. Taiwan responded by announcing new initiatives leveraging Web3 technologies to increase the resilience of its government services. Later in the quarter, Taiwan discussed the potential of leveraging red teaming exercises to increase its overall resistance and resilience against foreign cyberattacks.
DragonForce Malaysia continues to expand its tactics, adding new exploit techniques to its arsenal of attack tools. It expressed the intent to engage in crypto locking and ransomware. A new Bangladesh-based hacktivist group called Mysterious Team claimed to be behind DoS attacks that used the tags OpIndia, OpPatuk and OpIsrael. This aligns with operations by DragonForce Malaysia that occurred earlier in the year.
Altahrea Team, an Iraq-based group of pro-Iranian hackers known for targeting several services and websites in Israel this year, teamed up with Kurdish hacker group 1877 Team in support of the car bombing that killed Darya Dugina. Dugina was the daughter of Aleksandr Dugin, a close ally of Russian President Vladimir Putin.
In September, Anonymous launched OpIran to target the Iranian government and supreme leader websites, joining protests following the death of 22-year-old Iranian Mahsa Amini. She died shortly after her arrest by the Iranian morality police for allegedly wearing her hijab too loosely. In response to the Iranian authorities, who attempted to control the news, prevent organized protests, and censor and block access to social media and messaging platforms, the Tor Project published new user guides for circumventing censorship in Iran. Signal called on people outside Iran to install proxies that allow Iranian citizens to circumvent the censorship.
While it was disclosed and fixed at the end of 2021, the Log4j vulnerability is still being widely exploited. In addition to the opportunistic automated exploit activity in search of crypto-mining and denial-of-service resources, ransomware gangs leveraged the vulnerabilities to target and extort organizations in multiple industries and countries. The Iranian state-sponsored group MuddyWater leveraged Log4j to target Israeli entities. It was also discovered that the state-sponsored North Korean hacking group Lazarus targeted North American utility companies.
In September, the Ministry of Defense of Ukraine’s intelligence group warned of Russia’s plans to launch mass cyberattacks targeting critical infrastructure. The warning stated that the Kremlin plans to carry out cyberattacks against Ukraine’s enterprises and allies and will primarily target the energy sector. The group specifically mentioned Poland and the Baltic States as countries that can expect increased DoS attacks on critical infrastructure.
In August — and just 75 days from the U.S. mid-term elections — Election Security Group (ESG) leaders pledged to be fully engaged and on high alert to defend the U.S. electoral system from potential interference by Russia, China and Iran. The U.S. Cyber Command and the National Security Agency (NSA) established the ESG task force in 2018 to combat Russian meddling in elections.
According to a U.S. Cybersecurity Advisory (CSA), in September Vice Society, a threat group known for deploying third-party ransomware, disproportionately targeted educational institutions. From a cybersecurity perspective, the first half of 2022 was particularly hard on the education sector.
In August, the Office of Information Security and the Health Sector Cybersecurity Coordination Center warned that Russia-based Evil Corp, a highly capable cybercrime syndicate that emerged in 2009, is a significant threat to the U.S. healthcare sector. The warning considered the possibility that the Russian government has tasked Evil Corp with acquiring intellectual property from the U.S. healthcare sector.
At the end of September, Optus, Australia’s second-largest telecom service provider, disclosed a breach after noticing suspicious network activity. In what some may consider Australia’s most serious data breach to date, Optus stated that the personal data of current and former customers was stolen. This included, among other personal information, passport and driver’s license numbers. According to Optus, payment details and account passwords were not compromised. The passport and driver’s license numbers of approximately 2.8 million people were stolen, putting them, according to the Australian government, at “quite significant” risk for identity theft and fraud.
Check our quarterly updated DDoS and Application Threat Analysis Hub for a comprehensive and quantitative analysis of network and application attack activity for Q3 2022.