Monthly IntSum - January 2024

Our monthly IntSum report is a compilation of the most important and relevant news stories.

Our team of cybersecurity experts is constantly monitoring the latest threats and vulnerabilities from around the world to provide you with the most up-to-date information.


1st January - 5th January: Threat actors target the UK’s Nuclear Waste Services through LinkedIn

This week we reported that malicious actors targeted the UK’s Nuclear Waste Services (NWS) through a LinkedIn social engineering campaign to gather information and compromise the company.

Cybercriminals unsuccessfully attempted to compromise Radioactive Waste Management (RWM), a part of NWS, the UK’s state-owned company overseeing the USD 50 billion Geological Disposal Facility (GDF) project. The project aims to construct an underground nuclear waste repository in the UK.

The operation was conducted through LinkedIn using fake accounts that sent deceptive messages and disseminated malicious links. Its purpose was to gather information about the company and use that data to obtain initial access to its network.

8th January - 12th January: Recent X account hijacking cryptocurrency scam campaign linked to a Drainer-as-a-Service group

The recent X (formerly Twitter) account hijacking campaign promoting cryptocurrency scams has been linked to a Drainer-as-a-Service (DaaS) group, believed to have stolen over USD 900,000 in Solana cryptocurrency.

The recent wave of X account hijacking incidents includes the cybersecurity firm Mandiant, Web3 company CertiK, automotive firm Hyundai Middle East & Africa, networking hardware company Netgear, and the US Federal Securities and Exchange Commission (SEC) as the latest victims of this campaign. The compromised accounts were used to promote cryptocurrency scams, as well as to announce the fake approval of Bitcoin exchange-traded funds (ETFs) through the SEC’s X account.

Mandiant’s investigation has linked the X account hijacking incidents to a Drainer-as-a-Service (DaaS) group, which is assessed to have stolen at least USD 900,000 in Solana cryptocurrency during this campaign to date. Evidence indicates that the threat actors used a brute-force password attack to gain access to Mandiant’s accounts, and spear-phishing in at least one other incident, the one impacting CertiK.

The DaaS group used the hijacked X accounts to distribute cryptocurrency-themed phishing pages encouraging users to claim a token airdrop, a marketing strategy used by cryptocurrency start-ups to distribute free tokens. Clicking the airdrop claim link loads a malicious JavaScript wallet drainer, named CLINKSINK, that prompts the user to connect their cryptocurrency wallet and then steals their Solana cryptocurrency.


15th January - 19th January: Cyber effects of geopolitical escalation in the Middle East

This week we reported on the escalating cyber threats in the wake of the regional conflicts taking place in Yemen and Gaza. Nation-state and hacktivist groups have expanded their use of cyber operations as retaliation.

Early on 12 January 2024, the UK and US conducted air strikes on Houthi bases in Yemen following Houthi rebel attacks on commercial shipping vessels in the Red Sea, allegedly sponsored by Iran and carried out in retaliation for Israeli activity in Gaza. While Western states justify the strikes as self-defence, key Middle Eastern players, including Iran, Lebanon-based Hezbollah, and Palestine-based Hamas, have condemned them.

At the same time, the hacktivist group Anonymous Sudan, which has suspected Russian-state links, targeted entities in the UK and Bahrain with Distributed Denial-of-Service (DDoS) attacks in response to the air strikes. Targets included the London Internet Exchange, in an attempt to disrupt internet connectivity, and Bahraini media outlets. Pro-Palestinian groups are expected to join these efforts, reflecting the increasing cyber threat resulting from the recent geopolitical escalation.

Anonymous Sudan has also targeted telecommunications entities in Chad and Israel, causing network disruptions in the wake of the Israel-Palestine conflict. The hacktivist group stated that the operation impacted critical routers, network administration systems, and other network devices of one of Chad’s telecommunications organisations, as well as disrupting three different Israeli providers. Hezbollah’s cyber campaigns against Israeli entities have also intensified, with Israel facing an overall 50% increase in targeting of its government and defence sectors by Palestine-aligned threat actors, both hacktivist and nation-state.

It is also a realistic possibility that Iran-linked threat actors could seek to target the US, the UK, and their allies, considering known links between Iran’s government and the Houthi rebels.


22nd January - 26th January: Ransomware compromise of IT services provider Tietoevry has a significant impact on the downstream supply chain in Sweden

This week we reported that the Akira ransomware gang compromised Tietoevry, a Finnish IT and cloud hosting service provider, by targeting a single data centre in Sweden, which has caused significant downstream disruption for a range of Tietoevry customers.

The incident resulted in service outages and disruption to the financial systems of 120 agencies, 23 regions, and 35 companies across all sectors, which have contacted the privacy protection authority IMY regarding the compromise of their data. Speculation about additional, as yet unknown, victims has not been corroborated. Some online shops and physical stores have been closed as a result of complete Point-of-Sale failure. The health record system in Uppsala County has also reportedly been inaccessible, though this has not impacted patient care.

Akira, a Russian-speaking ransomware group, began its operations in March 2023 and has since carried out various double-extortion compromises, prompting the Finnish National Cybersecurity Center (NCSC-FI) to release a warning about the group’s activity targeting the country. The group has previously exploited vulnerabilities in VPN and other security products to gain initial access, and has wiped data backups. It is possible that Akira exploited a similar vulnerability to gain access to Tietoevry’s network and wiped the backups of impacted organisations, which could have contributed to the prolonged downtime.



We are committed to keeping you informed and helping you stay ahead of the ever-evolving cybersecurity landscape.

By subscribing to our newsletter, you'll receive monthly updates on the latest trends and threats, in-depth analysis, and expert commentary. With this information at your fingertips, you can better protect yourself and your organisation from potential cyber-attacks.

Great initiative on sharing the latest in cybersecurity! As Bruce Schneier wisely said, "The only security is in what you know to be secure." Your dedication to spreading awareness is truly inspiring. #StayInformed #CyberStrength