This was Q3 2022

The four universal drivers for cyberattacks were all accounted for in the third quarter of 2022: war, religion, politics and money.

For the third quarter in a row, pro-Russian hacktivists targeted western governments and organizations. Killnet, arguably the most vocal pro-Russian hacktivist group, has been soliciting donations to grow its attack infrastructure and providing support services for Solaris, a Russian-speaking underground forum. Solaris has emerged as one of the largest underground markets after Hydra was shut down at the end of March 2022. Since then, Solaris and Rutor have been competing for the top position in the Russian-speaking deep web ecosystem. Rutor, however, became the target of denial-of-service attacks performed by Killnet, allowing Solaris to rise to the top. This raises the question of whether Solaris hired and paid Killnet to gain a competitive advantage in the underground.

The three most prominent groups responsible for creating chaos in Finland, Estonia, the Republic of Moldova, Japan and, more recently, the United States are Killnet, NoName057(16) and Anonymous Russia. While all have common objectives and their attacks were shared amongst their Telegram channels, it’s believed all remain independent. There’s no evidence to support that any were acting on behalf of the Russian government.

Inspired by the pro-Ukrainian disBalancer and IT Army of Ukraine's automated botnet, NoName057(16) introduced a new crowd-sourced botnet called Ddosia. Its goal is to synchronize and centrally orchestrate denial-of-service attacks and increase their effectiveness through coordinated assaults across the member base. NoName057(16) raised the stakes by adding an incentive program that promises up to 1,250 USD worth of cryptocurrency for the top contributors.

Earlier in the quarter, South Korea announced plans to establish a new cyber warfare reserve force composed of 100,000 professionals. The plans are inspired by the volunteer-based IT Army of Ukraine. By the end of August, the US Army Chief of Cyber posted a tweet inviting citizens to become a nation-state hacker and develop offensive and defensive cyber operation skills: 'Defend. Attack. Exploit.'

Ahead of United States House Speaker Nancy Pelosi’s visit, Taiwanese government websites and the Taoyuan airport website experienced outages. Taiwan responded by announcing new initiatives leveraging Web3 technologies to increase the resilience of its government services. Later in the quarter, Taiwan discussed the potential of leveraging red teaming exercises to increase its overall resistance and resilience against foreign cyberattacks.

DragonForce Malaysia continues to expand its tactics, adding new exploit techniques to its arsenal of attack tools. They expressed their intent to engage in crypto locking and ransomware. A new Bangladesh-based hacktivist group calling themselves Mysterious Team claimed to be behind DoS attacks that used the tags OpIndia, OpPatuk and OpIsrael, aligning with operations by DragonForce Malaysia earlier in the year.

Altahrea Team, an Iraq-based group of pro-Iranian hackers, known for targeting several services and websites in Israel this year, teamed up with Kurdish hacker group 1877 Team in support of the car bombing that killed Darya Dugina. Dugina was the daughter of Aleksandr Dugin, a close ally of President Vladimir Putin.

In September, Anonymous launched OpIran to target the Iranian government and supreme leader websites, joining the protests in the streets of Iran following the death of Mahsa Amini. Amini died shortly after her arrest by the Iran morality police for, they alleged, wearing her hijab too loosely. In response to the Iranian authorities who attempted to control the news, prevent organized protests, and censor and block access to social media and messaging platforms, the Tor Project published new user guides to circumvent censorship in Iran. Signal called people outside of Iran to install proxies and allow Iranian citizens to circumvent the censoring.

The Log4j vulnerability, which was disclosed and fixed at the end of 2021, is still widely exploited. In addition to the opportunistic automated exploit activity in search of crypto-mining and denial-of-service resources, ransomware gangs leveraged the vulnerability to target and extort organizations in multiple industries and countries. Iranian state-sponsored MuddyWater leveraged Log4j to target Israeli entities, and it was discovered that the state-sponsored North Korean hacking group Lazarus targeted North American utility companies.

In September, the Ministry of Defense of Ukraine’s intelligence group warned of Russia’s plans to launch mass cyberattacks targeting critical infrastructure. The warning stated that the Kremlin is planning to carry out cyberattacks against Ukrainian enterprises and its allies and will primarily target the energy sector. The group specifically mentioned Poland and the Baltic States as countries that could expect increased denial-of-service attacks against critical infrastructure.

In August and just 75 days from the U.S. mid-term elections, Election Security Group (ESG) leaders pledged that they will be fully engaged and on high alert to defend the U.S. electoral system from potential interference by Russia, China and Iran. In 2018, the ESG task force was established by U.S. Cyber Command and the National Security Agency (NSA) to combat Russian meddling in elections.

According to a U.S. Cybersecurity Advisory (CSA), in September Vice Society, a threat group known for deploying third-party ransomware, disproportionately targeted educational institutions. From a cybersecurity perspective, the first half of 2022 was particularly hard on the education sector.

In August, the Office of Information Security and the Health Sector Cybersecurity Coordination Center warned that Russia-based Evil Corp, a highly capable cybercrime syndicate that emerged in 2009, should be considered a significant threat to the U.S. healthcare sector. The warning also considered the possibility that Evil Corp may be tasked by the Russian government to acquire intellectual property from the U.S. healthcare sector.

At the end of September, Optus, Australia’s second-largest telecom service provider, disclosed a breach after noticing suspicious network activity. In what some may consider Australia’s most serious data breach to date, Optus stated that personal data of current and former customers was stolen, including passport and driver’s license numbers. According to Optus, payment details and account passwords were not compromised. The passport and driver’s license numbers of approximately 2.8 million people were stolen, putting them, according to the Australian government, at “quite significant” risk for identity theft and fraud.

Check our quarterly updated DDoS and Application Threat Analysis Hub for a comprehensive and quantitative analysis of network and application attack activity for Q3 2022.