July Hacker Tracker
Welcome to the July 2023 Hacker Tracker, where we’ll provide a breakdown of the most high-profile cyberattacks in the past month. The zero-day attack on MOVEit Transfer tops the list this month. Carried out by a Russia-linked group, it’s affected major organizations across the globe—including the US Department of Energy. Read on to learn just how much damage this attack and others have caused.
MOVEit Transfer hacking spree
When it happened
Exploitation began in late May 2023, before a patch existed; Progress Software disclosed the flaw on May 31, and the US federal victims (including the Department of Energy) were confirmed on June 15.
What happened
Major organizations across the world fell victim to a worldwide hacking spree by the Russia-linked extortion group Cl0p. Multiple US federal agencies (including the Department of Energy), Shell, Deutsche Bank, ING, and British Airways were among those affected, in several cases because a payroll or service provider they used ran MOVEit Transfer.
Method of attack
The attackers exploited a previously unknown SQL injection flaw, later assigned CVE-2023-34362, in the web-facing front end of MOVEit Transfer, a managed file-transfer product often used to exchange sensitive files with partners or customers. The flaw gave an unauthenticated attacker access to the application's database, and Cl0p used it to plant a web shell and pull data out in bulk. The vendor, Progress Software, learned of the flaw from the exploitation itself: it published an advisory and a patch on May 31, 2023, after the mass data theft over the preceding US holiday weekend had already happened.
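As an added illustration (not part of the original article and not Progress Software's guidance), the script below shows the kind of log triage defenders ran in the days after the patch. A web shell dropped through a web application flaw shows up in IIS logs as an .aspx page that is served with HTTP 200 but was never requested before the intrusion window. The log lines are constructed; the baseline cut-off date is an assumption; the shell filename in the sample (human2.aspx) is the one named in public advisories about this campaign, while the other paths and addresses are placeholders.

```python
"""Added example: find a dropped web shell in IIS W3C logs.

A shell written into the web root appears as an .aspx path that is served
with HTTP 200 but was never requested before the intrusion window. The
log text below is constructed; the baseline cut-off is an assumption.
"""


def parse_iis(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than mis-align columns
        records.append(dict(zip(fields, parts)))
    return records


def first_seen_aspx(records):
    """Map each .aspx path (lower-cased) to the first date it was requested."""
    first = {}
    for r in records:
        path = r["cs-uri-stem"].lower()
        if path.endswith(".aspx") and (path not in first or r["date"] < first[path]):
            first[path] = r["date"]  # ISO dates compare correctly as strings
    return first


def suspicious_aspx(records, baseline_end):
    """Return {path: details} for .aspx paths first requested after baseline_end
    (an ISO date string such as "2023-05-26")."""
    findings = {}
    for path, seen in first_seen_aspx(records).items():
        if seen <= baseline_end:
            continue
        hits = [r for r in records if r["cs-uri-stem"].lower() == path]
        findings[path] = {
            "first_seen": seen,
            "requests": len(hits),
            "client_ips": sorted({r["c-ip"] for r in hits}),
            "methods": sorted({r["cs-method"] for r in hits}),
            # scripted tooling often sends no User-Agent; IIS logs that as "-"
            "empty_user_agent": any(r["cs(User-Agent)"] == "-" for r in hits),
            "served_ok": any(r["sc-status"] == "200" for r in hits),
        }
    return findings


# Constructed sample log. "human2.aspx" is the web shell file name given in
# public advisories about the MOVEit Transfer campaign; the other paths and
# all addresses are illustrative only.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-05-20 09:12:01 10.0.0.5 GET /human.aspx - 443 203.0.113.10 Mozilla/5.0 200
2023-05-20 09:12:05 10.0.0.5 POST /machine2.aspx - 443 203.0.113.10 Mozilla/5.0 200
2023-05-21 14:02:19 10.0.0.5 GET /human.aspx - 443 203.0.113.11 Mozilla/5.0 200
2023-05-28 02:14:40 10.0.0.5 POST /human2.aspx - 443 198.51.100.7 - 200
2023-05-28 02:15:02 10.0.0.5 POST /human2.aspx - 443 198.51.100.7 - 200
2023-05-28 08:30:00 10.0.0.5 GET /human.aspx - 443 203.0.113.12 Mozilla/5.0 200
"""

if __name__ == "__main__":
    for path, info in suspicious_aspx(parse_iis(SAMPLE_LOG), "2023-05-26").items():
        print(path, info)
```

The baseline date should be the last day you are confident the server was clean; anything that first appears after it, is answered with 200, and is hit by a client with no User-Agent deserves a look at the file on disk and its creation time. The same first-seen logic works for any web application, not only MOVEit.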
The fallout so far
The number of organizations targeted and their importance make this a severe cyberattack. The Cl0p group claimed that they won’t exploit government agency data, but few trust such assurances. Breach reports have already included organizations with sensitive health and financial data on individuals. Those affected will be scrambling to work out just how much of their sensitive data was exposed.
Polygon NFT Airdrop Fraud
When it happened
Ongoing
What happened
A recent phishing scam on the Polygon network, where fake NFT airdrops have been used to trick users, resulted in over $1.2 million in losses by crypto owners.
Method of attack
This scam operates by airdropping fraudulent NFTs that mimic real ones from well-known projects like Uniswap. Recipients who investigate the unexpected token are lured to phishing websites, where they are asked to sign a message or a transaction. The signature does not hand over the account itself; it approves the scammer's contract to move tokens out of the wallet (or authorizes a transfer directly), which is all the scammer needs to drain it.
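The defence against this kind of phishing is to read what a signature request actually authorizes before approving it. The script below is an added example, not code from the original article or from any wallet or project mentioned in it. It decodes the two request shapes these sites typically present: a transaction whose calldata calls `approve`, `setApprovalForAll` or a transfer function (the four-byte selectors are the standard ERC-20/ERC-721 ones), and an EIP-712 typed-data "Permit", which is an off-chain approval the spender can submit on-chain later. The addresses, the trusted list and the sample payloads are constructed.

```python
"""Added example: inspect what a wallet is being asked to sign.

Two request shapes are covered: a transaction whose calldata grants a token
approval or moves a token, and an EIP-712 typed-data "Permit", which is an
off-chain approval the spender can submit later. Selectors are the standard
ERC-20/ERC-721 ones; the addresses and payloads below are constructed.
"""
import json

SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}
UINT256_MAX = 2**256 - 1

# Constructed addresses: a marketplace the user already trusts and a scammer.
MARKET = "0x" + "11" * 20
ATTACKER = "0x" + "ab" * 20
TRUSTED = {MARKET}


def _words(data):
    """Split ABI-encoded arguments into 32-byte words."""
    return [data[i:i + 32] for i in range(0, len(data), 32)]


def _addr(word):
    """An address is the low 20 bytes of its 32-byte word."""
    return "0x" + word[-20:].hex()


def _uint(value):
    """Typed-data integers arrive as numbers or as decimal/hex strings."""
    return int(value, 0) if isinstance(value, str) else int(value)


def inspect_calldata(data_hex, trusted):
    """Explain, in plain terms, what a transaction's calldata would do."""
    data = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    fn = SELECTORS.get(data[:4].hex())
    if fn is None:
        return {"function": data[:4].hex(), "risk": "unknown",
                "reasons": ["unrecognised selector; do not sign blind"]}
    args = _words(data[4:])
    reasons = []
    if fn.startswith("setApprovalForAll"):
        operator, approved = _addr(args[0]), int.from_bytes(args[1], "big") != 0
        if approved:
            reasons.append(f"lets {operator} move every token in the collection")
            if operator not in trusted:
                reasons.append("operator is not a known marketplace")
    elif fn.startswith("approve"):
        spender, amount = _addr(args[0]), int.from_bytes(args[1], "big")
        if amount == UINT256_MAX:
            reasons.append(f"unlimited allowance for {spender}")
        if spender not in trusted:
            reasons.append("spender is not in the trusted list")
    else:  # transferFrom / safeTransferFrom
        reasons.append(f"moves a token from {_addr(args[0])} to {_addr(args[1])}")
    return {"function": fn, "risk": "high" if reasons else "low", "reasons": reasons}


def inspect_typed_data(payload_json, trusted, now):
    """Inspect an eth_signTypedData_v4 request; `now` is a Unix timestamp."""
    payload = json.loads(payload_json)
    primary, msg = payload.get("primaryType", ""), payload.get("message", {})
    reasons = []
    if "Permit" in primary:
        spender = str(msg.get("spender", "")).lower()
        if spender and spender not in trusted:
            reasons.append(f"permit spender {spender} is not trusted")
        if _uint(msg.get("value", 0)) == UINT256_MAX:
            reasons.append("unlimited permit value")
        if _uint(msg.get("deadline", 0)) - now > 365 * 24 * 3600:
            reasons.append("deadline is more than a year away")
    return {"primaryType": primary, "risk": "high" if reasons else "low", "reasons": reasons}


# Constructed payloads: setApprovalForAll(ATTACKER, true), approve(MARKET, 100),
# and a Permit for the attacker with no meaningful limit or expiry.
SAMPLE_SET_APPROVAL = "0xa22cb465" + "00" * 12 + "ab" * 20 + "00" * 31 + "01"
SAMPLE_SAFE_APPROVE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "00" * 31 + "64"
SAMPLE_PERMIT = json.dumps({
    "primaryType": "Permit",
    "message": {"owner": "0x" + "22" * 20, "spender": ATTACKER,
                "value": str(UINT256_MAX), "nonce": 0, "deadline": 1800000000},
})

if __name__ == "__main__":
    print(inspect_calldata(SAMPLE_SET_APPROVAL, TRUSTED))
    print(inspect_calldata(SAMPLE_SAFE_APPROVE, TRUSTED))
    print(inspect_typed_data(SAMPLE_PERMIT, TRUSTED, now=1688000000))
```

The point of the "Permit" branch is that nothing is broadcast when the victim signs: the wallet shows a harmless-looking message, and the scammer submits the approval and the transfer afterwards. Any request that names a spender or operator you did not intend to deal with, asks for an unlimited value, or never expires should be refused regardless of what the site promises.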
The fallout so far
The financial losses from this attack—$1.2 million—are significant, and over 300 victims have been affected. Moreover, experts have warned that the number affected is still growing. Attacks like these have become increasingly frequent, emphasizing the need for the crypto community to use more advanced anti-phishing measures.
Suncor
When it happened
Suncor disclosed the incident on June 25; the attack likely occurred shortly before this.
What happened
Suncor Energy was hit by a cyberattack, impacting roughly 1,500 Petro-Canada gas stations. The attack disrupted the company's payment and loyalty reward systems, forcing the stations to operate on a cash-only basis.
Method of attack
Suncor provided few details in its press release. However, given the extended downtime of payment systems, there’s reason to believe ransomware was used.
The fallout so far
While Suncor said that most gas stations can now accept card payments again, this cyberattack was damaging. One expert said that it’s likely to cost the company millions of dollars. Reportedly, the attackers may have been linked to the Russian state. If true, this has troubling implications for Canada’s energy security.
TSMC
When it happened
June 29
What happened
The Russia-linked LockBit ransomware gang carried out an attack against the Taiwan Semiconductor Manufacturing Company (TSMC). The group is demanding a ransom of $70 million from TSMC.
Method of attack
LockBit reportedly reached TSMC-related data by breaching Kinmax, a third-party IT supplier. The group claims to hold network entry points and passwords for TSMC systems and is threatening to leak them if the ransom isn't paid; TSMC said the exposed material related to the supplier's initial server setup and configuration rather than its own business or customer data.
The fallout so far
The picture is still unfolding, but this looks like a significant supply-chain attack. TSMC is the world's largest contract chipmaker, and Kinmax has hinted that TSMC may not be the only customer affected by the breach. This means that other tech firms Kinmax lists as partners, such as Microsoft, Citrix, and Cisco, could also have been exposed.
Des Moines
When it happened
Des Moines confirmed details of the attack on June 19, but it happened on January 9.
What happened
Iowa’s largest school district, Des Moines Public Schools, confirmed that a ransomware attack forced it to take its IT systems offline in January. They also confirmed that they chose not to pay the ransom demanded and that the hackers exposed sensitive data.
Method of attack
Des Moines hasn't disclosed how the hackers gained access to its systems. However, ransomware attacks usually involve cybercriminals gaining access to an organization's network, stealing a copy of important data, encrypting it, and then demanding a ransom both to restore the data and to withhold the stolen copy from publication. The exposure of data here suggests the district saw the double-extortion variant.
The fallout so far
As well as causing significant disruption to students’ education—the district was forced to cancel all classes for several days—the attack exposed the personal data of nearly 6,700 individuals. This attack is yet another example of the ransomware attacks plaguing the American education sector. According to Emsisoft, there were 89 ransomware attacks on the US education sector in 2022.
Eisai
When it happened
June 3
What happened
Eisai, a major Japanese pharmaceutical company, saw its operations disrupted and a number of its servers encrypted due to a cyberattack. The company was forced to take many of its IT systems offline to prevent the ransomware from spreading further.
Method of attack
The cybercriminals used a form of ransomware to encrypt some of Eisai's servers. However, the exact vulnerabilities exploited to get into Eisai's networks aren’t yet known, nor is the identity of the group responsible.
The fallout so far
The attack caused substantial disruption to Eisai's operations, with several systems—including logistics systems—taken offline. It’s still unclear what data was stolen and what kind of ransom is being demanded. This is not the first time Eisai has been a cyberattack victim, likely increasing the negative reputational consequences. In December 2021, a now-defunct ransomware group called AtomSilo attacked the company and reportedly leaked their data online.
Mondelēz
When it happened
The attack occurred in February, but Mondelēz began notifying affected individuals on June 15.
What happened
The sensitive personal data of over 50,000 current and former employees of Mondelēz International, the makers of Oreos, was exposed by a cyberattack. The attack didn’t hit Mondelēz directly but targeted their law firm, Bryan Cave Leighton Paisner. The compromised data includes employee dates of birth, Social Security numbers, and home addresses.
Method of attack
The exact method of attack, or whether a ransom was demanded, hasn’t been disclosed by Mondelēz or Bryan Cave Leighton Paisner.
The fallout so far
While Mondelēz confirmed that its own systems were not affected by the incident, the breach of 50,000 individuals’ sensitive personal data is a major blow—especially for the victims now at risk of identity fraud. The breach at BCLP is part of a broader trend of cyberattacks targeting major law firms. As these same law firms are often hired to defend their clients against lawsuits over cyberattacks, the embarrassment for those breached is likely greater.
United Parcel Service
When it happened
The data exposure happened between February 2022 and April 2023; UPS disclosed it in June.
What happened
United Parcel Service (UPS) revealed that they accidentally enabled some customers' shipping information to be openly accessible and that these customers were then targeted by a phishing campaign.
Method of attack
The attackers used UPS's package look-up tool to harvest delivery details, including recipients' personal contact information. That information made the follow-up text messages convincing: they impersonated companies such as LEGO and Apple, referenced real shipments, and demanded a payment before a package would be delivered.
The fallout so far
It’s not clear how many customers were successfully targeted by these phishing attacks (although we know they were carried out worldwide). However, the messages were quite convincing, increasing the risk of people falling prey. UPS was also criticized for an initial lack of transparency.
LetMeSpy
When it happened
The company disclosed the breach on June 21.
What happened
A hacker gained access to data held by LetMeSpy, an Android spyware app used to monitor thousands of phones worldwide, usually without the knowledge or consent of the people carrying them. The stolen data includes the email addresses of the app's customers along with the phone numbers, location data, call logs, and message contents harvested from monitored devices, going back as far as 2013.
Method of attack
It isn’t clear exactly how the hacker breached the app. However, after gaining access, they reportedly seized control over LetMeSpy's domain and later published a copy of the hacked database online. They may also have deleted databases stored on LetMeSpy’s server.
The fallout so far
This is a violation of the privacy of thousands of victims, many of whom may already have been subjected to the domestic violence, stalking, or other coercion that the use of spyware is commonly associated with. It appears that the LetMeSpy app is no longer functioning. The identity of LetMeSpy's developer, Rafal Lidwin, was also exposed. He previously remained anonymous, likely because of the legal risks associated with covert phone surveillance.
US Patent and Trademark Office
When it happened
From February 2020 to March 2023; it was disclosed on June 29.
What happened
The US Patent and Trademark Office (USPTO) admitted to accidentally leaking the private addresses of around 61,000 individuals who filed applications with them. These addresses were exposed in public records and in datasets published online to assist researchers.
Method of attack
This was not an attack as such, but a prolonged data spill by the agency itself: one of its APIs returned applicants' domicile addresses in its responses, and those responses fed both the public records and the bulk datasets published for researchers.
The fallout so far
The API error that caused the data leak has been resolved, and the agency stated there's no reason to believe data has been misused. However, it can’t be stated with certainty that those whose data was leaked haven’t been targeted in some way.
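The UPS and USPTO incidents above share a root cause: a public lookup or dataset returned every field a record held rather than only the fields the requester needed. As an added example that is neither UPS's nor the USPTO's code, the following shows a leaky record-lookup endpoint next to a hardened version that applies a response-field allowlist, requires a second piece of knowledge before answering, gives one indistinguishable "not found" for an unknown identifier and a wrong second factor, caps queries per client so identifiers cannot be enumerated at scale, and runs bulk exports through the same allowlist. The records, identifiers, field names and limits are constructed.

```python
"""Added example: a public record-lookup endpoint, leaky and hardened.

Neither version is UPS's or the USPTO's code. The hardened version applies a
response-field allowlist, asks for a second thing only the legitimate party
knows, answers "not found" identically for a bad identifier and a bad second
factor, and caps queries per client. Records, identifiers and limits are
constructed.
"""
import hmac
from collections import defaultdict

# Constructed records: what a shipment store might hold about a parcel.
RECORDS = {
    "1Z999AA10123456784": {"status": "Out for delivery", "city": "Calgary",
                           "recipient": "J. Doe", "phone": "+1-403-555-0100",
                           "street": "12 Example Ave", "postal_code": "T2P 1J9"},
    "1Z999AA10123456795": {"status": "Delivered", "city": "Halifax",
                           "recipient": "A. Smith", "phone": "+1-902-555-0199",
                           "street": "9 Sample Rd", "postal_code": "B3H 1A1"},
}

# Fields that anyone holding a tracking number may legitimately see.
PUBLIC_FIELDS = ("status", "city")


def leaky_lookup(records, tracking):
    """The exposure pattern: anyone with an identifier gets the whole record."""
    rec = records.get(tracking)
    return dict(rec) if rec else None


def _normalise(code):
    return code.replace(" ", "").upper()


class HardenedLookup:
    def __init__(self, records, public_fields=PUBLIC_FIELDS, max_queries=5):
        self.records = records
        self.public_fields = public_fields
        self.max_queries = max_queries  # per client; window reset is omitted here
        self.queries = defaultdict(int)

    def lookup(self, client, tracking, postal_code):
        self.queries[client] += 1
        if self.queries[client] > self.max_queries:
            return {"error": "rate limited"}
        rec = self.records.get(tracking)
        # Always perform the comparison (with compare_digest rather than ==)
        # and return one failure message, so the endpoint does not tell a
        # caller whether the tracking number or the postal code was wrong.
        expected = _normalise(rec["postal_code"]) if rec else "NONE"
        matched = hmac.compare_digest(expected, _normalise(postal_code))
        if rec is None or not matched:
            return {"error": "not found"}
        return {k: rec[k] for k in self.public_fields if k in rec}


def export_public(records, public_fields=PUBLIC_FIELDS):
    """Bulk/research datasets get the same allowlist as the live endpoint,
    so a field that must stay private cannot leak through a second channel."""
    return {tid: {k: rec[k] for k in public_fields if k in rec}
            for tid, rec in records.items()}


if __name__ == "__main__":
    print(leaky_lookup(RECORDS, "1Z999AA10123456784"))
    svc = HardenedLookup(RECORDS)
    print(svc.lookup("203.0.113.5", "1Z999AA10123456784", "t2p 1j9"))
    print(svc.lookup("203.0.113.5", "1Z999AA10123456784", "X0X 0X0"))
    print(export_public(RECORDS))
```

The allowlist is the important part: a denylist of "sensitive" fields fails the moment a new column is added to the record, which is exactly how an address that should never have been public ends up in an API response and then in a published dataset.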
Other News
ChatGPT accounts for sale
Group-IB researchers found credentials for more than 100,000 compromised ChatGPT accounts in logs offered on dark web marketplaces between June 2022 and May 2023; the credentials had been harvested by information-stealing malware on users' devices rather than taken from OpenAI.
Minecraft malware menace
Cybercriminals embedded the "Fractureiser" malware in Minecraft mods and plugins distributed through CurseForge and Bukkit; it steals credentials, personal data, and players' cryptocurrency.
Big rewards for Chrome exploits
Google is offering up to $300,000 to researchers who can find full-chain exploits in their Chrome browser.
Most wanted: Cl0p gang
The US State Department is offering a reward of up to $10 million for information linking the notorious Cl0p ransomware gang behind the recent MOVEit Transfer hack (reported above) to a foreign government.
Criminals caught
- The US DoJ charged two Russians, Alexey Bilyuchenko and Aleksandr Verner, with laundering 647,000 Bitcoins stolen from the now-defunct Mt. Gox crypto exchange in 2011.
- UK hacker Joseph James O’Connor, known for the 2020 Twitter hack, was sentenced to five years in US prison for cyberstalking and SIM-swapping-related cryptocurrency theft.
- Europol's investigation into EncroChat allowed them to intercept over 115 million criminal conversations. This led to 6,558 arrests, the seizure of 900 million Euros, and the prevention of various major crimes.
- Nikita Kislitsin, former head of network security for a top Russian cybersecurity firm, was arrested in Kazakhstan due to longstanding US hacking charges.
Vulnerabilities fixed
- Jetpack - a critical vulnerability in the Jetpack plugin for WordPress has been patched, having gone unnoticed for over 10 years.
- Big tech patches - Apple, Microsoft, Google, and other major tech companies have fixed vulnerabilities recently.
Government news
- Under CISA's new Binding Operational Directive 23-02, federal agencies have 14 days from CISA's notification (or their own discovery) to take Internet-exposed management interfaces of networking devices, including firewalls, routers, and load balancers, off the public Internet or put them behind a zero-trust access control.
- The NSA released a guide to defending against BlackLotus bootkit malware attacks. This is to ensure system administrators are better prepared against what is still a serious threat.