The website of Israel's largest oil refineries, managed by BAZAN Group, was rendered inaccessible following an assault by an Iranian hacktivist group named Cyber Avengers. The site was unavailable for several days, with access requests either rejected or timing out.
Although operational technology appeared to be unaffected, Cyber Avengers, who claimed responsibility, also leaked screenshots of what they said were BAZAN's SCADA systems, which control industrial equipment. The screenshots included code and diagrams for programmable logic controllers (PLCs).
In response to the leaked materials, a spokesperson for BAZAN Group quickly dismissed them as "entirely fabricated." The company stated that it was actively looking into the incident and chose not to provide any additional details at this time.
Identified as a pro-Iranian group, Cyber Avengers announced that they exploited a firewall vulnerability to breach BAZAN's network; the group did not say which product or flaw was involved. A menacing message on Telegram followed, stating, "Since 2020 we've blown you up a lot, but the worst is yet to come," suggesting that the group has more attacks planned against Israeli targets.
The US government is confronting two serious cyber security incidents.
Chinese spies are suspected of planting malware in vital American IT systems, potentially affecting water supplies, power grids, and military communications. The malware, possibly linked to the Beijing-backed group Volt Typhoon, is described as a "ticking time bomb" that could disrupt US systems, a development that follows earlier reports of the group targeting military infrastructure.
Secondly, a US Air Force engineer is accused of stealing $90,000 worth of equipment and compromising communication security across 17 military facilities and potentially the FBI. A federal raid seized USB drives containing sensitive information and administrative passwords.
Both incidents highlight growing concerns over vulnerabilities in the nation's cyber security infrastructure and the ongoing threats posed by both state-sponsored and internal actors.
The incident involving the Air Force engineer underlines the insider threat that all organisations, not just military or government entities, face. Individuals with privileged access to sensitive systems can exploit their position to steal information or sabotage operations.
A nation-state actor with connections to China is suspected of orchestrating a series of cyberattacks against industrial organisations in Eastern Europe last year. The purpose was to extract data from air-gapped systems, which are isolated from unsecured networks.
Cyber security researchers attributed the intrusions with medium to high confidence to a hacking group known as APT31. Other names for this group include Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium). This attribution is based on similarities in the observed tactics.
The attacks involved the use of over 15 unique implants and their variations, categorised into three groups according to their function: establishing persistent remote access, collecting sensitive information, and transmitting the data to infrastructure controlled by the hackers.
The researchers described one implant type as a sophisticated modular malware designed to profile removable drives and infect them with a worm, aimed at exfiltrating data from the isolated networks of industrial organisations in Eastern Europe. Another implant was intended for stealing data from local computers and sending it to Dropbox using subsequent-stage implants.
Earlier this month, security experts detected likely attacks by the same adversary against South Korean companies, intending to infect machines with a backdoor called Rekoobe.
These incidents highlight the ongoing and evolving threat posed by sophisticated nation-state actors, with the potential to compromise both isolated and connected systems, threatening industrial and economic security on a global scale.
The Italian National Authority for Cybersecurity (ACN) has reported a series of distributed denial of service (DDoS) attacks targeting at least five major Italian banks.
The attacks were attributed to the pro-Russian hacker group NoName057(16), and according to the group's encrypted Telegram channel, began around 5 am ET on Tuesday. Though the disruption was short-lived and did not affect mobile app functionality, the ACN swiftly intervened to mitigate the impact.
The affected banks included Intesa Sanpaolo, Monte dei Paschi di Siena, BPER Banca, FinecoBank, and Banca Popolare di Sondrio. The DDoS assaults temporarily disabled the banks' websites, restricting customer access. Two other banks, Che Banca and Fideuram, were also mentioned by the hackers.
ACN stated that it believes the attacks by pro-Russian hackers are linked to Italy's stance on the Ukraine conflict, with other recent targets including critical infrastructure in several NATO member countries and European ports. NoName's activities have escalated since the Russian invasion of Ukraine, even offering cryptocurrency to recruit volunteer hackers.
If you are worried about any of the threats outlined in this bulletin, or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Join us in Dublin or London for the Security First 2022 conference. We'll be bringing together industry professionals and specialist experts to discuss the latest cyber security trends and offer actionable advice on preparing your business to put security first in 2022.