MOVEit Hack Impacts British Airways, BBC, Aer Lingus and more as Russia-linked Clop group takes responsibility
North Korea Makes 50% of Income from Cyber-Attacks says new report
Capita Hack – Lawyers circling as the fallout continues
Hackers steal Swiss police and customs data
Caribbean Island of Martinique struggling with the aftermath of crippling cyber attack
A suspected Russia-linked cyber attack compromised the data of thousands of employees at British Airways, the BBC, Aer Lingus and other organisations, including bank account details and national insurance numbers. Some of the UK's leading businesses are still trying to determine the extent of the employee data breach, which is believed to have affected hundreds of thousands of workers worldwide.
The National Cyber Security Centre is working to ascertain the UK impact of this major incident. Notable victims of the hack include British Airways, the BBC, Boots, and Aer Lingus, all of which were targeted via Zellis, a payroll processing firm.
The Clop ransomware gang claimed responsibility after posting a notice on the dark web warning those affected by the MOVEit hack to email them before 14 June or stolen data will be published.
On Monday, British Airways, the BBC, Aer Lingus and multiple other businesses alerted their workforces about a "cyber security incident" leading to the disclosure of personal information of employees paid through their UK and Ireland payrolls. This compromised data includes names, addresses, national insurance numbers, and banking details.
The hackers exploited a backdoor in MOVEit, file-transfer software used by Zellis. Progress Software, the maker of MOVEit, discovered the vulnerability and urged its customers to act immediately by removing any unauthorised user accounts the attackers had added. The incident demonstrates the risk to organisations that depend on third-party data processing services. A patch for the vulnerability is available, and organisations using the software are strongly advised to apply it as soon as possible.
A US diplomat claims that North Korea garners nearly half its foreign-currency income from cyber-attacks, with particular focus on cryptocurrencies. A senior official from the Biden administration reported a significant surge in these cyber-attacks since 2018, mirroring the regime's growing nuclear and missile programmes.
"Cryptocurrency heists and cyber-attacks are a significant funding source for Pyongyang. We estimate that around 50% of their foreign-currency earnings are derived from cyber theft," the official shared. Efforts are underway in collaboration with South Korea and other global allies to counteract these activities and increase awareness among companies.
It's believed that the Kim Jong-un regime engages roughly 10,000 operatives to execute a widespread financially-driven cyber-attack campaign. Additionally, thousands of IT personnel are reportedly sent abroad with falsified documents to work in developed economies.
North Korean hackers have been implicated in some of the largest cryptocurrency heists, including the $620 million stolen from Sky Mavis' Ronin Network last year and the $281 million from KuCoin in 2020. Their methods have become increasingly sophisticated, as evidenced by the 3CX supply chain attacks that targeted cryptocurrency exchanges. The UN reported in 2019 that North Korea had amassed up to $2 billion through historical attacks on crypto firms and traditional banks.
The fallout from the Capita breach continues after it was revealed that the outsourcing firm could face legal action following a cyberattack earlier this year that led to the theft of client data, allegedly by Russian hackers. Renowned law firms such as Leigh Day are contemplating lawsuits after being contacted by individuals who believe they were affected by the breach.
Capita previously disclosed the anticipated financial fallout from the attack to be up to £20m. Despite confirming that less than 0.1% of its servers were affected, the company did not provide further details on the exact number of servers or the amount of data compromised.
The Times newspaper reported that Leigh Day approached the Universities Superannuation Scheme, known to have been targeted in the attack, seeking more clarity about the breach for their clients. Leigh Day partner Sean Humber expressed scepticism about the relevance of the '0.1%' figure.
Barings Law, another law firm, is also actively seeking affected USS members through social media appeals.
Hackers have disclosed data from the Federal Office of Police (Fedpol) and the Federal Office for Customs and Border Security (FOCBS) on the Darknet, following the exploitation of a flaw in the servers of the hosting company.
Both cantonal police and the army have also been indirectly impacted by the cyberattack. In recent years, Switzerland has experienced a surge in such attacks, with local authorities, GP practices, a guardianship service, media firms, and industry behemoths like ABB and Swissport all falling victim.
Martinique, a Caribbean island under French administration and part of the European Union, has been grappling with a prolonged cyberattack that has disrupted internet access and affected other infrastructure. The attack, which began on May 16, has significantly disrupted community activities, affecting users and partners. Authorities have isolated the affected systems and brought in cybersecurity experts to support a gradual recovery.
Despite the challenges, government and school administrators are coordinating efforts to maintain educational and social services. In the absence of online platforms, physical paperwork has been reinstated for financial services and social benefit requests. The government's website remains down, with some offices temporarily closed.
France’s National Agency for Information Systems Security (ANSSI) has issued cyber hygiene advice and recommended enhanced use of security tools like firewalls and antivirus software.
The Rhysida ransomware group has claimed responsibility for the attack, leaking what appears to be government data. Emerging in May 2023, the group's operations remain largely obscure. This incident follows a similar attack in Guadeloupe, another French Caribbean territory, underscoring the rising cybersecurity challenges in the region.
If you are worried about any of the threats outlined in this bulletin, or need help determining what steps to take to protect yourself from the most material threats facing your organisation, please contact your account manager or get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.