TIMELINE OF 2022'S KEY CYBER EVENTS

January
  • Ukraine has been hit by a large-scale cyber-attack that took down several of its government and ministry websites. Threat actors defaced the Foreign Affairs website with a threatening message reading “Ukrainians!… All information about you has become public, be afraid and expect worse.” Researchers additionally found evidence of a significant ongoing operation targeting multiple organizations in Ukraine, leveraging malware disguised as ransomware that could render a system inoperable.
  • Television channels and a radio station run by Iran’s state broadcaster were hacked in a complex attack by an exiled opposition group. The hacktivist group Edalat-e Ali (Ali's Justice) hacked the television website and broadcast a video with a strong opposition message. The video started with footage of people in Tehran’s Azadi stadium shouting “death to dictator”, referring to Supreme Leader Ali Khamenei, then cut to a close-up of a masked man resembling the protagonist of the movie V for Vendetta, who said “Khamenei is scared, the regime’s foundation is rattling”. Check Point Research provided an in-depth technical analysis of one of the attacks. CPR was able to uncover some of the tools used in this operation, including evidence of the use of a destructive wiper malware.

February
  • A significant ransomware attack has disrupted operations of oil port terminals in Belgium, Germany and the Netherlands, affecting at least 17 ports and causing difficulties loading and unloading refined product cargoes. The BlackCat cybercrime group is suspected of being behind the attack.
  • Ukraine has been at the center of a series of targeted DDoS attacks on the websites of its armed forces, defense ministry, public radio and national banks. The US Government has officially attributed the attacks to Russia’s Main Directorate of the General Staff of the Armed Forces.
  • Check Point Research has released data on cyberattacks observed around the Russia/Ukraine conflict. Cyberattacks on Ukraine’s government and military sector surged by 196% in the first three days of combat. Cyberattacks on Russian organizations increased by 4%. Phishing emails in the East Slavic languages increased 7-fold.
  • Following an announcement by OpenSea about a contract migration they are planning, Check Point Research observed that hackers took advantage of the upgrade process and scammed NFT users, leading to theft of millions of dollars.
March
  • Ukraine’s “IT Army”, consisting of cyber-operatives and volunteers worldwide, has claimed attacks that took down multiple key Russian and Belarusian websites, including the Kremlin’s official site.
  • Among the data leaked from NVIDIA by the Lapsus$ ransomware gang were two stolen code-signing certificates used by the company to sign its drivers and executables. Attackers have already started using these certificates to sign malware, hoping to evade security solutions. Lapsus$, which took responsibility for the breach of the chip giant NVIDIA, claims it also managed to breach the Korean manufacturer Samsung, and published 190GB of sensitive data online.
  • One of Russia’s largest meat producers, Miratorg Agribusiness Holding, has suffered a major cyberattack. Threat actors used Windows BitLocker to encrypt full volumes on the victim’s IT systems and demanded a ransom. The attack resulted in distribution disruptions for several days.

April
  • Check Point Research (CPR) revealed a large spike in attacks committed by advanced persistent threat groups (APTs) around the world, using the war between Russia and Ukraine as a lure. Most of the attacks started with spear-phishing emails containing documents with malicious macros that dropped malware such as the Loki.Rat backdoor.
  • The new Spring4Shell vulnerability (CVE-2022-22965) has been actively exploited by threat actors since the beginning of April to deploy the Mirai botnet. The Singapore region has been one of the most impacted geographic areas. Check Point Research shows that 16% of organizations worldwide were impacted by Spring4Shell during the first 4 days after the vulnerability outbreak. VMware has released security updates to address this critical remote code execution flaw within its products.
  • Check Point Research identified “ALHACK”, a set of vulnerabilities in the ALAC audio format that could have been used for remote code execution on two-thirds of the world’s mobile devices. The vulnerabilities affected Android smartphones powered by chips from MediaTek and Qualcomm, the two largest mobile chipset manufacturers.
  • Check Point Research identified a vulnerability in the Everscale blockchain wallet. If exploited, the vulnerability would have given an attacker full control over a victim’s wallet and subsequent funds. The vulnerability was discovered in the web version of Everscale’s wallet, known as Ever Surf. Available on Google Play Store and Apple’s App Store, Ever Surf is a cross-platform messenger, blockchain browser, and crypto wallet for the Everscale blockchain network.
May
  • Costa Rica has declared a State of Emergency following a devastating ransomware attack by the Conti gang. The attack affected many governmental organizations, including the Finance Ministry, the Costa Rican Social Security Fund, and the Ministry of Science, Innovation, Technology, and Telecommunications. An estimated $200 million was lost due to disruptions related to the tax and customs platforms. The Conti ransomware gang has allegedly taken its infrastructure offline after its leaders announced they were reorganizing their operation. The news comes a few days after Conti extorted Costa Rica. Conti members are believed to be currently migrating and rebranding into smaller ransomware operations.
  • Lincoln College, a 157-year-old institution in Illinois, has announced it will close indefinitely after a significant ransomware attack in December 2021 took a toll on the school’s operations.
  • Sberbank, a Russian banking services organization, has been the target of continuous attacks in the past month by pro-Ukraine hackers. The bank recently suffered the largest distributed denial-of-service (DDoS) attack ever recorded, measured at 450 GB/s.
  • The Russian state-sponsored hacking group Turla has been running a reconnaissance campaign against the Austrian Economic Chamber, a NATO platform, and the Baltic Defense College.
June
  • CERT Ukraine has issued a warning concerning Russian hackers, possibly the state-sponsored APT group Sandworm, launching attacks that exploit the critical Follina vulnerability (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool. The campaign leverages malicious emails with DOCX attachments targeting media and news outlets in Ukraine.
  • The largest HTTPS DDoS attack ever recorded has recently been mitigated, peaking at 26 million requests per second. The attack targeted a Cloudflare customer and originated from cloud service providers rather than residential internet service providers, indicating the use of hacked virtual machines.
  • Microsoft has issued a fix for the critical Follina vulnerability (tracked as CVE-2022-30190), which has been exploited in the wild, and urges users to update and patch without delay.
  • Russian intelligence services have reportedly increased attacks against governments and NGOs supporting Ukraine in 42 different countries, with the goal of obtaining sensitive information from NATO countries’ agencies.
July
  • Both Norway and Lithuania were victims of large-scale DDoS attacks. The attacks are assumed to have been carried out by separate pro-Russian hacker groups, with the goal of discouraging the nations’ support of Ukraine.
  • Twitter has suffered a data breach after threat actors used a vulnerability to build a database of phone numbers and email addresses belonging to 5.4 million accounts, with the data now up for sale on a hacker forum for $30,000. According to the listing on the stolen-data market, the database contains information on a range of accounts, including celebrities, companies and ordinary users.

August
  • The critical Atlassian Confluence vulnerability tracked as CVE-2022-26138 has been exploited in the wild. Unauthenticated actors could leverage the flaw remotely to gain unrestricted access to all pages in Confluence. In addition, CISA issued a warning and ordered US federal agencies to address the vulnerability.
  • Cisco confirms it has been breached by the Yanluowang ransomware group. Initial access was obtained after the threat actor stole an employee’s Google account credentials, saved in their browser, and then got the user to accept an MFA push. The company says that while there have been signs of pre-ransomware activity, no ransomware has been deployed on Cisco’s systems.
  • The pro-Russian hacker group Killnet publicly targeted Lockheed Martin, calling on other hacker groups to join in on attacks. At this point Killnet claims to be responsible for a recent DDoS attack on the company, and claims to have obtained personal data of the company’s employees; the claims were denied by the American corporation.
  • South Staffordshire Water, the UK’s largest water company, supplying 330 million liters of drinking water to 1.6 million consumers daily, has been the victim of a ransomware attack launched by Cl0p, a Russian-speaking ransomware gang. The group disrupted the company’s IT systems and gained access to more than 5TB of data, including passports, screenshots from water treatment SCADA systems, driver’s licenses, and more.
  • Apple has issued an urgent patch for two zero-day flaws actively exploited by attackers to hack iPhones, iPads, or Macs. Among them is CVE-2022-32893, an out-of-bounds write vulnerability in WebKit that would allow an attacker to perform arbitrary code execution, and CVE-2022-32894, an out-of-bounds write vulnerability in the operating system’s kernel that would allow an attacker to execute code with kernel privileges.
  • Check Point Research has discovered an active cryptocurrency mining campaign imitating “Google Translate Desktop” and other free software to infect PCs. Created by a Turkish-speaking entity called Nitrokod, the campaign counts 111,000 downloads in 11 countries since 2019.
September
  • A traffic jam was generated in Moscow in a kind of physical DDoS attack, as attackers hacked Russian taxi service Yandex, and ordered dozens of cars to a specific location. The Anonymous collective claims to be behind this attack.
  • Multiple cyberattacks linked to Iran have been disrupting Albania’s government systems since July, forcing it to shut down some online services. In response, Albania’s government halted its diplomatic ties with Iran, ordering embassy staff to leave within 24 hours. The latest attack, which occurred over the weekend, allegedly by the same actor, targeted the Albanian Police’s computer system, forcing officials to take its TIMS system, used for immigration data tracking, offline.
  • Uber has suffered a data breach, allegedly by an 18-year-old hacker who gained access using social engineering tactics on an employee. The hacker claims to have access to Uber’s internal IT systems and to the company’s HackerOne bug bounty account, which contains vulnerabilities in Uber’s systems and apps disclosed privately by security researchers. Uber claims that users’ private information was not compromised.
  • A new record-breaking DDoS attack has been recorded this week, peaking at 704.8 Mpps, about 7% higher than the previous attack recorded against the same European organization last July.

October
  • Hacktivist groups around the world have taken aim at the Iranian regime, as protests throughout the country continue. The groups have been leaking information relating to Iranian government officials, and offering support to the protesters in sharing information and evading censorship.
  • Personal information of 10 million Australians has been stolen in a breach of the telecom company Optus. The data includes sensitive information, such as passport and healthcare details. While the hackers initially demanded a $1 million ransom, they later retracted their demand due to the high attention drawn to the hack and the law enforcement operation initiated to identify the attackers.
  • Check Point Research published a report studying the rising trend of state-mobilized hacktivism. While in the past hacktivist groups tended not to affiliate themselves with national interests, groups nowadays take part in state-directed efforts, driven by geopolitical conflicts.
  • Russian-speaking threat group Killnet claims responsibility for attacks taking down different US state government websites, including those of Colorado, Kentucky, Mississippi and others.
  • Online shopping company Woolworths has reported a data breach impacting over two million Australian users of its MyDeal subsidiary. The company said the breach was due to a compromised user credential that was used to gain unauthorized access to MyDeal’s customer relationship management system. Several other Australian companies were breached during October: the country’s largest health insurance firm, Medibank, froze trading on the Australian stock exchange after confirming a 200GB data breach; in a breach of wine retailer Vinomofo’s network, data of over 500,000 customers was leaked; and an attack on energy company EnergyAustralia exposed payment data of hundreds of the company’s customers.
  • Russian-affiliated hacktivist group ‘Killnet’ has launched a DDoS attack against government websites in Bulgaria, causing them to become inaccessible. Killnet said that Bulgaria was targeted due to its “betrayal to Russia” and the supply of weapons to Ukraine.
  • The largest copper manufacturer in Europe, Aurubis, has been the victim of a cyberattack that targeted its IT systems and forced the company to shut down many of its sites’ systems.
  • Check Point Research found that global attacks increased by 28% in the third quarter of 2022, with education/research as the most attacked industry overall, and the healthcare sector the most targeted industry in ransomware attacks.
  • OpenSSL, used widely for secure communications, gave a heads-up about a critical vulnerability in versions 3.0 and above that would be published on Tuesday, November 1st. When published, the vulnerabilities were downgraded to ‘high’ severity.

November
  • The IT Army of Ukraine claims to have gained access to Russia’s Central Bank. They published 27,000 of the leaked files, containing personal, legal, and financial data.
  • Check Point Research identified a new and unique malicious package on PyPI, the leading package index used by developers for the Python programming language. The package was designed to hide code in images and spread through open-source projects on GitHub.
  • The Azov ransomware is being distributed worldwide to encrypt victim files, but analysis by Check Point Research shows that Azov is in fact a data wiper aimed at destroying data, with no way to recover the files.
  • Meta has fired dozens of employees after they received thousands of dollars in bribes from outside hackers in return for granting access to users’ Facebook or Instagram profiles. The employees used the company’s internal support tool, which allows full access to any user account.
  • The European Parliament website has been attacked following a vote declaring Russia a state sponsor of terrorism. The pro-Russian hacktivist groups Anonymous Russia and Killnet have claimed responsibility for the attack, an ongoing DDoS (Distributed Denial of Service).
  • Black Basta ransomware group is running a campaign targeting organizations in the United States, Canada, United Kingdom, Australia, and New Zealand. The group uses QakBot (AKA QBot, Pinkslipbot) banking Trojan to infect an environment and install a backdoor allowing it to drop the ransomware.
December
  • Cyber criminals who breached Australian Medibank’s systems have released another batch of data onto the dark web, claiming that the files contain all data harvested in the earlier breach that impacted 9.7 million customers in October 2022. Medibank has confirmed the data breach.
  • Researchers found that over 300,000 users across 71 countries were affected by an Android campaign meant to steal Facebook credentials. The campaign used the Schoolyard Bully mobile Trojan, deployed in seemingly legitimate education-themed applications that were available in the official Google Play Store.
  • Check Point Research has analyzed the activity of the cyber-espionage group Cloud Atlas. Since its discovery in 2014, the group has launched multiple, highly targeted attacks on critical infrastructure across geographical zones and political conflicts; however, its scope has narrowed significantly in the last year, with a clear focus on Russia, Belarus and conflict zones in Ukraine and Moldova.
  • As artificial intelligence (AI) models grow more and more popular, Check Point Research discusses the risks and upsides of the technology. CPR demonstrates how AI technologies, like ChatGPT and Codex, can easily be used to create a full infection flow, from spear-phishing to running a reverse shell, and provides examples of the positive impact of AI on the defenders’ side.