This week witnessed less activity from APT groups but cybercriminals were active none the less trying to social engineer they way into a breach. Enterprises continue to be under pressure along with e-commerce sites, banks, and power plants. The Northwest Territories Power Corporation in Canada was attacked mid-week by hackers who tried to install ransomware. They also posted instructions guiding NTPC’s web visitors on how to access the Dark Web through a TOR browser.
This attack is another instance of a successful deception attack. The hackers were initially trying to conduct attacks to keep cyber defense agencies occupied during the Coronavirus pandemic. In many instances of such attacks, the hackers were not able to do much harm but were able to make their presence felt.
Companies in the pharmaceutical and banking sectors also reported breaches this week. The data that was stolen through a range of attacks over the last 60 days has started to appear on the dark web. Our research found that the number of results (records) available in the Dark Web for certain keywords registered a 35 percent rise in the last 14 days. While some parts of this may be dummy data, there is every reason to believe that some of it might be personal data belonging to victims.
The modus operandi is simple to create diversions to create gaps in cyber defenses that hackers can exploit. While the agencies investigate a diversionary attack, the hackers then go after the actual targets which are often a healthcare provider or a related facility. We have seen such attacks throughout March and April in countries like France, Italy, Germany, and the Czech Republic where hackers tried to disable medical facilities by crippling networks and devices, pilfering personal data, and slowing down medical procedures. Even the World Health Organization was not spared.
With employees connected to critical infrastructure working from unmonitored environments and hackers increasing their attempts to breach them, manufacturing plants, electrical grids, oil and gas, and transportation infrastructure continue to be at risk.
State of geopolitical attacks
While APT actors continue to operate with impunity, they shifted their attention from hacking government communication to targeting lawmakers last week. At least one lawmaker in the UK reported being attacked in an attack with geopolitical motivations. APT actors have also moved away from probing critical infrastructure as the number of APT-backed probing attempts recorded a slight dip last week. This doesn’t look like a trend and seems more like a temporary lull to us and we expect the numbers to pick up in the next 14 days.
Cyberattacks on the transport sector continued to rise in the last 14 days and we expect this trend to continue.
We are issuing an advisory for the following sectors this week:
- Financial services
- Healthcare research labs
- Government – especially lawmakers and government agencies connected with internal/homeland security