Major Cyberattacks in Review: July 2023
The major cyberattacks of July 2023 included waves of data breaches, affecting both private and public sector entities, including healthcare organizations, financial institutions, and government agencies.
However, the most attention-grabbing incident of the month was the MOVEit Transfer attacks by Clop ransomware, which affected over 20 million individuals and nearly 400 companies. The threat actor’s campaign has raised significant concerns due to the magnitude of the data breaches and the potential consequences for the victims involved.
In this blog post, we delve into some of the major cyberattacks that occurred during July 2023.
Israeli Oil Refinery BAZAN Group’s Website Hacked by ‘Cyber Avengers’, SCADA Systems Exposed
Iranian hacktivist group ‘Cyber Avengers’ claimed responsibility for hacking Israel’s largest oil refinery operator, BAZAN Group, causing its website to be inaccessible from most parts of the world. The group leaked alleged screenshots of BAZAN’s SCADA systems, while the company dismissed the materials as “entirely fabricated.”
The hacktivist group suggested they breached the company via an exploit targeting a Check Point firewall, though Check Point denied any past vulnerability enabling such an attack. Cyber Avengers had previously claimed responsibility for fires at Haifa Bay petrochemical plants in 2021 and attacks on Israeli railway stations in 2020.
Modern Warfare 2 Servers Offline Due to Self-Spreading Worm
On July 26th, the Call of Duty: Modern Warfare 2 servers were taken offline by Activision in response to players’ concerns about a self-spreading worm virus infecting the PC version of the game.
The malware, identified as Trojan:Win32/Wacatac.B!ml, had surfaced on the Steam discussion page. The servers were later restored, but the excitement was short-lived as the virus persisted. Researchers suspect hackers used hacked lobbies to spread the virus automatically from one user to another. This is not the first cybersecurity incident the gaming giant has faced: earlier this year, it was targeted in an SMS phishing attack, leading to data breaches.
NATO Investigates Alleged Data Theft from COI Cooperation Portal
NATO is investigating an alleged data theft from the Communities of Interest (COI) Cooperation Portal by the hacking group SiegedSec. The group posted on Telegram, claiming to have stolen hundreds of documents from the unclassified information-sharing platform.
CloudSEK analyzed the leaked data, which includes 8,000 rows of sensitive information, impacting 31 NATO member nations. The hackers, likely hacktivists, state that the attack is a protest against NATO’s actions on human rights and is not related to the Russia-Ukraine conflict.
NATO recently issued an alert for cyberattacks targeting NATO countries; read more on our blog.
Lazarus Group Strikes: Massive Hacks on Alphapo and CoinsPaid
The notorious North Korean hacker group, Lazarus, targeted two major cryptocurrency entities, resulting in staggering losses. In a massive hack on Alphapo, a payment processor associated with gambling and e-commerce sites, over $60 million was drained from hot wallets in cryptocurrencies like Ethereum, Bitcoin, and Tron. The attackers cleverly swapped the stolen funds into stablecoins and Bitcoin via Avalanche.
In a separate incident, Estonian crypto-payments service provider CoinsPaid reported a $37.2 million cyber attack, also attributed to Lazarus. The group’s involvement in both attacks signals its ongoing ambition to amass stolen funds, which are estimated at over $2 billion from various high-profile crypto heists in the past.
Egyptian Ministry of Health and Population Data Breach: Two Million Records Allegedly Stolen
On July 25, 2023, an ‘established’ threat actor claimed to have acquired two million data records from the Egyptian Ministry of Health and Population. SOCRadar and dark web monitoring firm Falcon Feeds reported the allegation. The stolen database allegedly contains extensive personal patient information, including names, IDs, national numbers, phone numbers, addresses, procedure classification details, diagnoses, and treatment details. The threat actor provided a sample of the dataset to validate their claim, and they have a history of selling databases from previous breaches, indicating financial gain as their primary motivation.
Tampa General Hospital Breach: 1.2 Million Patients’ Data Compromised in Failed Ransomware Attack
Tampa General Hospital recently disclosed a security breach where hackers accessed its network and stole files containing the protected health information of up to 1.2 million patients. The breach was detected on May 31, 2023, prompting immediate action to prevent further unauthorized access.
A digital forensics firm was engaged to investigate the incident and confirmed that unauthorized individuals had access to the network for three weeks in May 2023. The stolen data included various patient information, but the hospital’s security systems successfully prevented files from being encrypted during the attempted ransomware attack.
Clop Ransomware’s MOVEit Exploitation Campaign Has Affected Over 20 Million Individuals
DHL is the latest company to fall victim to the Clop ransomware gang’s exploitation of the MOVEit bug. Despite Progress Software’s patching of the software, cybercriminals continue to find unpatched targets. The impact of this attack is widespread, with at least 383 organizations affected and the personal information of 20,421,414 individuals leaked, as reported by Emsisoft researchers.
Among the recent victims, Ernst & Young’s clients had critical information exposed, including financial reports, accounting documents, passport scans, Visa scans, risk and asset management documents, contracts, agreements, credit reports, and account balances.
The US government services contractor Maximus also suffered a MOVEit data breach, with personal data stolen from 8 to 11 million individuals. Maximus manages various government-sponsored programs, including healthcare and student loan servicing across the US, Canada, Australia, and the UK. The Clop group claims to have successfully stolen 169GB of personal data from Maximus’ MOVEit Transfer server, but they have not yet revealed the stolen data.
As the list of affected companies grows, the ransomware gang employs more pressure by creating clear web leak sites dedicated to leaking stolen data from specific companies. PwC (PricewaterhouseCoopers) was among the first to have such a leak site during the MOVEit breaches, making the stolen data easily accessible to a wider audience.
HCA Healthcare Admits Possible Theft of 11 Million Patients’ Data
U.S. healthcare giant HCA Healthcare revealed that approximately 11 million patients’ data may have been stolen and offered for sale on a cybercrime forum. HCA operates 180 hospitals and 2,300 sites in over a dozen U.S. states, with additional services for U.K. residents.
On July 4, 2023, a hacker claimed to have 27 million rows of information and gave HCA until July 10, 2023 to meet their demands, without specifying what those demands were. The breached data includes patient names, addresses, email addresses, phone numbers, dates of birth, and appointment details, but does not contain clinical or financial information.
The method of the data breach and the identity of the hacker remain unknown. HCA has not disclosed when it became aware of the theft or how the data was taken.
Hacktivist Bjorka Offers 35 Million Indonesian Passport Holders’ Data for Sale on Dark Web
Infamous hacktivist Bjorka offered the personal information of nearly 35 million Indonesian passport holders for $10,000 on the dark web. Bjorka, known for criticizing the Indonesian government and exposing lawmakers on social media, has prompted the government to investigate a potential breach of the Directorate General of Immigration’s network.
The data for sale included passport holders’ full names, birthdates, genders, passport numbers, and passport validity dates. Security researcher Teguh Aprianto confirmed the validity of the data, with a timestamp ranging from 2009 to 2020.
The Indonesian Ministry of Communication and Informatics, Kominfo, is also looking into reports of the alleged theft of personal information from 34.9 million Indonesians.
Crypto Platform Multichain Halts Services After $125 Million Hack
Crypto platform Multichain suspended its services due to a cyberattack resulting in the theft of over $125 million in cryptocurrency. The company specializes in cross-chain services, enabling users to transfer funds across different blockchains, and had previously touted its security and speed.
Multichain revealed that some of its assets had been moved to an unknown address abnormally, prompting an immediate investigation. Users were urged to halt the use of Multichain services and revoke any related contract approvals. Hours later, Multichain confirmed the hack and stopped all services, warning that bridge transactions in progress would be stuck on the source chains.
The following day, the company posted an apology on its website, stating that it had been hacked and pledging to personally refund all lost user funds. It also advised users to claim their refunds and revoke app approvals to Multichain.
Experts from various blockchain security firms estimate the losses at approximately $126 million, with stolen funds including coins like USDT, ETH, Bitcoin, and more.
Nickelodeon Confirms 500GB Data Leak, Pursues Legal Action
Nickelodeon has confirmed the legitimacy of a substantial data leak, totaling around 500GB of files, which includes unreleased television shows, scripts, and other materials. The breach was first observed in January 2023 and occurred due to an authentication issue within Nickelodeon’s “consumer products and experience” portal, granting unauthorized access to the sensitive content in the animation department.
The leaked data has been reposted in various locations after initially surfacing on a private Discord server. Researchers and users have encountered lists of Nickelodeon’s animation pitch bibles circulating online. Notably, the leak does not involve user or employee information.
Additionally, on July 2, 2023, GhostyTongue on Twitter reported that a private Discord server had recently shared a URL to download an entirely new leak, purportedly containing the source code for all Nickelodeon Flash Games. Furthermore, a user on 4chan claimed to possess insider information about the breach, stating that Nickelodeon’s internal database had been compromised for over a year, potentially impacting all current productions.
As the investigation unfolds, Nickelodeon continues to address the situation and take measures to safeguard its sensitive content. The company has imposed strict consequences on individuals discussing or sharing the leaked materials.
Poly Network Platform Suffers Cyber Attack Resulting in Theft of $42 Billion Worth of Cryptocurrency
Poly Network platform faced a cyber attack that led to the theft of millions of dollars’ worth of crypto assets. Poly Network is a decentralized interoperability protocol facilitating cross-chain transactions between various blockchain networks.
The attack affected 57 crypto assets on 10 blockchains. Poly Network suspended its services after sharing a Google spreadsheet displaying the stolen crypto assets, and began investigating the security breach to assess the full extent of the incident. The attackers made off with approximately $42 billion worth of cryptocurrency, according to blockchain security firm PeckShield, prompting the company to notify centralized exchanges and law enforcement agencies to identify and block fraudulent transactions.
Binance CEO Changpeng Zhao reassured Binance users that their accounts were not affected, and Poly Network hopes the attacker will return the stolen assets to avoid legal consequences.
Anonymous Sudan Claims Hack of 30M Records, but Microsoft Denies Legitimacy
Anonymous Sudan made bold assertions on Telegram about hacking Microsoft and obtaining a vast database comprising over 30 million accounts, emails, and passwords. The group further declared their intention to sell the data for $50,000 and presented a “small sample” as evidence. However, Microsoft swiftly countered the claim, stating that their analysis indicated the data was not legitimate and merely an aggregation.
This is not the first time Anonymous Sudan has troubled Microsoft; in a previous incident, the group was held responsible for conducting Layer 7 DDoS attacks against the company.