SOCRadar® Cyber Intelligence Inc. | Major Cyberattacks in Review: September 2023


Oct 06, 2023
6 Mins Read

Major Cyberattacks in Review: September 2023

In September 2023, a surge of cyber incidents underscored the persistent and evolving threats confronting organizations.

Key events that marked the month included the resurgence of the USDoD hacker, who leaked data from thousands of Airbus vendors. Additionally, MGM Resorts fell victim to a cyberattack that gravely disrupted its business. Clop ransomware’s MOVEit campaign expanded its reach to over 2,000 organizations, continuing to wreak havoc. Furthermore, several cryptocurrency firms faced substantial losses due to cyberattacks, with one losing a staggering $200 million in assets. 

In this blog post, we will explore the notable cyberattacks of September 2023 to gain a comprehensive understanding of these incidents, and the evolving threat landscape.

25M Files Stolen From Motel One in BlackCat Ransomware Attack

motel one, cyberattack september 2023

On September 30, 2023, BlackCat Ransomware (ALPHV) claimed to have breached the IT infrastructure of Motel One, a German hotel chain. 

The group claimed to have extracted a substantial amount of data, including booking confirmations for the past 3 years containing names, addresses, dates of reservation, payment methods, and contact information. A total of 24,449,137 files, roughly equivalent to 6TB of data was stolen.

The hackers issued a warning and a five-day ultimatum for a response from Motel One to avoid the data leak. 

BlackCat Ransomware Targeted McLaren Healthcare 

mclaren healthcare, cyberattack september 2023

One of Michigan’s largest healthcare systems, McLaren HealthCare, faced a ransomware attack. McLaren operates 13 hospitals and various medical services, with over 28,000 employees. 

The attack resulted in network outages at 14 facilities, impacting billing and electronic health record systems. BlackCat Ransomware (ALPHV) claimed responsibility for the attack, boasting of stealing 6 TB of data, including personal information and hospital videos.

Massive DDoS Attack on Russian Flight Booking System Caused Airport Delays

aeroflot leonardo, ddos attack

Russian flight booking system Leonardo was hit by a massive DDoS attack, resulting in airport delays. The attack affected several carriers, including Rossiya Airlines, Pobeda, and Aeroflot, causing delays at Moscow’s Sheremetyevo International Airport.

The Ukrainian hacktivist group “IT Army” claimed responsibility for the attack. Russian state defense company Rostec reported ongoing “large-scale and unprecedented” attacks on the system, with multiple attempts recorded in September 2023.

Ransomware Attack on Johnson Controls: Attackers Stole 27TB of Corporate Data

johnson controls, cyberattack september 2023

Dark Angels Team, a hacking group, launched a ransomware attack on Johnson Controls International, a multinational conglomerate specializing in industrial control systems and security equipment. 

The attack encrypted various company devices, including VMware ESXi servers, and 27TB of corporate data was stolen. As a result, Johnson Controls International had to temporarily shut down parts of its IT systems, and during this time, several of its subsidiaries displayed outage messages on website login pages and customer portals.

RansomedVC Breached Sony, Another Threat Actor Leaked the Data

ransomedvc, sony data leak, data breach, ransomware, september 2023

A newly emerged ransomware group, RansomedVC, has declared that it successfully infiltrated all of Sony’s systems and has offered the data for sale.

A member of the RansomedVC group posted on a hacker forum, asserting that they had managed to breach Sony’s infrastructure, which includes Jenkins, SVN, SSH, SonarQube, and Creator Cloud Development.

‘MajorNelson,’ another threat actor, suggested that RansomedVC has fabricated the data breach news as a tactic to gain influence. MajorNelson has leaked the data that RansomedVC claimed to possess on a forum post, which included credentials for the internal systems described in RansomedVC’s post.

Dive into the details of the breach on our blog post: What You Need to Know About the Alleged Sony Breach (

Mixin Network Lost $200M in Assets After Cloud Vendor’s Hack

mixin network, hack, cloud, crypto

A cryptocurrency business located in Hong Kong, Mixin Network, revealed that hackers had pilfered approximately $200 million in assets by targeting its cloud service provider. According to the company, the breach occurred on September 23, prompting the temporary suspension of deposit and withdrawal services. 

MOVEit Breach Affected 2,000+ Organizations: Latest Victims in Education and Healthcare Sectors

progress moveit, clop ransomware, data breach, moveit hack

The number of victims tied to the Clop Group’s MOVEit attacks has surged, affecting over 2,000 organizations.

In September, the U.S. National Student Clearinghouse (NSC) disclosed a data breach affecting 890 schools. NSC collaborates with over 3,500 U.S. colleges and universities, housing data on 17.1 million students.

Clop ransomware attackers accessed NSC’s MOVEit managed file transfer (MFT) server on May 30, pilfering files containing extensive personal information. 

Additionally, the Hospital for Sick Children (SickKids) was among healthcare providers affected by BORN Ontario’s MOVEit data breach, impacting 3.4 million individuals.

Cyberattack on MGM Resorts Led to Widespread Disruption

mgm resorts hack, september 2023

The cyberattack that occurred on September 10, 2023, targeting MGM Resorts, has been linked to a threat group referred to as “Scattered Spider,” an affiliate of BlackCat/ALPHV. According to reports, this group gained access to MGM’s systems by conducting LinkedIn searches for employees and subsequently posing as the IT help desk.

MGM Resorts, a major player in the hospitality industry, boasts numerous hotels and casinos in Las Vegas and prestigious properties across the United States, including Mandalay Bay, the Bellagio, the Cosmopolitan, and the Aria.

Following the attack, MGM Resorts faced significant repercussions. They had to temporarily shut down substantial segments of their internal networks, resulting in disruptions across their extensive network of more than 30 hotels and casinos worldwide.

For more details, read our blog post: MGM Resorts Hacked by BlackCat Affiliate, ‘Scattered Spider’

USDoD Hacker Leaked Data of 3,200 Airbus Vendors 

airbus hacker, usdod, data leak

The “USDoD” hacker has exposed sensitive data from 3,200 Airbus vendors, revealing their names, contact details, email addresses, physical addresses, and more. The hacker asserts that they acquired access to the Airbus web portal by compromising a Turkish Airlines employee’s account.

Significantly, in December 2022, USDoD offered a database pilfered from the FBI’s “InfraGard” network system. Although remaining low-profile since then, the hacker has resurfaced by declaring their participation in the RansomedVC operation. 

Read our blog post about USDoD for a closer look at the threat actor’s activities.

CoinEx Hot Wallet Hack: Stolen Tokens Amount to $27M

coinex hot wallet hack

On September 12, cryptocurrency exchange CoinEx encountered unusual activity as large amounts were transferred to an address with no prior history, raising suspicions of a potential hack.

Security experts estimated the losses to be around $27 million, and following this incident, the same wallet received substantial transfers from the CoinEx hot wallet. Notable among these transfers were 408,741 Dai stablecoin, 2.7 million Graph (GRT) tokens, 29,158 Uniswap tokens, and numerous other tokens. Hit by Cryptocurrency Hackers: $40M Heist

stakecom hack, cryptocurrency

Hackers stole more than $40 million in cryptocurrency from, a platform that facilitates casino and sports betting with cryptocurrency. 

In early September 2023, the company detected illicit transactions originating from its Ethereum (ETH) and Binance Smart Chain (BSC) hot wallets. 

Hot wallets are less secure than cold wallets as their public and private keys are accessible from the internet, allowing remote access and unauthorized activity – a vulnerability that was evidently exploited in’s breach.