Last Updated on August 22, 2017

Here we go with the second timeline of July (first part here) covering the main cyber attacks occurred between July 16 and 31. A fortnight so rich of events, that I really do not know where to start from…

So, it looks like cryptocurrency is the new frontier for cybercriminals since this fortnight has recorded three attacks directed towards cryptocurrency exchange organizations (or their users): CoinDash, Veritaseum and the users of Parity’s Ethereum will remember this July for a long time.

But despite all this attention towards cryptocurrency, the megabreaches are not over… This fortnight has revealed the occurrence of a massive breach against the Kansas Department of Commerce and the discovery of over 40 million US voter records from nine states in an underground market called RaidForums.

And while the level of attention towards the Russian activity in the cyber space is always high (Reuters have revealed that Russian intelligence agents attempted to spy on President Emmanuel Macron’s election campaign earlier this year by creating phony Facebook personas), new and all threat actors emerge (like DarkHotel, an old acquaintance; SpringDragon, targeting some high-profile organizations around the South China Sea; CopyKittens, targeting several countries including Israel, Saudi Arabia, the United States, Germany, Jordan and Turkey; CobaltGipsy (a group allegedly linked to Iran); and FIN7, targeting a US-based restaurant chain.

Other interesting events include: the discovery of two attacks against Unicredit, the main Italian bank (400,000 records compromised), an attack against a FireEye analyst, the leak of an episode of Game of Thrones, part of a trove of 1.5 TB of data stolen from HBO, and an endless trail of campaigns against Android users: GhostCTRL, Stantinko, Lipizzan, a version of Triada “bundled” with some cheap Chinese devices, and Svpeng.

As usual scroll down the whole list for all the events happened in this fortnight. And if you want to have an idea of how fragile our electronic identity is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013, 2014, 2015 and 2016 (regularly updated). You may also want to have a look at the Cyber Attack Statistics that are regularly published, and follow @paulsparrows on Twitter for the latest updates.

Additionally, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts), and if useful, you can access the timeline in Google Sheet format.

IDDateAuthorTargetDescriptionAttackTarget ClassAttack ClassCountry
116/07/2017?South Carolina's Voter Registration SystemAccording to a post-election report by the South Carolina State Election Commission, South Carolina's voter registration system was reportedly hit by almost 150,000 hack attempts on Election Day 2016.>1GovernmentCWUS
216/07/2017?Twitter usersZeroFOX Threat Research reveal the details of a large-scale, spam pornography botnet on Twitter dubbed SIRENAccount HijackingSingle IndividualsCC>1
317/07/2017?UK Energy SectorThe National Cyber Security Centre (NCSC), part of the UK's intelligence agency GCHQ, issues a warning about hackers targeting the country's energy sector, and says that some industrial control system organizations are likely to have been successfully compromised.Targeted AttackUtility: EnergyCWUK
417/07/2017?CoinDashAn unknown hacker takes over the official website of the CoinDash platform and modifies an Ethereum wallet address during the company's ICO (Initial Coin Offering) being able to steal $7 million worth of Ethereum.UnknownCryptocurrency ExchangeCCUS
517/07/2017?Android UsersTrend Micro reveals the details of GhostCtrl, an Android malware able to take control of devices to spy, steal and do its bidding.MalwareSingle IndividualsCC>1
617/07/2017?Customers of international and U.S.-based financial institutions.Researchers from Flashpoint observe a new, Necurs-powered Trickbot spam campaign developed to target and infect customers of international and U.S.-based financial institutions.MalwareFinanceCC>1
718/07/2017?Women’s Health Care Group of PA (WHCGPA)Women’s Health Care Group of PA (WHCGPA) reveals to have been hit by ransomware on May 16, 2017. 300,000 patient records are affected.MalwareHealthcareCCUS
818/07/2017?KQEDKQED, a San Francisco radio station is still recovering from a ransomware attack, nearly one month after.MalwareOrg; Non-ProfitCCUS
918/07/2017?Sarah HylandNude photos and video of Sarah Hyland are leaked online.Account HijackingSingle IndividualCCUS
1019/07/2017DarkHotelPolitical figures and senior business usersBitdefender reveals a new high-level spear-phishing attack targeting political figures and senior business users. Dubbed 'Inexsmar', the attack appears to be operated by the DarkHotel group, which has been perpetrating similar threats since 2007.Targeted AttackSingle IndividualsCE>1
1119/07/2017?Individuals using Parity's Ethereum walletA vulnerability in Parity's Ethereum wallet software is exploited by thieves to rob victims on a massive scale. Targeted accounts are drained of 150,000 coins worth just over US$30 million at the current price.VulnerabilitySingle IndividualsCC>1
1219/07/2017?LoblawsAccording to an email sent out to Loblaws account holders, the security of a ‘small number’ of accounts has been compromised, marking the second time the company has suffered a security breach this year. Comprised websites include, and, as well as other Loblaws grocery chain websites.UnknownIndustry: RetailCCCA
1320/07/2017?Kansas Department of CommerceA security breach in the Kansas Department of Commerce exposes millions of Social Security numbers from people across 10 states to hackers. Many other accounts are also attacked.UnknownGovernmentCCUS
1420/07/2017?Newcastle UniversityNewcastle University issues an alert, warning prospective students to be careful when seeking to apply and pay online for courses, after discovering the existence of a sophisticated phishing scam.Account HijackingEducationCCUK
1520/07/2017?Android UsersAccording to a new report released by ESET, over 500,000 users have had their computers infected with a stealthy malware named Stantinko.MalwareSingle IndividualsCC>1
1621/07/2017?Bank of America customersA new campaign targets Bank of America customers via emails pretending to be from representatives of the Bank of America.Account HijackingFinanceCCUS
1721/07/2017?University of Vermont Medical CenterUniversity of Vermont Medical Center notifies 2,300 patients of a phishing incident occurred back in May 2017.Account HijackingHealthcareCCUS
1823/07/2017chikri95Kylie Jenner's Snapchat accountKylie Jenner's Snapchat account is hacked. The attacker claims to reveal nude pictures.Account HijackingSingle IndividualCCUS
1923/07/2017@headassgangVictoria Justice's Twitter accountVictoria Justice's Twitter account is hacked. The attacker claims to reveal nude pictures.Account HijackingSingle IndividualCCUS
2024/07/2017?VeritaseumAnother day another Ethereum related breach. This time the target is Veritaseum, whose Initial Coin Offering (ICO) suffers a data breach in which around US$8.4 million worth of Ethereum are stolen.UnknownCryptocurrency ExchangeCCUS
2124/07/2017Spring DragonSome high-profile organizations around the South China Sea.Kaspersky Lab reveals the details of a new wave of attacks carried on by a long running APT actor dubbed Spring Dragon.Targeted Attack>1CECN
2225/07/2017?Over 110,000 people from EdinburghCybercriminals have reportedly been found selling personal information of over 110,000 people from Edinburgh on an unspecified dark web marketplaceUnknownGovernmentCCUK
2325/07/2017LoganOver 40 million US voter recordsA dark web vendor is reportedly selling over 40 million US voter records from nine states in an underground market called RaidForums. The data being sold allegedly includes full names, addresses, voter IDs, voter status and party affiliations.Account HijackingGovernmentCCUS
2425/07/2017CopyKittensSeveral countries including Israel, Saudi Arabia, the United States, Germany, Jordan and TurkeyTrend Micro reveals the details of a new massive cyber espionage campaign called "Operation Wilted Tulip", carried on by CopyKittens, an Iran-linked cyber espionage group targeting several countries including Israel, Saudi Arabia, the United States, Germany, Jordan and Turkey.Targeted Attack>1CE>1
2525/07/2017?Single IndividualsKaspersky Lab analysts detect CowerSnail, a malicious program for Windows apparently created by the same group responsible for SambaCry.MalwareSingle IndividualsCC>1
2625/07/2017?942,609 Yorkshire peopleThe Yorkshire Post reveals that the personal data of 942,609 Yorkshire people is listed for sale on an underground marketplace.Account HijackingSingle IndividualsCCUK
2726/07/2017?Android UsersGoogle discovers a new family of spyware called Lipizzan containing references to a cyber arms company called Equus Technologies.MalwareSingle IndividualsCE>1
2826/07/2017?UniCreditUniCredit SpA, Italy’s No. 1 bank, says that hackers took biographical and loan data from 400,000 client accounts. The attack occurred in September and October of 2016 and June and July of this year.Unknown (third party breach)FinanceCCIT
2927/07/2017Russia?Macron CampaignReuters reveals that Russian intelligence agents attempted to spy on President Emmanuel Macron's election campaign earlier this year by creating phony Facebook personas.Account HijackingGovernmentCEFR
3027/07/2017?Virgin AmericaVirgin America confirms that a hacker broke into its corporate network earlier this year on March 13.UnknownIndustry: AirlineCCUS
3127/07/2017CobaltGipsy (a group allegedly linked to Iran)Several entities in the Middle East and North Africa with a focus on Saudi Arabian organizationsSecurworks reveal the details of a group, allegedly linked to Iran, dubbed "Cobalt Gypsy", reportedly using well-established fake online personas of attractive women to befriend targets, gain their trust and later dupe them into opening malicious software that could provide hackers with "full access" to private computer networks.Targeted Attack>1CE>1
3227/07/2017?Critical InfrastructuresThe Epoch Times reveals that an underground dark web marketplace, dubbed CMarket, is selling access to the private computer networks of critical infrastructure targets, including power plants, government departments, hospitals, financial firms and airlines in exchange for bitcoinUnknown>1CC>1
3327/07/2017?Unnamed Canadian OrganizationCytelligence reveals that an undisclosed Canadian organization has reportedly paid criminals $425,000 in bitcoin after its systems were crippled in a ransomware attack.MalwareN/ACCCA
3428/07/2017?CIAWikiLeaks publishes three new alleged CIA hacking tools as part of its new Vault 7 dump.UnknownGovernmentHUS
3528/07/2017?Plastic Surgery AssociatesPlastic Surgery Associates reveals that a data breach may have compromised patient records after it was hit with a ransomware attack earlier this year on 12 February.MalwareHealthcareCCUS
3628/07/2017?Bharat Sanchar Nigam Limited (BSNL) and Mahanagar Telephone Nigam Limited (MTNL)The author of the BrickerBot malware claims responsibility for a cyber-attack that took place in various Indian states and causes over 60,000 modems and routers to lose Internet connectivity.MalwareIndustry: TelcoCCIN
3728/07/2017?Android UsersSecurity researchers from Dr.Web find the Triada malware inside the firmware of several low-cost Android smartphones, such as Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.MalwareSingle IndividualsCC>1
3828/07/2017?WestJetWestJet says it is working with police in Calgary and the RCMP cybercrime unit after some members' profile data were disclosed online.UnknownIndustry: AirlineCCCA
3931/07/2017?HBOHBO joins the ranks of Hollywood entertainment companies to suffer a major cyber attack. The company network is compromised and the attacker claim to have stolen 1.5 TB of data. Few days after they leak an episode of the new season of Games of ThronesUnknownIndustry: EntertainmentCCUS
4031/07/2017?Android UsersKaspersky Lab reveals the details of a new variant of the Svpeng trojan working as a keylogger and stealing data through the accessibility services.MalwareSingle IndividualsCC>1
4131/07/2017?Mandiant (a FireEye company)A Mandiant threat intelligence analyst is the victim of Operation #LeakTheAnalyst. Attackers infiltrate his computer for more than a year and leak some internal data.Targeted AttackIndustry: Information SecurityCCUS
4231/07/2017?Wix.comWebsite-building service reveals to have been the subject of a massive cyber-attack in April 2016 when a botnet of rogue Chrome extensions was creating Wix websites to spread itself to new users.MalwareIndustry: Internet ServicesCCUS
4331/07/2017FIN7U.S.-based chain restaurantsProofPoint researchers reveal that the threat actor commonly referred to as FIN7 has added a new JScript backdoor called Bateleur and updated macros to its toolkit to target U.S.-based chain restaurants.Targeted AttackIndustry: RestaurantsCCUS
4431/07/2017?Copyfish Chrome Web Store AccountPhishers hack Copyfish, an extension for Google Chrome, after compromising the Chrome Web Store account of German developer team a9t9 software and abuse to distribute spam messages to unsuspecting users.Account HijackingSingle IndividualsCCDE

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.