It’s time to publish the second interactive timeline of January 2021, covering the main cyber attacks that occurred in the second half of this month (you can find the first timeline here).
In this timeline, I have collected 81 events, confirming a slow start for the new year (but you need to consider that this period is still characterized by the massive Orion supply-chain attack, which has hit multiple organizations worldwide and is counted as a single operation in the timelines).
Besides the above-mentioned operation, ransomware continues to characterize the threat landscape with nearly 29% of the total events (23 out of 80), but the real number could be even bigger since, in some cases, the impacted organizations remain vague on the nature of the threat, mentioning a generic “disruption”.
And besides ransomware, the timeline is rich in events spanning the different areas of cyber crime, cyber warfare, and cyber espionage (including an operation targeting security researchers).
Enjoy the interactive timeline, and thanks for sharing it and supporting my work in spreading risk awareness across the community. Also, don’t forget to follow @paulsparrows on Twitter, or even connect on LinkedIn, for the latest updates.
ID
Date Reported
Date Occurred
Date Discovered
Author
Target
Description
Attack
Target Class
Attack Class
Country
Link
Tags
1
14/01/2021
-
-
Russian, Iranian and Chinese influence actors
United States
The FBI, Department of Homeland Security and eight other agencies warn that "Russian, Iranian and Chinese influence actors are exploiting the U.S. Capitol siege to amplify narratives in furtherance of their policy interest amid the presidential transition."
Fake Websites/Social Network accounts
O Public administration and defence, compulsory social security
CW
US
FBI, Department of Homeland Security, Russia, Iran, China, U.S. Capitol siege
2
15/01/2021
15/1/2021
15/1/2021
?
Atlanta synagogue The Temple
The Atlanta synagogue The Temple is disrupted by a cyber attack.
DDoS
S Other service activities
CC
US
The Temple
3
16/01/2021
16/1/2021
16/1/2021
?
OpenWRT
The OpenWRT forum, a large community of enthusiasts of alternative, open-source operating systems for routers, announced a data breach.
Account Takeover
S Other service activities
CC
N/A
OpenWRT
4
16/01/2021
16/1/2021
16/1/2021
DeroHE
IObit
Windows utility developer IObit is hacked to perform a widespread attack to distribute the strange DeroHE ransomware to its forum members.
Malware
M Professional scientific and technical activities
CC
US
IObit, DeroHE, ransomware
5
16/01/2021
-
-
?
Wentworth golf and country club
The prestigious Wentworth golf and country club warns its 4000 members that their personal details may have fallen into the hands of hackers following a ransomware attack.
Malware
R Arts entertainment and recreation
CC
UK
Wentworth golf and country club, ransomware
6
17/01/2021
17/1/2021
17/1/2021
>
CHwapi Hospital
The CHwapi Hospital in Belgium is hit with a Windows BitLocker attack where threat actors claim to have encrypted 40 servers and 100 TB of data.
Windows BitLocker
Q Human health and social work activities
CC
BE
CHwapi Hospital, Windows BitLocker
7
18/01/2021
-
-
?
Capital Economics
Researchers from Cyble discover a leak of 500K+ records of C-level people from Capital Economics on a Russian-speaking forum.
SQLi
M Professional scientific and technical activities
CC
US
Capital Economics, Cyble
8
18/01/2021
-
-
?
Okanogan County
The Okanogan County is hit with a cyber attack.
Unknown
O Public administration and defence, compulsory social security
CC
US
Okanogan County
9
19/01/2021
-
-
StellarParticle (AKA UNC2452, Dark Halo)
Malwarebytes
Cybersecurity firm Malwarebytes confirms that the threat actor behind the SolarWinds supply-chain attack was able to gain access to some company emails.
Cloud Account Takeover
M Professional scientific and technical activities
CE
US
StellarParticle, UNC2452, Dark Halo, Malwarebytes
10
19/01/2021
From January 8, 2021
From January 8, 2021
FreakOut
Vulnerable Linux servers
Researchers from Check Point discover an active malicious campaign, currently targeting Linux devices running software with critical vulnerabilities.
FreakOut, Check Point, CVE-2021-3007, CVE-2020-7961, CVE-2020-28188
11
19/01/2021
-
-
?
Vulnerable SAP servers
Researchers from Onapsis detect automated probes for servers containing CVE-2020-6207, a severe vulnerability in SAP, a week after a working exploit was published online.
CVE-2020-6207 Vulnerability
Y Multiple Industries
CC
>1
Onapsis, CVE-2020-6207, SAP
12
19/01/2021
-
-
ALTDOS
Bangladesh Export Import Company Limited (BEXIMCO)
Hackers from ALTDOS claim to have successfully attacked BEXIMCO.
Unknown
N Administrative and support service activities
CC
BD
Bangladesh Export Import Company Limited, BEXIMCO
13
19/01/2021
-
5/1/2021
?
Diponegoro University (pak.undip.ac.id)
The Diponegoro University (pak.undip.ac.id) admits that there have been several attempts to breach its servers after 125,000 students' data is leaked.
Unknown
P Education
CC
ID
Diponegoro University, pak.undip.ac.id
14
20/01/2021
-
-
ShinyHunters
Pixlr
ShinyHunters shares a database that they claim was stolen from Pixlr while they breached the 123rf stock photo site. Pixlr and 123rf are both owned by the same company, Inmagine.
Cloud misconfiguration
S Other service activities
CC
US
ShinyHunters, Pixlr, 123rf, Inmagine
15
20/01/2021
-
-
?
Multiple targets
An advisory from Netscout reveals that Windows Remote Desktop Protocol (RDP) servers are now being abused by DDoS-for-hire services to amplify Distributed Denial of Service (DDoS) attacks.
DDoS
Y Multiple Industries
CC
>1
Netscout, Remote Desktop Protocol, RDP
16
20/01/2021
-
Early December 2020
?
More than 10 Demand Side Platforms (DSP), primarily Europe-based
Researchers from Media Trust reveal the details of LuckyBoy-3PC, a malvertising campaign deploying cloaking and obfuscation technologies.
Malvertising
S Other service activities
CC
>1
Media Trust, LuckyBoy-3PC
17
20/01/2021
-
-
?
Telecom, healthcare, energy and manufacturing companies
Researchers from Proofpoint discover a campaign sending thousands of messages using Google Forms to target retail, telecom, healthcare, energy and manufacturing companies in an apparent reconnaissance campaign to launch future business email compromises (BECs).
Business Email Compromise
Y Multiple Industries
CC
>1
Proofpoint, Google Forms
18
20/01/2021
Since November 2020
-
Nefilim
Colliers International Group
Colliers International Group, a Canadian real estate services firm, acknowledges that it suffered a cyberattack last November.
Malware
L Real estate activities
CC
CA
Colliers International Group, ransomware, Nefilim
19
20/01/2021
10/8/2020
Between 05/08/2020 and 17/08/2020
?
Einstein Healthcare Network
Einstein Healthcare Network announces that it began mailing letters to patients whose information may have been involved in a data security incident involving unauthorized access to employees’ email accounts.
Account Takeover
Q Human health and social work activities
CC
US
Einstein Healthcare Network
20
20/01/2021
Earlier in January 2021
-
?
Ucar
The vehicle rental company Ucar reveals that it had been the target of ransomware earlier this year.
Malware
H Transportation and storage
CC
FR
Ucar, ransomware
21
20/01/2021
During the Holiday season
-
?
Butler County Sheriff's Office
The Butler County Sheriff's Office reveals that it was hit by a malware attack during the holiday season.
Malware
O Public administration and defence, compulsory social security
CC
US
Butler County Sheriff, ransomware
22
21/01/2021
Since August 2020
-
?
Multiple targets
Researchers from Check Point and Otorio reveal the details of a massive phishing campaign targeting thousands of organizations worldwide. However, the attackers forgot to protect their loot and let Google index the stolen passwords, exposing them to public searches.
Account Takeover
Y Multiple Industries
CC
>1
Check Point, Otorio, Google
23
21/01/2021
Since October 2020
-
?
QNAP devices
QNAP urges customers to secure their network-attached storage (NAS) devices against Dovecat, an ongoing malware campaign that infects and exploits them to mine bitcoin.
Misconfiguration (weak password)
Y Multiple Industries
CC
>1
QNAP, Dovecat
24
21/01/2021
-
-
?
Android users
A new malware spreads through Whatsapp auto-replies to any messaging conversations using a malicious link that leads to a fake Huawei app.
Malware
X Individual
CC
>1
Android, Whatsapp, Huawei
25
21/01/2021
-
-
?
Goods and Services Tax Network (GSTN)
The Goods and Services Tax Network (GSTN) announces a possible cyber attack with a cryptic tweet.
Unknown
O Public administration and defence, compulsory social security
CC
IN
Goods and Services Tax Network, GSTN
26
22/01/2021
-
20/1/2021
ShinyHunters
Bonobos
Bonobos men's clothing store suffers a massive data breach exposing millions of customers' personal information after a 70GB cloud backup of their database is downloaded and shared.
Cloud misconfiguration
G Wholesale and retail trade
CC
US
Bonobos, ShinyHunters
27
22/01/2021
-
-
?
Sonicwall
Security hardware manufacturer SonicWall issues an urgent security notice about threat actors exploiting a zero-day vulnerability in their VPN products to perform attacks on their internal systems.
0-Day vulnerability
C Manufacturing
CC
US
SonicWall
28
22/01/2021
-
-
?
UK Students
Some of the laptops given out in England to support vulnerable children home-schooling during lockdown contain the Gamarue malware.
Malware
P Education
CC
UK
Gamarue
29
22/01/2021
-
14/1/2021
?
MyFreeCams
A hacker is selling a database with login details for two million high-paying users of the MyFreeCams adult video streaming and chat service.
SQLi
R Arts entertainment and recreation
CC
US
MyFreeCams
30
22/01/2021
4/1/2021
6/1/2021
?
USCellular
Mobile network operator USCellular suffers a data breach after hackers gained access to its CRM and viewed customers' accounts.
Malware
J Information and communication
CC
US
USCellular
31
22/01/2021
Since early 2019
-
?
Enterprise-level apps running on Linux systems
Researchers from Zscaler reveal the details of the DreamBus botnet, a Linux-based malware family targeting a wide collection of apps, such as PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, SaltStack, and the SSH service.
The7stars, an important London ad agency, falls victim to a Clop ransomware attack.
Malware
M Professional scientific and technical activities
CC
UK
The7stars, Clop, ransomware
33
22/01/2021
21/1/2021
21/1/2021
?
Department of Vienne
The Department of Vienne is hit with a ransomware attack.
Malware
O Public administration and defence, compulsory social security
CC
FR
Department of Vienne, ransomware
34
23/01/2021
15/1/2021
-
?
Australian Securities and Investments Commission (ASIC)
The Australian Securities and Investments Commission (ASIC) reveals that one of its servers has been accessed by an unknown threat actor exploiting a vulnerability in the Accellion file transfer platform.
Vulnerability
O Public administration and defence, compulsory social security
CC
AU
Australian Securities and Investments Commission, ASIC, Accellion
35
23/01/2021
Between 16/01/2021 and 17/01/2021
-
?
City of Montmagne
The city of Montmagne is hit with a ransomware attack.
Malware
O Public administration and defence, compulsory social security
CC
CA
City of Montmagne, ransomware
36
24/01/2021
-
-
Avaddon
Undisclosed target
An undisclosed victim of the Avaddon ransomware gang suffers a DDoS attack after refusing to pay.
>1 (Malware, DDoS)
Z Unknown
CC
N/A
Avaddon
37
24/01/2021
-
23/1/2021
ShinyHunters
Buyucoin
ShinyHunters leaks the stolen database for Indian cryptocurrency exchange Buyucoin on a hacking forum for free.
Unknown
V Fintech
CC
IN
ShinyHunters, Buyucoin
38
24/01/2021
-
-
ShinyHunters
MeetMindful
ShinyHunters leaks the details of more than 2.28 million users registered on MeetMindful.com.
Cloud misconfiguration
S Other service activities
CC
US
ShinyHunters, MeetMindful
39
25/01/2021
Mid-2020
-
ZINC
Security researchers from multiple countries
Researchers from Google (and, a few days later, from Microsoft) reveal the details of a North Korean government-backed hacking group targeting security researchers who focus on vulnerability and exploit development via social networks.
Targeted Attack
X Individual
CE
>1
Google, Microsoft, North Korea, ZINC
40
25/01/2021
-
-
?
Palfinger
Austria-based crane manufacturer Palfinger informs customers that its IT infrastructure suffered serious disruptions as a result of an “ongoing global cyber attack.” The company confirms the nature of the attack as ransomware.
Malware
C Manufacturing
CC
AU
Palfinger, ransomware
41
25/01/2021
-
23/1/2021
?
WestRock
American packaging giant WestRock informed customers that it was recently targeted in a ransomware attack that impacted both IT and OT systems.
Malware
C Manufacturing
CC
AU
WestRock, ransomware
42
25/01/2021
23/1/2021
23/1/2021
DeroHE
IObit
Over the weekend, the ransomware actors from DeroHE hack the IObit forums again to display a message demanding that IObit pay them $100,000 in DERO or the attacks will continue.
Malware
M Professional scientific and technical activities
CC
US
IObit, DeroHE, ransomware
43
25/01/2021
25/1/2021
25/1/2021
?
Single individuals in the UK
An active phishing campaign pretends to be from the UK's National Health Service (NHS), alerting recipients that they are eligible to receive the COVID-19 vaccine.
Account Takeover
X Individual
CC
UK
National Health Service, NHS, COVID-19, vaccine
44
25/01/2021
23/1/2021
-
?
Georgetown County
Georgetown County says the county’s computer network “suffered a major infrastructure breach over the weekend.” Most of the county’s electronic systems, including emails, are impacted.
Unknown
O Public administration and defence, compulsory social security
CC
US
Georgetown County
45
25/01/2021
Since May 2020
-
?
High-ranking company executives
Researchers from Trend Micro reveal the details of an ongoing phishing campaign delivering fake Office 365 password expiration reports that managed to compromise tens of C-Suite email accounts to date.
Account Takeover
Y Multiple Industries
CC
>1
Trend Micro, Office 365
46
25/01/2021
-
-
?
Android users in Italy
Researchers from AddressIntel discover a new Android malware dubbed Oscorp targeting Italian users.
Malware
X Individual
CC
IT
AddressIntel, Android, Oscorp
47
25/01/2021
25/1/2021
25/1/2021
?
Tennessee Wesleyan University
Tennessee Wesleyan University is hit with a ransomware attack.
Malware
P Education
CC
US
Tennessee Wesleyan University, ransomware
48
26/01/2021
14/1/2021
-
REvil AKA Sodinokibi
Dairy Farm Group
Pan-Asian retail chain operator Dairy Farm Group is attacked by the REvil ransomware operation. The attackers claim to have demanded a $30 million ransom.
Malware
G Wholesale and retail trade
CC
HK
Dairy Farm Group, REvil ransomware, Sodinokibi
49
26/01/2021
-
-
Nemty
Undisclosed target
Researchers from Sophos reveal the details of a Nemty ransomware attack carried out exploiting the ghost account of a deceased administrator.
Malware
Z Unknown
CC
N/A
Sophos, Nemty, ransomware
50
26/01/2021
-
-
?
Unknown target(s)
Apple releases security updates for iOS to patch three zero-day vulnerabilities exploited in the wild.
Researchers from Abnormal Security discover two business email compromise (BEC) attack techniques that exploit a Microsoft 365 “read receipt” message loophole to evade auto-remediation of a malicious email.
Business Email Compromise
Z Unknown
CC
NA
Abnormal Security, Microsoft 365
52
26/01/2021
-
-
?
Undisclosed company
Researchers from Abnormal Security discover two business email compromise (BEC) attack techniques that exploit a Microsoft 365 “out of office” message loophole to evade auto-remediation of a malicious email.
Business Email Compromise
Z Unknown
CC
NA
Abnormal Security, Microsoft 365
53
26/01/2021
Starting from late October 2020
-
?
Single individuals
Researchers from Proofpoint discover a new strain of DanaBot distributed through pirated software keys.
Malware
X Individual
CC
>1
Proofpoint, DanaBot
54
26/01/2021
Starting from December 2020
-
?
Single individuals in the Americas and Europe
Researchers from FireEye discover a phishing campaign spoofing DHL's delivery service and using an encrypted Telegram channel to exfiltrate data.
Account Takeover
X Individual
CC
>1
FireEye, DHL, Telegram
55
27/01/2021
-
-
TeamTNT
Exposed Linux servers
AT&T Alien Labs security researchers discover a new variant of the Black-T Linux crypto-mining malware using open-source tools to evade detection.
Cloud misconfiguration
Y Multiple Industries
CC
>1
AT&T Alien Labs, Black-T, Linux, TeamTNT
56
27/01/2021
-
-
?
Multiple targets
Researchers from RiskIQ reveal the details of LogoKit, a novel phishing toolkit that changes logos and text on a phishing page in real-time to adapt to targeted victims.
Account Takeover
Y Multiple Industries
CC
>1
RiskIQ, LogoKit
57
27/01/2021
14/12/2021
-
?
The Woodland Trust
The Woodland Trust confirms that it was hit with a cyberattack, describing the incident as "sophisticated" and "high level", and has taken many services offline.
Unknown
Q Human health and social work activities
CC
UK
The Woodland Trust
58
27/01/2021
27/1/2021
27/1/2021
?
Municipality of Balneário Camboriú
The Municipality of Balneário Camboriú is hit with a ransomware attack.
Malware
O Public administration and defence, compulsory social security
CC
BR
Municipality of Balneário Camboriú, ransomware
59
27/01/2021
-
-
?
Single individuals in the UK
The National Crime Agency and Financial Conduct Authority warn that the number of "clone firm" scams has significantly increased during the COVID-19 pandemic.
Account Takeover
X Individual
CC
UK
National Crime Agency, NCA, Financial Conduct Authority, COVID-19
60
28/01/2021
-
Early 2020
Volatile Cedar AKA Lebanese Cedar
More than 250 Oracle and Atlassian servers belonging mainly to organizations providing mobile communications and internet-based services.
Researchers from ClearSky Security reveal that Volatile Cedar, an advanced hacker group believed to be connected to the Lebanese Hezbollah Cyber Unit, has been silently attacking companies around the world in espionage operations.
CVE-2019-3396, CVE-2019-11581, and CVE-2012-3152 vulnerabilities
Vulnerable instances of Apache ActiveMQ, Oracle WebLogic, and Redis
Researchers from Palo Alto Networks discover a new campaign by the financially-motivated Rocke group, using a new piece of cryptojacking malware called Pro-Ocean to target vulnerable instances of Apache ActiveMQ, Oracle WebLogic, and Redis.
The UK Research and Innovation (UKRI) is hit with a ransomware incident that encrypted data and impacted two of its services, one offering information to subscribers and the platform for peer review of various parts of the agency.
Malware
O Public administration and defence, compulsory social security
CC
UK
UK Research and Innovation, UKRI, ransomware
63
28/01/2021
-
-
?
Crisp Regional Health Services
Crisp Regional Health Services is the victim of a ransomware attack.
Malware
Q Human health and social work activities
CC
US
Crisp Regional Health Services, ransomware
64
28/01/2021
26/1/2021
26/1/2021
?
Peel District School Board
Peel District School Board is hit with a ransomware attack.
Malware
P Education
CC
US
Peel District School Board, ransomware
65
29/01/2021
Late December 2020
25/1/2021
?
Washington's State Auditor office
Washington's State Auditor Office suffers a data breach that exposes the personal information in 1.6 million employment claims after a threat actor exploited a vulnerability in a secure file transfer service from Accellion.
Vulnerability
O Public administration and defence, compulsory social security
CC
US
Washington's State Auditor Office, Accellion
66
29/01/2021
Early January 2021
-
Trickbot
Legal and insurance verticals in North America
Researchers from Menlo Security discover a new Trickbot campaign targeting legal and insurance verticals in North America.
Malware
K Financial and insurance activities
CC
US
Menlo Security, Trickbot
67
29/01/2021
Early December 2020
Early December 2020
?
Belgian Government
Social media research group Graphika exposes a network of 14 Twitter accounts that engaged in a coordinated campaign to criticize the Belgian government's plan to ban Huawei from supplying 5G equipment to local telecommunications providers.
Fake Websites/Social Network accounts
O Public administration and defence, compulsory social security
CW
BE
Graphika, Twitter, Huawei
68
29/01/2021
-
-
Vovalex
Multiple targets
A new ransomware called Vovalex, written in D, is being distributed through pirated software that impersonates popular Windows utilities, such as CCleaner.
Malware
Y Multiple Industries
CC
>1
Vovalex, Ransomware, D
69
29/01/2021
-
-
?
Multiple targets
Researchers from Abnormal Security discover a phishing campaign impersonating a Small Business Administration (SBA) lender for the Paycheck Protection Program (PPP) loan during the COVID-19 crisis.
Account Takeover
Y Multiple Industries
CC
US
Abnormal Security, Small Business Administration, SBA, Paycheck Protection Program, PPP, COVID-19
70
29/01/2021
24/11/2020
4/12/2020
?
Ramsey County
Ramsey County informs clients of the Family Health Division program that hackers may have accessed personal data after the ransomware incident that hit Netgain back in December.
Malware
O Public administration and defence, compulsory social security
CC
US
Ramsey County, Family Health Division, Netgain, ransomware
71
29/01/2021
26/1/2021
26/1/2021
Turkish hackers
Miss England
The Instagram account of the Miss England beauty pageant is hijacked by Turkish hackers.
Account Takeover
R Arts entertainment and recreation
CC
UK
Miss England
72
29/01/2021
29/1/2021
29/1/2021
?
Premier Tech
Premier Tech is disrupted by a cyber attack.
Unknown
C Manufacturing
CC
CA
Premier Tech
73
29/01/2021
Between November 2013 and 09/12/2020
9/12/2020
?
Florida Healthy Kids Corporation
Florida Healthy Kids Corporation posts a notice on its website about an incident attributed to Jelly Bean Communications Design.
A malicious Home Depot advertising campaign is redirecting Google search visitors to tech support scams.
Malicious Google search ads
X Individual
CC
US
Home Depot
76
30/01/2021
-
-
?
British Mensa
British Mensa, the society for people with high IQs, suffers a hack on its website that results in the theft of members’ personal data.
Unknown
S Other service activities
CC
UK
British Mensa
77
31/01/2021
31/1/2021
31/1/2021
?
Multiple targets
Researchers from NCC Group reveal that the 0-day targeting the Sonicwall devices is currently exploited in the wild.
0-Day vulnerability
Y Multiple Industries
CC
>1
NCC Group, Sonicwall
78
31/01/2021
-
-
Babuk Locker
Serco
Serco, one of the companies involved in the NHS Test and Trace operations, confirms it has been hit by a ransomware attack.
Malware
M Professional scientific and technical activities
CC
UK
Serco, NHS, COVID-19, ransomware, Babuk Locker
79
31/01/2021
-
-
?
Victor Central School District
The Victor Central School District is hit with a malware attack.
Malware
P Education
CC
US
Victor Central School District, ransomware
80
31/01/2021
-
-
?
Raychat
Raychat, a popular Iranian business and social messenger, exposes its entire database (267M+ accounts with names, emails, passwords, metadata, encrypted chats, etc.), which is then destroyed by a bot attack.
Misconfiguration
S Other service activities
CC
IR
Raychat
The “Breachometer” compares the current number of events with the maximum and minimum values recorded in the previous 24 timelines (corresponding to roughly one year).