I can finally publish the second timeline of February, covering the main cyber attacks that occurred in the second half of the month (first timeline here). What an incredible second half of February! I have recorded 129 events, a new maximum for the past 12 months, with an average of 9.9 events per day.
Ransomware continues to dominate the threat landscape with 27 out of 129 events (roughly 20%), but the real number could be even higher, since in most cases organizations don’t provide details on the attack and cite a generic outage instead. Even in this timeline there are high-profile victims, such as a well-known car manufacturer.
Another event characterizing this period is the Accellion FTA breach: it appears that threat actors from FIN11 and Clop (a well-known ransomware group) are extorting organizations after breaching them in December via a zero-day vulnerability. In this timeline alone I have recorded 6 events of this kind, but the list is probably going to grow.
And the new year is also bringing some massive breaches: for example, a threat actor has dumped a trove of 21 million user records from three well-known Android VPN services.
The cyber espionage front is equally crowded, with multiple threat actors such as the Lazarus Group, Turla and Gamaredon. What is really interesting, though, is the appearance of multiple campaigns tied to cyber warfare, carried out via targeted operations (like the Chinese actor RedEcho against power plants in India) and psyops campaigns on social media.
| ID | Date Reported | Date Occurred | Date Discovered | Author | Target | Description | Attack | Target Class | Attack Class | Country | Link | Tags |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 16/02/2021 | – | – | North Korean hackers | Pfizer | North Korean hackers have targeted pharma giant Pfizer in a bid to steal information on its Covid-19 vaccines and treatments. | Targeted Attack | M Professional scientific and technical activities | CE | US | | Pfizer, North Korea |
| 2 | 16/02/2021 | 14/2/2021 | 14/2/2021 | DoppelPaymer | Kia Motors America | Kia Motors America suffers a ransomware attack by the DoppelPaymer gang, demanding $20 million for a decryptor and not to leak stolen data. | Malware | C Manufacturing | CC | US | | Kia Motors America, DoppelPaymer |
| 3 | 16/02/2021 | 14/2/2021 | 14/2/2021 | DoppelPaymer | Hyundai Motor America | Hyundai Motor America is also hit by DoppelPaymer. | Malware | C Manufacturing | CC | US | | Hyundai Motor America, DoppelPaymer |
| 4 | 16/02/2021 | 6/2/2021 | 6/2/2021 | Ragnar Locker | Valdès Analysis Laboratory | The Valdès Analysis Laboratory is hit by a Ragnar Locker ransomware attack. | | | | | | |
| 5 | | | | Avaddon | Meddi Laboratório | Meddi Laboratório is hit with an Avaddon ransomware attack. | Malware | Q Human health and social work activities | CC | BR | | Meddi Laboratório, Avaddon, ransomware |
| 6 | 16/02/2021 | – | – | Conti | Tirrena Scavi S.p.A. | Tirrena Scavi S.p.A. is hit with a Conti ransomware attack. | Malware | M Professional scientific and technical activities | CC | IT | | Tirrena Scavi S.p.A., Conti, ransomware |
| 7 | 16/02/2021 | Since 2020 | 22/6/2020 | ScamClub | Single individuals | Researchers from Confiant reveal that ScamClub, a cybercrime group specialized in showing malicious ads, has abused CVE-2021-1801, an unpatched zero-day vulnerability in WebKit-based browsers, to break security restrictions and redirect users from legitimate portals to shady sites hosting online gift card scams. | Malvertising | X Individual | CC | >1 | | Confiant, ScamClub, CVE-2021-1801, WebKit |
| 8 | 16/02/2021 | During 2020 | End of November 2020 | ? | Multiple targets | Researchers from Check Point uncover a new Office malware builder called APOMacroSploit, which was employed in attacks that targeted more than 80 organizations worldwide. | Malware | Y Multiple Industries | CC | >1 | | Check Point, APOMacroSploit |
| 9 | 16/02/2021 | – | – | ? | Indian Railways | Indian Railways reveals it suffered “a number of incidents regarding breaches in various IT applications”. | Unknown | H Transportation and storage | CC | IN | | Indian Railways |
| 10 | 16/02/2021 | – | – | China | Single individuals | YouTube takes down almost 3000 channels and accounts deemed to be part of a Chinese state coordinated influence operation. | Fake Websites/Social Network accounts | X Individual | CW | >1 | | China, YouTube |
| 11 | 16/02/2021 | – | – | Russia | Single individuals | YouTube takes down a few channels and accounts deemed to be part of a Russian state coordinated influence operation. | Fake Websites/Social Network accounts | X Individual | CW | >1 | | Russia, YouTube |
| 12 | 16/02/2021 | – | – | Morocco | Algeria | Google takes down 5 blogs deemed to be part of a Moroccan state coordinated influence operation against Algeria. | Fake Websites/Social Network accounts | X Individual | CW | DZ | | Morocco, Algeria, YouTube |
| 13 | 16/02/2021 | – | – | Ukraine | European Union | YouTube takes down 4 channels and an advertising account deemed to be part of a Ukrainian state coordinated influence operation against the European Union. | Fake Websites/Social Network accounts | X Individual | CW | EU | | YouTube, Ukraine, European Union |
| 14 | 16/02/2021 | – | 5/2/2021 | ? | Simon Fraser University | Simon Fraser University warns its school community about a cyberattack that breached a server which stored information on student and employee ID numbers and other data, including admissions or academic standing. | Unknown | P Education | CC | CA | | Simon Fraser University |
| 15 | 16/02/2021 | – | – | ? | Kayseri OSB | Kayseri OSB is hit by a ransomware attack. | Malware | S Other service activities | CC | TR | | Kayseri OSB, ransomware |
| 16 | 16/02/2021 | Since late December 2020 | Since late December 2020 | ? | Websites offering instant quotes | The New York State Department of Financial Services reveals that attackers are targeting vulnerabilities in websites offering instant quotes, in an ongoing campaign designed to steal consumers’ information. | Vulnerability | K Financial and insurance activities | CC | US | | New York State Department of Financial Services |
| 17 | 17/02/2021 | – | – | Lazarus Group AKA HIDDEN COBRA | Crypto traders in the US | The FBI, CISA, and US Department of Treasury share detailed info on malicious and fake crypto-trading applications used by North Korean-backed state hackers to steal cryptocurrency via the AppleJeus malware. | Malware | V Fintech | CC | US | | FBI, CISA, US Department of Treasury, AppleJeus, Lazarus Group, HIDDEN COBRA |
| 18 | 17/02/2021 | Mid-January 2021 | – | MassLogger | Users in Turkey, Latvia, and Italy | Researchers from Cisco Talos discover a new campaign carried out via a variant of the MassLogger Trojan, used in attacks designed to steal Microsoft Outlook, Google Chrome, and messenger service account credentials. | Malware | X Individual | CC | >1 | | Cisco Talos, MassLogger, Microsoft Outlook, Google Chrome |
| 19 | 17/02/2021 | Since January 2019 | – | WatchDog | Vulnerable Windows and Linux servers | Researchers from Palo Alto Networks reveal the details of WatchDog, a crypto-mining botnet that has been targeting Linux and Windows servers for two years. | Multiple vulnerabilities | Y Multiple Industries | CC | >1 | | Palo Alto Networks, WatchDog, Linux, Windows |
| 20 | 17/02/2021 | – | – | Conti | BVA Group | BVA Group is hit with the Conti ransomware. | Malware | M Professional scientific and technical activities | CC | FR | | BVA Group, Conti, ransomware |
| 21 | 17/02/2021 | – | – | ? | CityBee | Police in Lithuania are investigating after the personal data of 110,000 customers of the CityBee car sharing service is leaked. | Unknown | H Transportation and storage | CC | LT | | CityBee |
| 22 | 17/02/2021 | – | – | ? | LinkedIn users | A new variant of a typical credential stealer presents itself as a new, secure messaging format used over the career website LinkedIn. | Account Takeover | X Individual | CC | >1 | | LinkedIn |
| 23 | 17/02/2021 | – | – | Sodinokibi AKA REvil | Southern Arkansas University | The Southern Arkansas University is hit with a Sodinokibi ransomware attack. | | | | | | |
| 24 | | | | | University of Amsterdam | The University of Amsterdam is hit with a cyber attack. | Unknown | P Education | CC | NL | | University of Amsterdam |
| 25 | 17/02/2021 | 4/2/2021 | 4/2/2021 | ? | Regional Independent School District 2142 | Regional Independent School District 2142 falls victim to a phishing attack. | Account Takeover | P Education | CC | US | | Regional Independent School District 2142 |
| 26 | 17/02/2021 | – | – | ? | Hellenic Defense Systems | Hellenic Defense Systems is hit with a ransomware attack. | Malware | C Manufacturing | CC | US | | Hellenic Defense Systems, ransomware |
| 27 | 17/02/2021 | During January 2021 | – | ? | University of Alabama – Huntsville (UAH) | Multiple UAH email accounts were compromised through a phishing attempt in January. | Account Takeover | P Education | CC | US | | University of Alabama – Huntsville, UAH |
| 28 | 17/02/2021 | During September 2020 | – | ? | Watermark Retirement Communities | Watermark Retirement Communities announces that it suffered a “cyber intrusion” in September 2020. | Unknown | Q Human health and social work activities | CC | US | | Watermark Retirement Communities |
| 29 | 18/02/2021 | During January 2021 | – | Clop | Jones Day | Hackers from Clop upload gigabytes of highly sensitive data stolen from international law firm Jones Day by exploiting the Accellion FTA vulnerability. | Vulnerability | M Professional scientific and technical activities | CC | US | | Clop, Jones Day, FTA Accellion |
| 30 | 18/02/2021 | – | – | ? | Grand River Medical Group | 34,000 patients of Grand River Medical Group are affected by a potential data breach after an employee’s email is compromised. | Account Takeover | Q Human health and social work activities | CC | US | | Grand River Medical Group |
| 31 | 18/02/2021 | – | – | ? | E-commerce sites | Researchers from Sansec reveal that hackers are abusing Google Apps Script to steal credit cards while bypassing Content Security Policy (CSP) controls. | Malicious Script Injection | G Wholesale and retail trade | CC | >1 | | Sansec, Google Apps Script, Content Security Policy, CSP |
| 32 | 18/02/2021 | 3/2/2021 | – | Cuba ransomware | Automatic Funds Transfer Services (AFTS) | Automatic Funds Transfer Services (AFTS), a payment processor used by many cities and agencies in Washington and other US states, is hit by a Cuba ransomware attack. | Malware | K Financial and insurance activities | CC | US | | Automatic Funds Transfer Services, AFTS, Cuba, ransomware |
| 33 | 18/02/2021 | – | – | ? | RIPE NCC | RIPE NCC warns members that it suffered a credential stuffing attack attempting to gain access to single sign-on (SSO) accounts. | Credential Stuffing | U Activities of extraterritorial organizations and bodies | CC | N/A | | RIPE NCC |
| 34 | 18/02/2021 | – | 15/1/2021 | ? | Undisclosed online storage vendor | Harvard Eye Associates reveals that its online storage vendor paid a ransom to ransomware attackers to recover its data and that of another healthcare provider, Alicia Surgery Center. | Malware | Q Human health and social work activities | CC | US | | Harvard Eye Associates, Alicia Surgery Center, ransomware |
| 35 | 18/02/2021 | – | 23/1/2021 | FIN11 and Clop | Kroger | Supermarket giant Kroger joins the list of the organizations hacked via the Accellion vulnerability. | Vulnerability | G Wholesale and retail trade | CC | US | | Kroger, Accellion, FIN11, Clop |
| 36 | 18/02/2021 | 18/2/2021 | 18/2/2021 | ? | Lakehead University | Canadian undergraduate research university Lakehead is hit with a cyberattack that forces the institution to cut off access to its servers. | Unknown | P Education | CC | CA | | Lakehead University |
| 37 | 18/02/2021 | Since August 2020 | 26/2/2021 | Silver Sparrow | Mac users | Researchers from Red Canary, Malwarebytes, and VMware Carbon Black discover a new macOS malware known as Silver Sparrow, silently infecting almost 30,000 Mac devices, whose purpose is a mystery. | Malware | X Individual | CC | >1 | | Red Canary, Malwarebytes, VMware Carbon Black, Silver Sparrow, Mac |
| 38 | 18/02/2021 | – | 18/2/2021 | ? | RMIT University | Melbourne’s RMIT University is hit with a phishing attack. | Account Takeover | P Education | CC | AU | | RMIT University |
| 39 | 18/02/2021 | 18/2/2021 | 18/2/2021 | Myanmar Hackers | Multiple web sites in Myanmar | A group called Myanmar Hackers disrupts multiple government websites including the Central Bank, the Myanmar Military’s propaganda page, state-run broadcaster MRTV, the Port Authority and the Food and Drug Administration. | DDoS | O Public administration and defence, compulsory social security | H | MM | | Myanmar, Myanmar Hackers, Central Bank, Myanmar Military’s propaganda page, MRTV, Port Authority, Food and Drug Administration |
| 40 | 18/02/2021 | – | – | ? | Cryptopia | More than $60,000 worth of cryptocurrency is stolen from international currency exchange Cryptopia, despite the company being in liquidation following a $24 million hack. | Unknown | V Fintech | CC | NZ | | Cryptopia |
| 41 | 18/02/2021 | – | – | ? | 50,000 records of French healthcare professionals | The data of 50,000 French healthcare professionals is on sale in the underground market. | Unknown | Q Human health and social work activities | CC | FR | | French healthcare professionals |
| 42 | 18/02/2021 | Between 07/09/2020 and 24/09/2020 | 18/12/2020 | ? | Hackley Community Care | Hackley Community Care notifies around 2,500 patients that their personal and health information was exposed during a phishing attack on employee email accounts. | Account Takeover | Q Human health and social work activities | CC | US | | Hackley Community Care |
| 43 | 18/02/2021 | – | – | ? | Kettering Health Network | Kettering Health Network warns that scammers have created a fake COVID-19 vaccine scheduling webpage so they can procure patients’ personal and banking information. | Account Takeover | Q Human health and social work activities | CC | US | | Kettering Health Network, COVID-19 |
| 44 | 19/02/2021 | 13/2/2021 | – | ? | Underwriters Laboratories | UL LLC, better known as Underwriters Laboratories, has suffered a ransomware attack that encrypted its servers and forced it to shut down systems while it recovers. | Malware | M Professional scientific and technical activities | CC | US | | Underwriters Laboratories, UL LLC, ransomware |
| 45 | 19/02/2021 | – | – | ? | Multiple targets | Researchers at GreatHorn discover a new wave of phishing attacks using malformed URLs. | Account Takeover | Y Multiple Industries | CC | >1 | | GreatHorn |
| 46 | 19/02/2021 | – | – | ? | Undisclosed French adult site | An unknown attacker leaks the data stolen from an undisclosed French adult site. | Unknown | R Arts entertainment and recreation | CC | FR | | French Adult Site |
| 47 | 19/02/2021 | – | – | ? | 1.4 million French Twitter users | The data of 1.4 million French Twitter users is on sale in the underground market. | Unknown | X Individual | CC | FR | | Twitter |
| 48 | 19/02/2021 | – | – | ? | Yuba County | Yuba County is hit by a ransomware attack. | Malware | O Public administration and defence, compulsory social security | CC | US | | Yuba County, ransomware |
| 49 | 19/02/2021 | – | – | ? | Afnor (Association Française de Normalisation) | Afnor is hit by a Ryuk ransomware attack. | Malware | S Other service activities | CC | FR | | Afnor, Ryuk ransomware, Association Française de Normalisation |
| 50 | 19/02/2021 | – | – | ? | Bénéteau | Bénéteau is hit by a cyberattack that forces it to shut down its network. | Malware | C Manufacturing | CC | FR | | Bénéteau, ransomware |
| 51 | 19/02/2021 | Since early 2021 | – | Turla (AKA Belugasturgeon, Ouroboros, Snake, Venomous Bear and Waterbug) | Multiple targets | Researchers from Palo Alto reveal that the Russian hacking group Turla is deploying an IronPython-based malware loader called “IronNetInjector” to deliver the ComRAT access tool. | | | | | | |
| 52 | | | | Bitter AKA T-APT-17 | | Microsoft reveals that the high-severity Windows zero-day vulnerability CVE-2021-1732, patched during the February 2021 Patch Tuesday, was exploited in the wild since at least the summer of 2020 by a group known as Bitter or T-APT-17. | Targeted Attack | Y Multiple Industries | CC | >1 | | Microsoft, CVE-2021-1732, Bitter, T-APT-17 |
| 53 | 20/02/2021 | 19/2/2021 | – | ? | NurseryCam | NurseryCam, a webcam system that lets parents watch their children while at nursery school, has written to families to tell them of a data breach. An attacker was able to obtain the data for 12,000 accounts. | Unknown | N Administrative and support service activities | CC | UK | | NurseryCam |
| 54 | 20/02/2021 | – | – | ? | Single individuals in Northern Ireland | Royal Mail warns people in Northern Ireland not to fall for parcel scams circulating by text and email. | Account Takeover | X Individual | CC | UK | | Royal Mail |
| 55 | 20/02/2021 | 14/2/2021 | 18/2/2021 | ? | Cashalo | Fintech platform Cashalo is hit with a data breach and the data of 3.3 million users is on sale on the dark web. | Unknown | V Fintech | CC | PH | | Cashalo |
| 56 | 21/02/2021 | Since the third week of February | Since the third week of February | ? | Single individuals | Threat actors are using Google Alerts to promote a fake Adobe Flash Player updater that installs other unwanted programs on unsuspecting users’ computers. | Malware | X Individual | CC | >1 | | Google Alerts, Adobe Flash Player |
| 57 | 21/02/2021 | 21/2/2021 | 21/2/2021 | ? | Saginaw Township Community Schools | Saginaw Township Community Schools experiences IT issues following what is believed to be a ransomware attack. | Malware | P Education | CC | US | | Saginaw Township Community Schools |
| 58 | 21/02/2021 | – | – | ? | St. Margaret’s Health–Spring Valley | St. Margaret’s Health–Spring Valley shuts down its computer network in response to a cyberattack. | Unknown | Q Human health and social work activities | CC | US | | St. Margaret’s Health–Spring Valley |
| 59 | 22/02/2021 | Since 18/02/2021 | – | Egregor? | Ukrainian government websites | The National Security and Defense Council (NSDC) of Ukraine accuses threat actors located on Russian networks of performing DDoS attacks on Ukrainian government websites. | DDoS | O Public administration and defence, compulsory social security | CC | UA | | Egregor, National Security and Defense Council, NSDC |
| 60 | 22/02/2021 | – | – | ? | Multiple targets | Researchers from Phenomite reveal that botnet operators are abusing VPN servers from VPN provider Powerhouse Management as a way to bounce and amplify DDoS attacks. | DDoS | Y Multiple Industries | CC | >1 | | Phenomite, Powerhouse Management |
| 61 | 22/02/2021 | – | – | ? | City and municipality of Chalon-sur-Saône | The city and municipality of Chalon-sur-Saône is hit with a ransomware attack. | Malware | O Public administration and defence, compulsory social security | CC | FR | | Chalon-sur-Saône, ransomware |
| 62 | 22/02/2021 | During April 2020 | 7/5/2020 | ? | Enders Insurance | Enders Insurance issues a press release about a phishing attack that occurred last April when an employee’s email account was compromised. | Account Takeover | K Financial and insurance activities | CC | US | | Enders Insurance |
| 63 | 22/02/2021 | – | – | ? | Charles André Group | The Charles André Group is hit by a cyber attack. | Unknown | H Transportation and storage | CC | FR | | Charles André Group |
| 64 | 22/02/2021 | Mid-December 2020 | – | ? | Victims in UK financial services | Researchers from Cofense discover a phishing campaign abusing the Telegram messaging app’s API to create malicious domains that help bypass security tools. | Account Takeover | Z Unknown | CC | UK | | Cofense, Telegram |
| 65 | 22/02/2021 | – | – | Clop | American Bureau of Shipping | American Bureau of Shipping (ABS Group) joins the list of the victims of the Accellion vulnerability. | Vulnerability | N Administrative and support service activities | CC | US | | American Bureau of Shipping, Clop, Accellion |
| 66 | 22/02/2021 | – | – | Clop | Danaher | Danaher joins the list of the victims of the Accellion vulnerability. | Vulnerability | C Manufacturing | CC | US | | Danaher, Clop, Accellion |
| 67 | 23/02/2021 | 22/1/2021 | 22/1/2021 | ? | TietoEVRY | Finnish IT services giant TietoEVRY suffers a ransomware attack that forces the company to disconnect clients’ services. | Malware | M Professional scientific and technical activities | CC | FI | | TietoEVRY, ransomware |
| 68 | 23/02/2021 | Between February 2018 and November 2020 | – | APT32 AKA Ocean Lotus | Vietnamese human rights defenders (HRDs) | Amnesty International reveals that Vietnam-backed hacking group APT32 has coordinated several spyware attacks targeting Vietnamese human rights defenders (HRDs) between February 2018 and November 2020. | Targeted Attack | X Individual | CE | VN | | Amnesty International, APT32, Ocean Lotus |
| 69 | 23/02/2021 | – | – | Clop | Bombardier | Business jet maker Bombardier is the latest company to suffer a data breach by the Clop gang after attackers exploited the Accellion zero-day vulnerability to steal company data. | Vulnerability | C Manufacturing | CC | CA | | Bombardier, Clop, Accellion |
| 70 | 23/02/2021 | – | – | FIN11 and Clop | Transport for New South Wales (TfNSW) | Transport for New South Wales (TfNSW) confirms being impacted by a cyber attack on the Accellion file transfer system. | Vulnerability | O Public administration and defence, compulsory social security | CC | AU | | Transport for New South Wales, TfNSW, Accellion, FIN11, Clop |
| 71 | 23/02/2021 | – | – | FIN11 and Clop | NSW Health | NSW Health also confirms being impacted by a cyber attack on the Accellion file transfer system. | Vulnerability | Q Human health and social work activities | CC | AU | | NSW Health, Accellion, FIN11, Clop |
| 72 | 23/02/2021 | – | – | ? | Vulnerable servers | Researchers from Akamai discover a crypto mining botnet abusing Bitcoin blockchains as a backup Command and Control. | CVE-2015-1427 and CVE-2019-9082 vulnerabilities | Y Multiple Industries | CC | >1 | | Akamai, Bitcoin, CVE-2015-1427, CVE-2019-9082 |
| 73 | 23/02/2021 | Since 2019 | – | Gamaredon | Several government entities in Ukraine | Researchers from Cisco Talos reveal the details of the latest Gamaredon campaign targeting several government entities in Ukraine. | Targeted Attack | O Public administration and defence, compulsory social security | CE | UA | | Cisco Talos, Gamaredon |
| 74 | 23/02/2021 | End of 2020 | – | Iran | US Twitter users | Twitter announces that it suspended 130 accounts that were found to be part of a network involved in disinformation activities associated with Iran, aimed at disrupting the public conversation during the 2020 US Presidential Debate. | Fake Websites/Social Network accounts | O Public administration and defence, compulsory social security | CW | US | | Iran, Twitter |
| 75 | 23/02/2021 | End of 2020 | – | Armenia | Twitter users in Azerbaijan | Twitter announces that it suspended 108 accounts that were found to be part of a network involved in disinformation activities associated with Armenia, aimed at disrupting the public conversation in Azerbaijan. | Fake Websites/Social Network accounts | O Public administration and defence, compulsory social security | CW | AZ | | Armenia, Twitter, Azerbaijan |
| 76 | 23/02/2021 | End of 2020 | – | Russia | Twitter users | Twitter announces that it suspended 69 accounts that were found to be part of a network involved in disinformation activities associated with Russia, aimed at amplifying narratives aligned with the interests of the Russian government. | Fake Websites/Social Network accounts | O Public administration and defence, compulsory social security | CW | >1 | | Twitter, Russia |
| 77 | 23/02/2021 | End of 2020 | – | Russia | Twitter users | Twitter announces that it suspended 31 accounts that were found to be part of a network, affiliated with the Internet Research Agency (IRA) and with Russian government-linked actors, involved in disinformation activities associated with Russia and aimed at amplifying narratives aligned with the interests of the Russian government. | Fake Websites/Social Network accounts | O Public administration and defence, compulsory social security | CW | >1 | | Twitter, Russia, Internet Research Agency, IRA |
| 78 | 23/02/2021 | Mid-February 2021 | Mid-February 2021 | ? | Undisclosed target | Researchers from Armorblox detect a phishing campaign impersonating FedEx targeting a large organization. | Account Takeover | Z Unknown | CC | N/A | | Armorblox, FedEx |
| 79 | 23/02/2021 | Mid-February 2021 | Mid-February 2021 | ? | Undisclosed target | Researchers from Armorblox detect a phishing campaign impersonating DHL targeting a large organization. | Account Takeover | Z Unknown | CC | N/A | | Armorblox, DHL |
| 80 | 23/02/2021 | – | – | ? | Ben Franklin High School | A virtual trip of students at the Ben Franklin High School is hacked. | Zoom bombing | P Education | CC | US | | Ben Franklin High School |
| 81 | 23/02/2021 | 18/2/2021 | 18/2/2021 | ? | Angolan Ministry of Finance | The Angolan Ministry of Finance suffers a cyber attack. | Unknown | O Public administration and defence, compulsory social security | CC | AO | | Angolan Ministry of Finance |
| 82 | 23/02/2021 | 10/2/2021 | – | DoppelPaymer | Cuyahoga Metropolitan Housing Authority (CMHA) | The Cuyahoga Metropolitan Housing Authority is hit by a DoppelPaymer ransomware attack. | Malware | O Public administration and defence, compulsory social security | | | | |
| 83 | | | | | Jacobson Memorial Hospital & Care Center | Jacobson Memorial Hospital & Care Center discloses a phishing attack that occurred in July 2020. | Account Takeover | Q Human health and social work activities | CC | US | | Jacobson Memorial Hospital & Care Center |
| 84 | 23/02/2021 | 10/9/2020 | 14/9/2020 | ? | University Hospital | University Hospital in Newark, N.J., notifies consumers that an unauthorized individual gained access to the hospital’s computer systems, in a notice published Feb. 23. | Unknown | Q Human health and social work activities | CC | US | | University Hospital |
| 85 | 23/02/2021 | Since 2021 | – | TA505 | Security researchers | Researchers from Zscaler discover a new instance of the MINEBRIDGE remote-access Trojan targeting security researchers by using a malicious payload disguised in an attached document. | Malware | X Individual | CC | >1 | | Zscaler, MINEBRIDGE |
| 86 | 24/02/2021 | Since 2018 | – | LazyScripter | Individuals seeking immigration to Canada for a job, airlines, and the International Air Transport Association (IATA) | Security researchers from Malwarebytes uncover activity belonging to a previously unidentified actor dubbed LazyScripter, active since 2018, using phishing to target individuals seeking immigration to Canada for a job, airlines, and the International Air Transport Association (IATA). | Targeted Attack | H Transportation and storage | CE | >1 | | Malwarebytes, LazyScripter |
| 87 | 24/02/2021 | – | – | Egregor? | State agencies in Ukraine | The National Security and Defense Council of Ukraine (NSDC) links Russian-backed hackers to attempts to breach state agencies after compromising the System of Electronic Interaction of Executive Bodies (SEI EB) used by most public authorities to share documents. | Vulnerability | O Public administration and defence, compulsory social security | CC | UA | | Egregor, National Security and Defense Council, NSDC |
| 88 | 24/02/2021 | 24/2/2021 | 24/2/2021 | Multiple threat actors | Vulnerable Internet-exposed VMware servers | After security researchers have developed and published proof-of-concept (PoC) exploit code targeting a critical vCenter remote code execution (RCE) vulnerability, attackers are now actively scanning for vulnerable Internet-exposed VMware servers. | CVE-2021-21972 Vulnerability | Y Multiple Industries | CC | >1 | | CVE-2021-21972, VMware |
| 89 | 24/02/2021 | – | – | Clop | Organizations using the Accellion File Transfer Appliance (FTA) | Four members of Five Eyes, in collaboration with Singapore, issue a joint security advisory about ongoing attacks and extortion attempts targeting organizations using the Accellion File Transfer Appliance (FTA). | Vulnerability | Y Multiple Industries | CC | >1 | | Clop, Accellion File Transfer Appliance, FTA |
| 90 | 24/02/2021 | Between 2019 and 2020 | During 2020 | Stibnite | Wind turbine companies that generate electric power in Azerbaijan | Researchers from Dragos reveal the details of Stibnite, a cyber criminal group focused on wind turbine companies that generate electric power in Azerbaijan. | Targeted Attack | D Electricity gas steam and air conditioning supply | CW | AZ | | Dragos, Stibnite |
| 91 | 24/02/2021 | Between 2019 and 2020 | During 2020 | Talonite | Electricity providers in the US | Researchers from Dragos reveal the details of Talonite, a cyber criminal group focused on electricity providers in the US. | Targeted Attack | D Electricity gas steam and air conditioning supply | CE | US | | Dragos, Talonite |
| 92 | 24/02/2021 | Between 2019 and 2020 | During 2020 | Kamacite | Energy companies across North America and Europe | Researchers from Dragos reveal the details of Kamacite, a cyber criminal group associated with Sandworm, focused on energy companies across North America and Europe. | Targeted Attack | D Electricity gas steam and air conditioning supply | CE | >1 | | Dragos, Kamacite, Sandworm |
| 93 | 24/02/2021 | Between 2019 and 2020 | During 2020 | Vanadinite | Energy, manufacturing and transport across North America, Europe, Australia and Asia | Researchers from Dragos reveal the details of Vanadinite, a cyber criminal group focused on energy, manufacturing and transport across North America, Europe, Australia and Asia. | Targeted Attack | C Manufacturing | CE | >1 | | Dragos, Vanadinite |
| 94 | 24/02/2021 | – | – | ? | Multiple targets | Researchers from ThreatLocker observe a spike of malicious campaigns targeting QuickBooks databases. | Malware | K Financial and insurance activities | CC | >1 | | ThreatLocker, QuickBooks |
| 95 | 24/02/2021 | 4/5/2020 | – | ? | Covenant HealthCare | Covenant HealthCare notifies 45,000 patients and employees about a data breach that occurred last May 4 when threat actor(s) accessed two employee email accounts. | Account Takeover | Q Human health and social work activities | CC | US | | Covenant HealthCare |
| 96 | 24/02/2021 | Between August 2020 and October 2020 | – | ? | Fisher-Titus Medical Center | The personal information of patients at Fisher-Titus Medical Center was compromised after an unknown person gained access to an employee’s email account. | Account Takeover | Q Human health and social work activities | CC | US | | Fisher-Titus Medical Center |
| 97 | 24/02/2021 | 24/2/2021 | 24/2/2021 | ? | Kentucky Office of Unemployment Insurance | The Kentucky Office of Unemployment Insurance suffers a DDoS attack. | DDoS | O Public administration and defence, compulsory social security | CC | US | | Kentucky Office of Unemployment Insurance |
| 98 | 24/02/2021 | – | – | ? | Stadgenoot | The website of the Amsterdam housing association Stadgenoot is hacked. Data of 30,000 people is stolen. | Unknown | S Other service activities | CC | NL | | Stadgenoot |
| 99 | 24/02/2021 | 21/2/2021 | 21/2/2021 | ? | Manutan Group | The Manutan Group is hit with a ransomware attack. | Malware | N Administrative and support service activities | CC | FR | | Manutan Group, ransomware |
| 100 | 24/02/2021 | – | – | ? | Elara Caring | Elara Caring notifies more than 100,000 patients after corporate email accounts are hacked. | Account Takeover | Q Human health and social work activities | CC | US | | Elara Caring |
| 101 | 24/02/2021 | 2/2/2021 | 2/2/2021 | ? | Cobb County School District | The Cobb County School District investigates a malfunction of its emergency alert system, saying it was a “targeted, external attack” that placed all 112 of its schools on lockdown. | Misconfiguration | P Education | CC | US | | Cobb County School District |
| 102 | 25/02/2021 | Since 2020 | – | Lazarus Group AKA HIDDEN COBRA | Defense industry | Kaspersky researchers identify a previously unknown campaign from Lazarus. Since early 2020, the group has been targeting the defense industry with a custom backdoor dubbed ThreatNeedle. | Targeted Attack | C Manufacturing | CE | >1 | | Lazarus Group, HIDDEN COBRA, Kaspersky |
| 103 | 25/02/2021 | Since January 2020 | During March 2020 | TA413 | Several Tibetan organizations | Researchers from Malwarebytes reveal that several Tibetan organizations were targeted in a cyber-espionage campaign by a state-backed hacking group using a malicious Firefox extension designed to hijack Gmail accounts and infect victims with malware. | Targeted Attack | O Public administration and defence, compulsory social security | CE | – | | TA413, Malwarebytes, Gmail |
| 104 | 25/02/2021 | – | 13-14/02/2021 | ? | Oxford University | Oxford University confirms that it has detected and isolated an incident at the Division of Structural Biology (known as “Strubi”). | Unknown | P Education | CC | UK | | Oxford University, Division of Structural Biology, Strubi |
| 105 | 25/02/2021 | – | – | ? | Dun & Bradstreet Malaysia | Undisclosed attackers leak some data allegedly stolen from Dun & Bradstreet Malaysia. | Unknown | M Professional scientific and technical activities | CC | MY | | Dun & Bradstreet Malaysia |
| 106 | 25/02/2021 | 20-21/02/2021 | 20-21/02/2021 | ? | Sequoia Capital | American VC firm Sequoia Capital has disclosed a data breach following what looks like a failed business email compromise (BEC) attack from January. | Business Email Compromise | K Financial and insurance activities | CC | US | | Sequoia Capital |
| 107 | 25/02/2021 | – | – | DoppelPaymer | Morgan County | Morgan County has some data leaked by the DoppelPaymer ransomware gang. | Malware | O Public administration and defence, compulsory social security | CC | US | | DoppelPaymer, Morgan County, Ransomware |
| 108 | 25/02/2021 | – | 1/6/2020 | ? | Cornerstone Care | Cornerstone Care discloses a phishing attack that occurred in June 2020. | Account Takeover | Q Human health and social work activities | CC | US | | Cornerstone Care |
| 109 | 25/02/2021 | During 2017 | During November 2020 | ? | Family Medical Center | Family Medical Center, part of Gore Medical Management, notifies patients that their personal information may have been exposed through a hacking incident in 2017. | Unknown | Q Human health and social work activities | CC | US | | Family Medical Center, Gore Medical Management |
| 110 | 25/02/2021 | – | – | ? | Volunteers of America Chesapeake & Carolinas (VOACC) | Volunteers of America Chesapeake & Carolinas (VOACC) notifies individuals of a phishing incident. | Account Takeover | Q Human health and social work activities | CC | US | | Volunteers of America Chesapeake & Carolinas, VOACC |
| 111 | 25/02/2021 | – | – | ? | JFC International (Europe) | JFC International (Europe) is subject to a ransomware attack. | Malware | I Accommodation and food service activities | CC | DE | | JFC International, ransomware |
| 112 | 25/02/2021 | – | – | Clop | Trillium Community Health Plan | Trillium Community Health Plan joins the list of the Accellion vulnerability victims. | Vulnerability | Q Human health and social work activities | CC | US | | Trillium Community Health Plan, Clop, Accellion |
| 113 | 25/02/2021 | 25/02/2021 | 25/02/2021 | ? | Affton School District | Affton School District suffers a ransomware attack. | Malware | P Education | CC | US | | Affton School District, ransomware |
| 114 | 26/02/2021 | – | – | ? | SuperVPN | The data of 21 million users from 3 popular Android VPNs are leaked on a forum. | Misconfiguration | M Professional scientific and technical activities | CC | PK | | SuperVPN |
| 115 | 26/02/2021 | – | – | ? | GeckoVPN | The data of 21 million users from 3 popular Android VPNs are leaked on a forum. | Misconfiguration | M Professional scientific and technical activities | CC | N/A | | GeckoVPN |
| 116 | 26/02/2021 | – | – | ? | ChatVPN | The data of 21 million users from 3 popular Android VPNs are leaked on a forum. | Misconfiguration | M Professional scientific and technical activities | CC | N/A | | ChatVPN |
117
26/02/2021
Since early 2021
–
Ryuk
Multiple targets
The French ANSSI (short for Agence Nationale de la Sécurité des Systèmes d’Information) discovers a new Ryuk variant with self-spread capabilities.
Malware
Y Multiple Industries
CC
>1
ANSSI, Agence Nationale de la Sécurité des Systèmes d’Information, Ryuk, ransomware
118
26/02/2021
–
–
Hotarus Corp
Ecuador’s Ministry of Finance
A ransomware gang called Hotarus Corp hits the Ecuador’s Ministry of Finance.
Malware
O Public administration and defence, compulsory social security
CC
EC
ransomware, Hotarus Corp, Ecuador’s Ministry of Finance
119
26/02/2021
–
–
Hotarus Corp
Banco Pichincha
Hotarus Corp also hits the Ecuador’s largest bank Pichincha.
Malware
K Financial and insurance activities
CC
EC
ransomware, Hotarus Corp, Banco Pichincha
120
26/02/2021
–
–
?
T-Mobile
T-Mobile discloses a data breach after an unknown number of customers were apparently affected by SIM swap attacks.
SIM swap
J Information and communication
CC
US
T-Mobile
121
26/02/2021
–
–
?
Npower
British energy provider Npower suffers a credential stuffing attack, forcing the company to shut down its mobile app.
Credential Stuffing
D Electricity gas steam and air conditioning supply
CC
UK
Npower
122
26/02/2021
Fourth week of February
Fourth week of February
?
Twitter users
Cryptocurrency scammers continue to promote fake giveaways through hacked verified Twitter accounts.
Account Takeover
X Individual
CC
>1
Twitter, Crypto
123
26/02/2021
During December 2020
–
?
Le Service Postal
An attacker reveals to have stolen 150,000 records from “Le Service Postal”
Unknown
N Administrative and support service activities
CC
FR
Le Service Postal
124
26/02/2021
–
–
?
Turnover-it
190,000 records from the recruitment portal Turnover-it are leaked in the Internet
Unknown
N Administrative and support service activities
CC
FR
Turnover-it
125
26/02/2021
–
During May 2020
?
Summit Behavioral Healthcare
Summit Behavioral Healthcare discloses a phishing attack occurred in May 2020.
Account Takeover
Q Human health and social work activities
CC
US
Summit Behavioral Healthcare
126
26/02/2021
12/02/2021
12/2/2021
DoppelPaymer
Florida Studio Theatre
Florida Studio Theatre is hit with a DoppelPaymer ransomware attack.
Malware
R Arts entertainment and recreation
CC
US
Florida Studio Theatre, DoppelPaymer, ransomware
127
26/02/2021
Between 10/11/2020 and 31/12/2020
28/12/2020
?
The Home for the Little Wanderers
The Home for the Little Wanderers discloses a phishing incident.
Account Takeover
Q Human health and social work activities
CC
US
The Home for the Little Wanderers
128
26/02/2021
23/02/2021
–
?
Staring College
Staring College pays a ransom to cyber criminals after being hit by a ransomware attack.
Malware
P Education
CC
NL
Staring College, ransomware
129
26/02/2021
Since early 2021
–
?
European users
Researchers from GreatHorn discover a new phishing campaign impersonating Zoom in order to steal users’ Outlook credentials.
Account Takeover
X Individual
CC
EU
GreatHorn, Zoom, Outlook
130
26/02/2021
Between 07/01/2021 and 25/01/2021
25/01/2021
Clop
Arizona Complete Health
Arizona Complete Health joins the list of the victims of the cyber attacks carried out exploiting the Accellion vulnerability.
Vulnerability
Q Human health and social work activities
CC
US
Arizona Complete Health, Clop, Accellion
131
26/02/2021
–
–
?
Altona Clinic
Altona Clinic is hit with a ransomware attack.
Malware
Q Human health and social work activities
CC
US
Altona Clinic, ransomware
132
27/02/2021
27/02/2021
27/02/2021
?
Furucombo
Furucombo, a tool designed to help users to interact with multiple decentralized finance (DeFi) protocols suffers a 14M$ hack.
Evil Contract
V Fintech
CC
N/A
Furuocombo
133
27/02/2021
–
Last week of February
?
Zee5
Zee5, an Indian OTT platform with over 150 million users has a part of its userbase’s data (9 million records) leaked (again.)
Unknown
J Information and communication
CC
IN
Zee5
134
27/02/2021
14/11/2020
14/11/2020
?
AllyAlign Health
AllyAlign Health disccloses a ransomware attack occurred November 14, 2020.
Malware
Q Human health and social work activities
CC
US
AllyAlign Health
135
28/02/2021
Since mid-2020
–
RedEcho
10 distinct Indian power sector organizations
Researchers from Recorded Future reveal to have observed a large increase in suspected targeted intrusion activity against Indian organizations from Chinese state-sponsored groups via the ShadowPad backdoor.
Targeted Attack
D Electricity gas steam and air conditioning supply
CW
IN
Recorded Future, RedEcho, ShadowPad
136
28/02/2021
–
–
JAx
Gab
An hacktivist claims to have hacked the Far-Right Platform Gab and leaks a collection of more than 70 gigabytes of data representing more than 40 million posts.
SQLi
S Other service activities
H
US
JaXpArO and My Little Anonymous Revival Project, Gab
137
28/02/2021
–
–
?
Groupe Lactalis
The Groupe Lactalis (Lactalis Group) suffers a cyber intrusion.
Unknown
I Accommodation and food service activities
CC
FR
Groupe Lactalis
138
28/02/2021
–
–
?
Single individuals
An AOL mail phishing campaign is underway to steal users’ login name and password by warning recipients that their account is about to be closed.
Account Takeover
X Individual
CC
US
AOL
139
28/02/2021
26/02/2021
26/02/2021
?
City of Kingman
The City of Kingman is hit with a cyber attack.
Unknown
O Public administration and defence, compulsory social security
CC
US
City of Kingman
ID
Date Reported
Date Occurred
Date Discovered
Author
Target
Description
Attack
Target Class
Attack Class
Country
Link
Tags
Enjoy the interactive timeline, and thanks for sharing it, and supporting my work in spreading the risk awareness across the community. Also, don’t forget to follow @paulsparrows on Twitter, or even connect on Linkedin, for the latest updates.
Breachometer
The “Breachometer” compares the current number of events/day with the max and min values recorded in the previous 12 months.