
Incident: Plasma Donation Company Octapharma Shuts Down 180 Centers Worldwide

The disruption has impacted more than 150 plasma centers in the US, with possible effects on European factory operations.

The BlackSuit ransomware gang took credit for the attack on Wednesday, claiming to have exfiltrated business and laboratory data as well as the information of both living and deceased donors.

Reference: Ransomware feared as IT ‘issues’ force Octapharma Plasma to close 150+ centers
Victim: Octapharma

Octapharma, based in Switzerland, is one of the largest privately-owned, independent plasma companies in the world, using plasma donations to develop and manufacture medicines. It says it has more than 180 donation centers worldwide.

Victim: Octapharma Group

Octapharma's US company employs about 3,500 people and operates a little over 150 blood plasma donation centers across America.

Octapharma Group, the parent company based in Germany, reported revenue of €3.26 billion for 2023, from operations across 118 countries.

Reference: Ransomware feared in Octapharma Plasma’s US-wide shutdown
Reference: Plasma donation company Octapharma slowly reopening as BlackSuit gang claims attack
Incident: Network Shutdown after Ransomware Attack at Synlab Italy

Synlab Italia has suspended all its medical diagnostic and testing services after a ransomware attack forced its IT systems to be taken offline. Although the company has not confirmed it, some sensitive medical data may have been exposed to the attackers. As a result of this incident, all laboratory analysis and sample collection services have been suspended until further notice. Customers are advised to contact Synlab by phone because email communication services are inactive.

No major ransomware gang has claimed responsibility for the cyberattack on Synlab Italia.

Victim: Synlab Italia

Part of the Synlab group that is present in 30 countries worldwide, the Synlab Italia network operates 380 labs and medical centers across Italy. It has an annual turnover of $426 million and carries out 35 million analyses every year.

Reference: Synlab Italia suspends operations following ransomware attack
Reference: Japan’s space agency reports cyberattacks, possible data leak [Jun24]
Incident: Sandhar Automotive Component Manufacturer Disclosed Cyber Incident

Sandhar Technologies faced a minor setback in its stock performance after disclosing a cyber-incident impacting certain systems. However, the company promptly reacted by mobilizing its technical and cybersecurity teams to address the threat. It assured stakeholders that no confidential data breach occurred and that the incident had minimal impact on its operations.

Victim: Sandhar Technologies Limited

Sandhar Technologies Limited (Sandhar Group, or simply Sandhar) is an Indian multinational and a global manufacturer of automotive components, primarily catering to automotive OEMs. The company is largely focused on safety and security systems of vehicles, with a pan-India presence and a growing international footprint.

Reference: Sandhar Technologies shares drop after company reports cyber-incident
Reference: Sandhar Technologies Faces Cyber Incident
Incident: Entire Kadokawa Corporation Disrupted as Result of Ransomware Attack

On June 8, Kadokawa Group subsidiary Niconico suffered a significant ransomware attack that initially compromised its video portal before affecting the wider Kadokawa Group corporate conglomerate. The incident has had a ripple effect across the conglomerate, impacting online merchandise orders for stores under the Kadokawa group, as some systems are currently unable to process and ship orders, as well as infrastructure related to company-run websites.

At one point the perpetrator remotely restarted servers to continue the attack and spread ransomware, forcing staff to physically disconnect power and communications cables from affected servers in order to halt the attack.

The attack halted the flow of orders but also reduced production output and caused delays in physical distribution. The impact is evident in the sudden drop in publication releases as well as the halt in payments to partners.

The further shutdown of support systems for domestic editing and production of both print and digital publications has compounded the impact of the incident.

Reference: Kadokawa Group’s Niconico targeted in ransomware attack, affecting wider operations
Victim: Kadokawa Corporation

Kadokawa Corporation operates as a publishing company. The Company provides books publication, magazines publication, and other services. Kadokawa also operates video making, network entertainment designing, and other businesses.

Incident: Panasonic Australia confirms Ransomware Incident

The Akira ransomware gang listed camera and consumer tech giant Panasonic Australia on its darknet leak site overnight, and while the company has confirmed the incident, it has said that no business or customer has been compromised.

Reference: Panasonic Australia confirms cyber incident following Akira ransomware claim
Reference: Senators seek answers from AT&T in massive hacking of US customer call data
Incident: Cyberattack Hits One Of Iceland’s Largest Media Outlets

One of Iceland’s largest media outlets and radio station K100 were both down for around three hours yesterday due to a cyberattack on their publisher, Árvakur.

The attack was carried out by a Russian group named Akira, the publisher has confirmed. The attackers seized and encrypted all of the company's data, leading the company to shut down its computer system as it responded.

Both the media outlet and K100 are currently functioning. It is not clear whether Árvakur has recovered all of the data that were seized or whether it will be able to recover them completely.

Reference: Media Company Árvakur Hit By Russian Cyber Attack
Victim: Árvakur

Árvakur hf is a publishing company formed in 1919 to run Morgunblaðið. Árvakur also operates Landsprent hf, Iceland's largest newspaper printing press. In addition to printing Morgunblaðið, it also prints numerous weekly papers and periodicals for various publishers. Árvakur also operates one of Iceland's largest media outlets and radio station K100.

Reference: Cyberattack on Morgunblaðið Newspaper’s Publisher
Incident: Nearly All AT&T Customers Exposed in Massive 2022 Data Breach

July 15, 2024: AT&T says calls and text message records for about 109 million of the phone service provider's customers were exposed in a massive data breach two years ago. Nearly all of AT&T's mobile phone customers' information was exposed over the course of months in 2022.

The company said that in April hackers exfiltrated records of customer call and text interactions from May 1, 2022, to October 31, 2022, as well as on January 2, 2023. The data originated from AT&T’s ‘workspace’ on a third-party cloud platform.

AT&T said it learned about an "illegal download" of data from a third-party cloud platform called Snowflake in April.

The hacker reportedly demanded a $1 million ransom from AT&T, but ultimately settled for far less. The hacker provided AT&T with a video showing that the stolen data had been deleted.

Reference: AT&T Breach Linked to American Hacker, Telecom Giant Paid $370k Ransom: Reports
Incident: AT&T Data Breach Exposes >70 Million Accounts

In March 2024, AT&T said it was investigating a possible data breach after personal data from more than 70 million current and former customers was discovered on the dark web.

Based on a preliminary analysis, the company said the data set appeared to be from 2019 or earlier and impacts approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.

Reference: AT&T Addresses Recent Data Set Released on the Dark Web
Reference: AT&T Investigating Potential Data Breach Impacting More Than 70M Past And Current Customers
Reference: Major Cyberattacks And Data Breaches In 2024
Victim: AT&T

AT&T is the world's largest telecommunications company (2019). AT&T is also the largest provider of mobile telephone services and the largest provider of fixed telephone (landline) services in the United States.

Reference: Five things to know about the AT&T data breach
Reference: Cyber-attack on Hydro
Incident: Ransomware Attack Shuts Down Large US Furniture Company

Bassett Furniture was forced to shut down its manufacturing facilities following a ransomware attack. Company officials are working to bring impacted systems back online and implement workarounds in order to reduce the disruption.

“As a result of the Company’s containment measures, which included shutting down some systems, the Company has not been, and, as of the date of this Report is not operating its manufacturing facilities,” Bassett Furniture said in an 8-K filing with the Securities and Exchange Commission.

Reference: Bassett Furniture reports significant cyber incident
Victim: Bassett Furniture

Bassett Furniture is one of the largest manufacturers and marketers of furniture in the USA, operating nearly 90 stores across the country.

Reference: Furniture giant shuts down manufacturing facilities after ransomware attack
Reference: Stellantis Demands $26M In Damages From Chinese Supplier Sparking Lawsuit
Reference: Qilin ransomware claims attack on automotive giant Yanfeng
Incident: Theft of Intellectual Property at Volkswagen Took Place over Several Years.

[Publicly reported April 2024]
Suspected Chinese state hackers breached Volkswagen’s systems and stole sensitive information over several years (2010-2015), including details about gasoline engines, transmission development, fuel cells, and electric vehicle initiatives. At least 19,000 documents related to the company’s research and development were exfiltrated.

ZDF frontal and "Spiegel" were able to view more than 40 documents as part of an international cooperation on Chinese espionage activities in Europe, showing what the data thieves stole.

Reference: Multi-year Volkswagen breach points to Chinese hackers
Reference: The big hack at VW – China in focus
Incident: Major Aircraft Component Manufacturer Scammed out of $50 Million

Fischer Advanced Composite Components AG (FACC) was swindled a record 42 million euros (around $47 million) through a spear-phishing attack.

A fake email that impersonated its then CEO, Walter Stephan, conned one of FACC's financial department employees into wiring 50 million euros that were supposedly for one of the company's acquisition projects.

Victim: Fischer Advanced Composite Components AG (FACC)

FACC is a major designer and manufacturer of aircraft components and systems, with a client base that includes Boeing, Airbus, Rolls-Royce, Siemens SAS and Mitsubishi Heavy Industries.

Reference: Austrian Aeronautics Company Loses Over €42 Million to BEC Scam
Incident: Popular Home Electronics Manufacturer, boAt, hit by Ransomware Attack

Popular Indian audio products and smartwatch maker boAt has suffered a massive data breach, with the personal information of more than 7.5 million customers leaked and being sold on the dark web.

Forbes India reports: The leaker's profile (ShopifyGUY) is relatively new and only has this leak under his belt. As the data is genuine, the hacker will gain a good reputation among the forum community.

Reference: Hit with massive data breach, boAt loses data of 7.5 million customers
Victim: boAt

boAt is an Indian audio products and smartwatch maker.

Founded in 2016 by Shark Tank judge Aman Gupta and Sameer Mehta, boAt has emerged as the second most popular wearable brand in the third quarter of 2023, as per an IDC report. The Gurugram-based company is widely popular among Indian consumers and is known for its reasonable earphones and other audio products. It also makes other products, like smartwatches and speakers.

Reference: Over 7.5 million boAt users personal information leaked in a major data breach
Reference: Name, address, contact number, email ID and other details of 7.5 million Boat customers leaked on Dark Web, claims report
Incident: Ransomware attack at Synnovis Throws >3000 UK Hospitals into Chaos

Synnovis was hit by a ransomware cyber-attack on Monday 3 June 2024.
NHS reports that this attack has caused significant disruption in south east London across a range of different treatments.

The hackers executed the breach by injecting malware into Synnovis’s IT system. This software locked the entire computer system until a ransom was paid to regain control and remove the ransomware. The ripple effect was significant as over 3,000 hospital and GP appointments were thrown into chaos as a direct result.

Synlab, the parent company of Synnovis, experienced a total of three significant cyber security breaches in the past year.

Reference: Criminal gang behind London hospitals cyberattack lists victim on darknet site
Reference: NHS confirms patient data stolen in cyber attack
Victim: Synnovis

Synnovis is a pathology partnership between SYNLAB, Guy's and St Thomas' NHS Foundation Trust and King's College Hospitals NHS Trust. Synnovis also provides specialist tests for other hospitals in the country.

Reference: Former NCSC Head: Synnovis Ransomware Cyber Attack Caused by Trilogy of Issues
Reference: Synnovis Ransomware Cyber-Attack
Incident: Wichita City Ransomware Attack Shuts Down Services

The cyberattack on the city of Wichita, Kansas water system targeted water metering, billing and payment processing. All water systems are secure. Other Wichita city services were also affected and offline.

Hackers copied files from the city's network, and the city shut down many online services, buying time to minimize the damage. Wichita will temporarily lean on paper records and perform more administrative chores by hand. The City will not shut off any water accounts. KSN News reported that al

Reference: City of Wichita water bill payment system up after cyberattack
Reference: City of Wichita says cyberattack did not hurt water systems, other FAQs
Victim: City of Wichita

City of Wichita, KS, USA

Reference: Wichita ransomware attack shuts down multiple services. What comes next?
Reference: City of Wichita water bill payment system up after cyberattack
Incident: Illegal App Renders 80% of Bicycles Out of Use in Bologna, Italy

A pirated app caused the bike-sharing service in Bologna to crash, putting most of the bikes out of service. The illegal platform compromised the functioning of the bike-sharing service, rendering 80% of the available bikes unusable.

The application in question was available online and allowed users to bypass the security systems of the bike sharing service, unlocking bicycles without the need for a regular subscription or payments. This breach created a significant disservice for the many users who rely on bike sharing for their daily travel around the city.

Reference: Hackers Write Illegal App That Paralyzes Bike Sharing. 80% of Bicycles Are Out of Use
Incident: Large Scale Data Breach Disrupts >200 Indonesian Government Agencies

On June 20th, one of the temporary National Data Centers suffered a cyberattack that encrypted the government's servers and disrupted immigration services, passport control, issuing of event permits, and other online services. The government confirmed that a new ransomware operation, Brain Cipher, was behind the attack, disrupting over 200 government agencies.

Semuel Abrijani Pangerapan of the Ministry of Communication and Information said: "Regarding security, we have succeeded in carrying out quarantine or isolation in the affected areas."

Victim: Indonesian Government

Indonesian Government

Reference: Meet Brain Cipher — The new ransomware behind Indonesia’s data center attack
Threat Actor: Brain Cipher

Brain Cipher is a new ransomware operation launched in June 2024, conducting attacks on organizations worldwide.

Brain Cipher will breach a corporate network and spread laterally to other devices. Once the threat actors gain Windows domain admin credentials, they deploy the ransomware throughout the network.

In the latest hack the data encryptor is based on the leaked LockBit 3 encryptor, which has been thoroughly analyzed in the past; unless Brain Cipher tweaked the encryption algorithm, there are no known ways to recover files for free.

Reference: BBSN Says PDNS 2 Disruption Due to Braincipher Ransomware
Incident: Dynamo Software hit by Ransomware Attack

Dynamo detected suspicious activity on its US-based servers which was determined to be a ransomware attack. Dynamo states that it took its systems offline while the suspicious activity was investigated, and systems were restored.

Victim: Dynamo Software

Dynamo Software

Reference: Notice of Dynamo Software Data Security Incident
Incident: Ransomware Attack at Dutch Eurotrol B.V.

Eurotrol B.V. recently fell victim to a ransomware attack by the BlackSuit group. The ransomware encrypted files on Eurotrol's systems, appending the .blacksuit extension and leaving a ransom note named README.BlackSuit.txt. The note directed Eurotrol to a Tor chat site for further communication with the attackers.

Reference: Eurotrol Data Breach on June 13, 2024
Reference: Eurotrol B.V. Hit by BlackSuit Ransomware, Disrupting Diagnostic Services
Reference: Keytronic confirms data breach after ransomware gang leaks stolen files
Reference: Keytronic Says Personal Information Stolen in Ransomware Attack
Reference: Website of Israeli Oil Refinery Taken Offline by Pro-Iranian Attackers
Incident: Multiple Data Breaches at Maritime Industry Authority (MARINA)

MANILA, Philippines – The Maritime Industry Authority (MARINA) confirmed that a cyberattack compromised at least four of its systems, becoming the latest victim in a growing list of government agencies that have recently faced data breaches.

The attack, which happened on Sunday, June 16, hit four of MARINA’s “web-based systems.” MARINA’s systems manage various types of information, including vessel registrations, seafarers’ information documents, and record books. MARINA said that it aimed to bring systems back online “to receive and process applications on Tuesday, June 18, 2024.”

On July 4, MARINA assured stakeholders that its newly launched, blockchain-enabled online certification system has been made more secure. It now employs two-factor authentication at log-in. Only MARINA clients are allowed to register and use the program.

Reference: MARINA launches ‘safer’ blockchain-enabled portal after data breach
Victim: Maritime Industry Authority (MARINA)

Maritime Industry Authority (MARINA) in the Philippines

Reference: MARINA assures seafarers’ data safe after cyber attack
Incident: Ransomware Attack at Vietnam Post Takes Systems Offline

The Vietnamese government-owned postal service has restored operation of its services after they were down for several days due to a cyberattack.

Vietnam Post was reportedly hit by ransomware on June 4, affecting the operation of its postal and delivery services. At the time, the company reported that its financial, administrative, and goods distribution services were unaffected by the attack.

Victim: Vietnam Post

Vietnamese government-owned postal service

Reference: Vietnam’s state postal service claims to restore its systems after cyberattack
Incident: Cloud Provider Snowflake Suffers Snowballing Data Breach

The number of alleged hacks targeting the customers of cloud storage firm Snowflake appears to be snowballing into one of the biggest data breaches of all time. The earliest evidence of unauthorized access to Snowflake customer instances occurred on April 14, according to Mandiant's June 10 threat intelligence report on the attacks.

Allegedly affected customers are Ticketmaster (560 million records), Santander (30 million records), automotive giant Advance Auto Parts (380 million records/3TB), LendingTree and QuoteWizard (190 million records/2TB). Neither LendingTree nor Advance Auto Parts has filed breach notifications with the Securities and Exchange Commission at this time.

Reference: Overview of the Snowflake Breach: Threat Actor Offers Data of Cloud Company’s Customers
Reference: Snowflake account hacks linked to Santander, Ticketmaster breaches
Reference: Advance Auto Parts stolen data for sale after Snowflake attack
Reference: The Snowflake Attack May Be Turning Into One of the Largest Data Breaches Ever
Victim: Snowflake Inc

Snowflake Inc. is an American cloud computing–based data cloud company based in Bozeman, Montana. It was founded in July 2012 and was publicly launched in October 2014 after two years in stealth mode. The firm offers a cloud-based data storage and analytics service, generally termed "data-as-a-service".

Incident: Threat Actor targets Russia’s Aviation Sector.

A threat actor known as "Sticky Werewolf" is using layered infection chains to compromise organizations involved with Russia's aviation industry. The group has been around since at least April 2023, and seems to be interested in espionage relating to the conflict between Russia and Ukraine.

The group was targeting public organizations in Russia and Belarus, but recent targets have included a pharmaceutical company and a Russian research institute involved in microbiology and vaccine development. In prior campaigns, Sticky Werewolf phishing emails included links to download malicious files. Now, its infections are notably more complex. The final payload will be some sort of commercial remote access Trojan (RAT).

Threat Actor: Sticky Werewolf

The group, tracked as "Sticky Werewolf," is suspected of having geopolitical and/or hacktivist motivations, and has been linked to cyber campaigns targeting public organizations in Russia and Belarus since at least April 2023.

Victim: Russian Aviation Industry

Russian Aviation Industry

Reference: ‘Sticky Werewolf’ APT Stalks Aviation Sector
Incident: AMD Investigates Potential Cyberattack by IntelBroker

AMD is investigating whether it suffered a cyberattack after a threat actor put allegedly stolen data up for sale on a hacking forum, claiming it contains AMD employee information, financial documents, and confidential information. "We are aware of a cybercriminal organization claiming to be in possession of stolen AMD data," AMD told BleepingComputer in a statement.

The threat actor, IntelBroker, shared screenshots of some of the supposedly stolen AMD credentials but has yet to disclose how much they are selling it for or how it was obtained.

Reference: AMD Hack Won’t Have a Material Impact on Business, Company Says
Incident: Multiple Day Outage at Oahu Transit Services.

Oahu's bus and transportation services have been suffering from a network outage that may be a ransomware attack originating in Malaysia; DragonForce is the alleged hacker group. "Oahu Transit Services' (OTS) online services including the website, HEA, and related real-time transit and GPS apps are currently unavailable," the statement said.

Reference: FBI, Police Investigate Possible Ransomware Attack At TheBus, Handi-Van
Reference: AMD investigates breach after data for sale on hacking forum
Reference: AMD Investigates Potential Cyberattack by IntelBroker Hacking Group
Incident: Cactus Ransomware Group Claims they stole 1.5TB of Schneider Electric data

Manufacturing industry giant Schneider Electric’s Sustainability Business Division suffered a ransomware attack where the attacker accessed some customer data earlier this month.

The Cactus ransomware gang stole terabytes of corporate data during the cyberattack and is now extorting the company by threatening to leak the stolen data, according to a report in BleepingComputer.

Reference: Cactus ransomware hackers say they stole terabytes of Schneider Electric data
Reference: Schneider Business Unit Hit In Ransomware Attack
Incident: Ransomware Attack at Soon Lian Holdings

Soon Lian Holdings announced that it suffered a ransomware attack on the evening of July 3. The group said there has been no significant impact to its business operations and that it activated its business continuity plan immediately after.

Victim: Singaporean F&B group YKGI

Singaporean F&B group YKGI - abbreviation for Yew Kee Group International. YKGI Limited is an established home-grown food & beverage (F&B) operator with a track record of more than 30 years. The company owns and operates a diverse portfolio of brands including Yew Kee Duck Rice, XO Minced Meat Noodles, My Kampung Chicken Rice, PastaGo and Victoria Bakery.

Incident: Cyberattack at Singaporean F&B group YKGI

Singaporean F&B group YKGI, which operates brands such as CHICHA San Chen, Yew Kee Duck Rice, and Kampung Kopi House, has been hit with a cyberattack.

The data breach occurred with the company’s customer relationship management (CRM) platform, which is operated by a third-party vendor. The hacker got hold of one of the vendor’s shared servers, and was able to access the CHICHA San Chen membership database stored there.

Reference: Data breach hits F&B operator YKGI
Victim: Soon Lian Holdings Ltd

Soon Lian Holdings is an investment company that distributes aluminum alloy parts for engineering, marine, precision, and semiconductor applications. The company is based in Singapore.

Reference: Soon Lian Holdings reports ransomware attack
Incident: Data Breach at TotalEnergies Exposes over 200,000 Customers

TotalEnergies Clientes SAU has reported a significant cyberattack that compromised the personal data of 210,715 customers. The company is collaborating with the Police and the Spanish Data Protection Agency "to initiate all relevant legal actions against those responsible for this action."

The incident has raised serious concerns about data security and the integrity of digital infrastructures in the energy sector.

Victim: TotalEnergies SE

TotalEnergies SE is a French multinational integrated energy and petroleum company founded in 1924 and is one of the seven supermajor oil companies.

Reference: Total Energies suffers a cyber attack on the data of 210,715 customers [machine translated]
Reference: TotalEnergies Cyber Attack: Data of 210,715 Customers Exposed
Incident: Ransomware Attack at Engineering and Construction Company Hiap Seng Industries

Hiap Seng Industries, a prominent engineering and construction company, has fallen victim to a ransomware attack that compromised its servers. The company has swiftly taken measures to contain the breach and ensure the continuity of its business operations.

Hiap Seng Industries reported that there has been no material impact on its business operations due to the incident.

Victim: Hiap Seng Engineering Ltd.

Hiap Seng Engineering Ltd. is an industrial building construction company headquartered in Singapore.

Reference: Hiap Seng latest victim of cyber attack
Incident: BlackSuit Ransomware Attack at CDK Global Causes Widespread Disruption

On June 19, CDK Global, a major car dealership software company, suffered a cyberattack prompting the company to take all systems offline "out of an abundance of caution." Reuters reported CDK took down its dealer management system at more than 15,000 retail locations.

The outage has impacted about half of Volkswagen dealers and around 60% of Audi's dealers, and several car retailers also flagged disruptions. Dealers moved back to traditional pen and paper to conduct operations. As a result, new car sales for June are projected to fall.

The hacker group was identified as BlackSuit. As of Wednesday, July 3, the company is still working to get all impacted dealers back online. The date all dealerships using CDK are expected to be back online following the attack is July 4.

Threat Actor: BlackSuit

BlackSuit emerged in May 2023 and mainly targets US companies in the education and industrial goods sectors. BlackSuit uses a double-extortion method and other tactics, techniques, and procedures (TTPs) that reflect a maturity atypical of a group that's only been around for a year. This reflects its origin in Royal, which in turn was comprised of members of the formidable and now-defunct Conti ransomware gang.

Reference: Why a hack at CDK Global is casting a shadow on US auto sales
Reference: CDK Global cyberattack: Timeline of the hack, outages and when services could return
Victim: CDK Software

CDK Global Inc. is an American multinational corporation based in Austin, Texas, providing data and technology to the automotive, heavy truck, recreation, and heavy equipment industries.

Incident: Nearly All Systems Offline for Weeks at Global Forklift Manufacturer

Crown Equipment Corporation, the world's fourth largest forklift manufacturer, has resumed global manufacturing after a cyberattack that took nearly all of its systems offline for several weeks. Since June 8 the company has faced significant operational disruption. On July 4 Crown said its 24 global manufacturing plants were back in operation after being suspended on June 10.

Crown confirmed that the multi-week operations disruption resulted from a social engineering attack by an international cybercrime group.

Reference: Crown Equipment Confirms a Cyber Attack by a Cybercrime Group After a Multi-Week Disruption
Victim: Crown Equipment Corporation

Crown Equipment Corporation is the world’s fourth largest forklift manufacturer. Crown was founded in 1945, employs 19,600 people globally and has more than 500 retail locations in 80 countries.

Reference: Crown back in production after cyberattack
Incident: Prolonged effects of Cyberattack on City of Leicester almost Two Months after Initial Attack

The council disabled its phone and computer systems on 7 March after a "cyber incident". The issue led to prolonged disruption:
- BBC reports on April 3: 25 stolen documents had been posted online, but now a "much larger batch" has been released. Council bosses said the attack on its systems was "highly sophisticated". The council said its IT networks were now back online and that a known ransomware group was responsible.
- BBC reports on April 23: wider effects of the cyberattack continue to show, including a number of street lights that are staying on during the day. "This means we are currently not able to remotely identify faults in the street lighting system. A number of steps are required to resolve the problem, and we are working through these as quickly as we can," says a city council spokesperson.

INC Ransom claimed responsibility for the attack.

Victim: Leicester City Council

Leicester City Council, UK

Reference: Stolen data published after Leicester cyber-attack
Reference: Cyber-attack leaves Leicester street lights permanently on
Reference: Leicester City Council’s services back online after ‘cyber incident’
Incident: Northern Minerals Hit in Ransomware Attack

Australian mining company Northern Minerals fell victim to a cybersecurity breach back in March that led to stolen data appearing on a leak site on the dark web, officials said Tuesday.
The miner revealed the threat actors stole data from its systems in late March and then published it on the dark web.

Reference: Aussie Mining Firm Hit In Ransomware Attack
Victim: Northern Minerals

Northern Minerals mines and develops heavy rare earth elements like dysprosium and terbium. These materials end up used in electronics, batteries, and aircraft.

Incident: McKim & Creed Engineering Firm Suffers Cyberattack

Raleigh, North Carolina-based McKim & Creed suffered a cyberattack on its network that disrupted some business aspects.
“On February 11, 2024, McKim & Creed discovered suspicious activity on certain computer systems, resulting in the disruption of certain business functions,” the company said in an advisory last week. “McKim & Creed immediately responded and launched an investigation with outside cybersecurity specialists to confirm the nature and scope of the incident and restore impacted computer systems to full, secure operability.
“Through the investigation, McKim & Creed learned that an unauthorized actor accessed its systems and may have viewed or acquired business data containing certain employee information between December 15, 2023 and February 11, 2024. McKim & Creed conducted a review of the data that was potentially viewed or acquired to determine whether it contained any sensitive information.
“While the review was ongoing, McKim & Creed notified certain impacted individuals of the incident on February 28, 2024. On May 3, 2024, McKim & Creed determined what personal information related to employees and dependents was included in the potentially impacted data set. After determining the scope of information in the potentially impacted files, McKim & Creed undertook efforts to locate address information for the affected individuals, put resources in place to assist, and provide direct notice.”

Reference: NC Engineering Firm Hit In Cyberattack
Victim: McKim & Creed

Raleigh, NC-based engineering services firm. McKim & Creed is an employee-owned firm with more than 800 staff members. It has offices in North Carolina, South Carolina, Florida, Virginia, Texas, Louisiana and Pennsylvania. The company started up in 1978 and specializes in civil, environmental, mechanical, electrical, plumbing, and structural engineering; industrial design-build services; airborne and mobile Lidar/scanning; unmanned aerial systems; subsurface utility engineering (SUE); and hydrographic and conventional surveying services for the energy, transportation, federal, land development, water and building markets.

Incident: Bimbo Bakeries USA Hit in Cyberattack

Horsham, Pennsylvania-based Bimbo Bakeries USA, Inc. and its affiliate Bimbo Foods Bakeries Distribution, LLC suffered a cyberattack on a server that processes information for the company and its affiliates.
On February 13, 2024, an affiliate of Bimbo Bakeries detected that an unauthorized third party gained remote access to a portion of the network used to process information for Bimbo Bakeries and its affiliates.
The investigation confirmed that on February 13, 2024 the unauthorized third party accessed a portion of the network used to process information for Bimbo Bakeries and its affiliates, including one server used to process personal information of employees and vendors, and obtained certain files containing personal information.

Reference: Cyberattack At PA Baked Goods Maker
Victim: Bimbo Bakeries USA, Inc. and its affiliate Bimbo Foods Bakeries Distribution, LLC

The largest bakery company in the United States.

Incident: Cyberattack at Tool Maker M.A. Ford Manufacturing

Tool maker M.A. Ford Manufacturing Company, Inc. suffered a cyberattack over a two-day period at the end of last year, but did not disclose it until May.
The incident affected 4,359 people, with information such as financial account numbers or credit/debit card numbers (in combination with the security code, access code, password or PIN for the account) falling into the hands of the attackers.
“On December 14, 2023, we discovered unusual activity on our network,” the company said in an advisory. “We immediately began an investigation, which included working with third-party specialists. Our investigation determined an unknown party accessed portions of our network between December 12, 2023 and December 14, 2023. Therefore, we conducted a review of our network to determine the type of information contained therein and to whom the information related."

Reference: Tool Maker Hit In Cyberattack
Victim: M.A. Ford Manufacturing Company, Inc.

Since 1919, Davenport, Iowa-based M.A. Ford has grown from a small midwest maker of rotary files to a manufacturer of standard, high performance and custom cutting tools with manufacturing and distribution facilities all over the world.

Incident: Key Tronic Shut Down in Ransomware Attack

Key Tronic confirms that personal information was compromised after a ransomware group leaked allegedly stolen data. The cybersecurity incident caused widespread operational disruptions. As a precautionary measure, the company suspended operations in the US and Mexico for two weeks, with no disruption to other international operations.

The Black Basta ransomware gang leaked 530GB of the company's stolen data.

Reference: Ransomware Attack Shuts Key Tronic Operations
Victim: Key Tronic Corporation

Contract manufacturer and printed circuit board assembly (PCBA) manufacturing giant.

Incident: Ransomware Attack at Schuette

Metal fabricator, Schuette Inc., fell victim to a ransomware attack in April and is now in the process of notifying its customers.
“On or around April 18, 2024, Schuette became aware of certain unauthorized activity within its computer systems,” the Rothschild, Wisconsin-based company said in a filing. “Upon discovery, we immediately secured the network and swiftly engaged a third-party team of forensic investigators in order to determine the full nature and scope of the incident. On May 14, 2024, following a thorough investigation, we discovered that a limited amount of personal information may have been accessed by an unauthorized third party in connection with this incident.
“At this time, there is no indication that any information has been misused. However, we are providing this notification to you out of an abundance of caution and so that you may take steps to safeguard your information if you feel it is necessary to do so,” the company said.
In the filing, Schuette described the breach as a ransomware attack affecting 1,122 people.

Reference: WI Metal Fabricator Hit In Ransomware Attack
Victim: Schuette Metals Inc.

Schuette Metals is a full-service metal fabricator that manufactures components used in finished products by various OEMs in sectors, including architectural, agricultural, construction, defense, industrial, and access equipment.

Incident: Cyberattack at Cambrex Corporation

Reference: Cyberattack At NJ Pharma Contract Manufacturer
Victim: Cambrex Corporation

Cambrex is a global contract development and manufacturing organization (CDMO) that provides drug substance, drug product, and analytical services across the entire drug lifecycle.

Incident: Cyberattack at Phillips Screw Company

Amesbury, Massachusetts-based The Phillips Screw Company suffered a “sophisticated” cyberattack that disrupted its day-to-day operations.
The intrusion began on December 11 last year; the company disclosed it in a filing on May 10.
“The Phillips Screw Company detected a sophisticated cybersecurity incident that impacted our network on December 18, 2023,” the company said in a filing. “Due to this incident, we experienced limited disruption to our day-to-day operations and worked as quickly as possible to remediate and resume full business functionality. In doing so, we took immediate steps to mitigate the threat, including taking certain systems offline.”
The company said the threat actor was able to gain access and stayed on the system from Dec. 11 through Dec. 18.

Reference: MA Fastener Firm Suffers Cyberattack
Victim: The Phillips Screw Company

The Phillips Screw Company designs and engineers proprietary fastener technology, including high-performance drive systems for fastening applications in aerospace, automotive, DIY and trade, electronics, industrial, marine, military and header tools and gauging markets.

Incident: Ransomware attack at Lewis Brothers Bakeries

Evansville, Indiana-based Lewis Brothers Bakeries Inc. (LBBI) suffered a ransomware attack in March where files and servers ended up encrypted and threat actors were able to steal information from the network.
In a notice, the company said attackers encrypted certain files on its servers and that the attack affected 13,501 people.
“LBBI immediately launched an investigation into the nature and scope of this activity, with the assistance of third-party forensic specialists,” the company said. “The investigation determined there was unauthorized access to the LBBI network between March 25, 2024, and April 1, 2024, during which time certain files were copied and taken from the network.
“LBBI undertook a comprehensive review of all data that was potentially subject to unauthorized access in order to identify the type of information impacted and to whom the information related. On April 18, 2024, LBBI completed this review.”

Reference: IN Bakery Hit In Ransomware Attack
Victim: Lewis Brothers Bakeries Inc.

Lewis Brothers Bakeries manufactures fresh and frozen bread and bread-type rolls, cakes, pies, and other perishable bakery products.

Incident: Cyberattack at Craft Beer Co.

Craft Beer Company GP, including its subsidiaries Duvel Moortgat USA, Ltd., Boulevard Brewing Company, and Brewery Ommegang, Ltd., fell victim to a cyberattack in March.
The attack led to the release of personal information to a third party for up to 1,584 people, according to a notice the Kansas City, Missouri-based company released May 8.
“On March 5, 2024, we discovered that an unauthorized third party gained access to our network,” the company said in a notice. “Upon becoming aware of the incident, we took immediate action to contain the incident and respond to it. Specifically, we promptly isolated all sites, shut down servers, and disconnected our system from the Internet.
“We also launched an internal investigation, contacted law enforcement, and engaged external cybersecurity forensic experts to conduct an external investigation into this intrusion and help to further secure our systems against any additional potential vulnerabilities."

Reference: Craft Beer Firm Hit In Cyberattack
Victim: Craft Beer Company GP

Beer manufacturer based in Kansas City, MO. Its subsidiaries include: Duvel Moortgat USA, Ltd., Boulevard Brewing Company, and Brewery Ommegang, Ltd.

Incident: Ransomware Attack at Nissan North America

Franklin, Tennessee-based Nissan North America, Inc. (NNA) is only now notifying workers and customers of a ransomware attack that hit the company on November 7, 2023.
The targeted attack on an external VPN shut down some systems and affected 53,038 people; the company determined on February 28, 2024 whose personal information had been accessed.
The company said in a report released Wednesday (May 15), “on November 7, 2023, NNA learned it was the victim of a targeted attack against its external VPN when a criminal threat actor deliberately shut down certain NNA systems and demanded a ransom.
“Immediately upon discovering the criminal attack, NNA (working very closely with external cybersecurity professionals experienced in handling these types of complex security incidents) investigated, contained, and successfully terminated the threat."

Reference: Nissan North America Hit In Ransomware Attack
Victim: Nissan North America

A wholly owned subsidiary of Nissan Motor Corporation of Japan.

Incident: Frontier Communications Hit in Attack

Telecom provider, Frontier Communications, suffered an attack from a cybercrime group that was able to get into some of its IT systems which also led to operational disruptions “considered material.”
After discovering the incident on April 14, the company said it partially shut down some systems to prevent the attackers from moving across the network, which also led to some operational disruptions.
The company said in an 8-K filing to the Securities and Exchange Commission (SEC), “On April 14, 2024, Frontier Communications Parent, Inc. detected that a third party had gained unauthorized access to portions of its information technology environment.
“Upon detection, the Company initiated its previously established cyber incident response protocols and took measures to contain the incident. As part of this process, the containment measures, which included shutting down certain of the Company’s systems, resulted in an operational disruption that could be considered material. Based on the Company’s investigation, it has determined that the third party was likely a cybercrime group, which gained access to, among other information, personally identifiable information."

Reference: Frontier Communications Attacked, Suffers ‘Material’ Disruptions
Victim: Frontier Communications

Frontier is a major communications provider which provides gigabit Internet speeds over a fiber-optic network to millions of consumers and businesses across 25 states.

Incident: Cyberattack at Indiana Water Plant

A wastewater treatment plant in Indiana suffered a cyberattack Friday, forcing maintenance personnel to investigate the nature of the incident.
“We were targeted and we have not been compromised,” said Jim Ankrum, general manager of Tipton Municipal Utilities (TMU) in a CNN report. TMU provides electricity, water and wastewater treatment for Tipton, a town of 5,000 people that is about 40 miles north of Indianapolis. “TMU experienced minimal disruption and remained operational at all times.”
A Russia-linked hacking group claimed responsibility, according to the report. The same group claimed credit for a string of hacking incidents against water facilities in Texas earlier this year.

Reference: IN Water Plant Hit In Cyberattack
Victim: Tipton Municipal Utilities

Tipton Municipal Utilities provides electricity, water and wastewater treatment for Tipton, Indiana, a town of about 5,000 people roughly 40 miles north of Indianapolis.

Incident: Nexperia, Chip Maker Suffers Cyberattack

Netherlands-based chip manufacturer Nexperia suffered a cyberattack last week, and a ransomware group leaked samples of data it claims to have stolen from the semiconductor maker's servers.
The company said on Friday that it had shut down IT systems and launched an investigation to determine the scope of impact.
In a statement, Nexperia said: “Nexperia has become aware that an unauthorized third party accessed certain Nexperia IT servers in March 2024.
“We promptly took action and disconnected the affected systems from the Internet to contain the incident and implemented extensive mitigation. We also launched an investigation with the support of third-party experts to determine the nature and scope of the incident and took strong measures to terminate the unauthorized access."

Reference: Chipmaker Nexperia confirms breach after ransomware gang leaks data
Reference: Chip Maker Nexperia Hit In Attack
Victim: Nexperia

Nexperia is a global semiconductor company – and a subsidiary of Chinese company Wingtech Technology – with over 15,000 employees across Europe, Asia, and the United States. Nexperia’s components enable the basic functionality of virtually every electronic design in the world, from automotive and industrial to mobile and consumer applications. The company serves a global customer base, shipping more than 100 billion products annually.

Incident: Attack Shuts Down Production at Lens Maker Hoya

Production of several of Hoya Corp.’s products shut down after a system failure, which was most likely the result of “unauthorized access” to its servers, company officials said Thursday.
Japanese lens maker Hoya said the company discovered a system discrepancy in one of its overseas offices Saturday and confirmed the disruption despite its efforts to isolate affected servers.
“The day before yesterday (March 30), we learned that the Group’s head quarter and several of its business divisions have experienced an IT system incident,” the company said in a statement they issued Monday. “The Company will work closely with each of its business divisions and sites, as well as with outside experts, to identify the nature and scope of the incident and to restore the situation as soon as possible.”

Reference: Production Shut Down For Lens Maker After Cyberattack
Victim: Hoya Corp.

Hoya is the world’s second-largest eyeglass lens maker, with 90 percent of its eyewear lens sales earned from outside of Japan, according to its latest annual report. A Hoya spokesperson declined to say whether any of the company’s other optical products, including components for chipmaking equipment and hard disc drives, ended up affected by the disruption.

Editorial: 2024 Threat Report
Incident: Acer Confirms Employee Data on Hacker Platform

Acer Philippines confirmed that employee data was stolen in an attack on a third-party vendor who manages the company's employee attendance data. "Earlier today a threat actor known as 'ph1ns' published a link to download a stolen database containing Acer employee data for free on a hacking forum."

Reference: Acer confirms Philippines employee data leaked on hacking forum
Incident: Data Breach at Telco Tangerine Impacts 230K Individuals

Tangerine suffered a data breach that exposed the personal information of roughly 230,000 individuals. Tangerine management became aware of the incident 2 days after the breach, on Tuesday 20 February 2024.

The telecommunications provider pointed out that no financial information (credit or debit card numbers, banking details) has been compromised. The attack did not affect the availability or operation of their nbn® or mobile services.

Victim: Tangerine

Australian telecommunications provider Tangerine

Reference: Australian telecommunications provider Tangerine disclosed a data breach that impacted roughly 230,000 individuals.
Incident: Operations Impacted at Top Pediatric Hospital in US

Lurie Children’s Hospital in Chicago took IT systems offline after a cyberattack. The security incident severely disrupted normal operations and delayed medical care. Lurie confirmed that the attack cut off the hospital’s access to the internet, email, phone services, and the MyChart patient portal. “The incident has impacted phones, emails, internet service, some elective surgeries and procedures even had to be canceled.”

Victim: Lurie Children’s Hospital

Lurie Children’s Hospital is one of the top pediatric hospitals in the United States. Formerly known as Children’s Memorial Hospital, it was renamed in recognition of Ann and Robert H. Lurie, who made a significant donation to the hospital.

Incident: Operations Disrupted in Cyberattack at Building Materials Manufacturer Simpson Strong-Tie Co.

Building and structural materials producer Simpson Strong-Tie Co. Inc. is only now alerting customers, in a letter dated March 19, about a cyberattack it suffered back in October 2023. From October 9 to October 11 the attackers had access to data that included personal information about certain individuals. At the time of the attack the company detected IT problems and application outages, which it soon realized were the result of a cyberattack. In response, Simpson took all impacted systems offline.

“The incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations,” the company said in the report.

Victim: Simpson Strong-Tie Co. Inc.

Building and structural materials producer

Reference: CA Building Products Maker Releases Attack Info
Incident: Data Security Incident at Sierra Lobo (SLI), a US Aerospace Engineering Firm

Fremont, Ohio-based Sierra Lobo, Inc. (SLI) suffered a data security incident that it believes began before it patched a vulnerability in its remote access tool. Patching closes the entry point but does not evict an attacker who already has a foothold, which is why a patch applied after exploitation has to be paired with a compromise assessment.

"Based upon the forensic investigation, this cybersecurity incident commenced through the exploitation of a vulnerability in our remote access tool, ScreenConnect. Despite the immediate application of a patch addressing the identified vulnerability, subsequent investigations suggest that the system remained compromised, indicating that the initial breach occurred prior to the patch application."

Victim: Sierra Lobo, Inc. (SLI)

Sierra Lobo, Inc. (SLI) is an engineering and technical services company specializing in creating and managing innovative space and aerospace technologies based in Fremont, Ohio, USA

Reference: Aerospace Engineering Firm Hit In Cyberattack
Incident: Southwest Binding & Laminating Hit by Ransomware Attack

Missouri-based Southwest Plastic Binding Company, known as Southwest Binding & Laminating, suffered a ransomware attack at the beginning of February that may have exposed personal information, company officials said.

On February 1, Southwest noticed unusual activity on its internal network from a Southwest domain account with administrator privileges. The company immediately began investigating the incident. “We responded by immediately taking all servers offline. Additionally, on this same day, remediation efforts began, including efforts to restore critical business files and services."

Victim: Southwest Plastic Binding Company

Southwest Plastic Binding Company, MO

Reference: Plastic Binding Maker Hit In Ransomware Attack
Reference: Data Breach Notifications (Fincantieri)
Reference: Ransomware Hits Navy Contractor
Reference: Ransomware attack on US Navy shipbuilder leaked information of nearly 17,000 people
Incident: Massive Data Leak after Cyberattack at Kenya Airways

Kenya Airways appears to have been hit by a cyberattack by the Ransomexx ransomware group on December 30, 2023, leading to a massive leak of highly sensitive and confidential data, which the group uploaded to the dark web.

The airline is now dealing with the aftermath of a targeted attack that exposed sensitive information. The leaked documents cover a wide array of highly sensitive material: aircraft accident reports, investigation reports into employee misconduct such as fraud, theft and policy violations, confidential agreements, insurance policies, passwords, and customer complaints.

Threat Actor: Ransomexx

Ransomexx ransomware group is a Human-Operated Ransomware (HumOR) that has existed since May 2020.

Victim: Kenya Airways

Kenya Airways

Reference: Data Breach: Kenya Airways Hacked, Sensitive And Confidential Files Leaked
Reference: Kenya Airways Faces Ransomware Attack
Incident: Data Security Breach at Alkem Laboratories

Alkem Laboratories, a major pharmaceutical company, acknowledged a cybersecurity incident that resulted in a fraudulent transfer of $6.2M from one of its subsidiaries. The breach involved compromising the business email IDs of some employees at the subsidiary, though the exact details of the security breach were not disclosed by Alkem.

Reference: Alkem Labs Cybersecurity Incident Disclosed
Reference: Pharma Giant Alkem Laboratories Faces Security Breach, Rs 52 Crores at Stake
Victim: Alkem Laboratories

Alkem Laboratories, a major pharmaceutical company

Incident: Cyberattack Targets Bazan Group’s Digital Infrastructure

Anonymous Sudan, a notorious hacking group, has claimed responsibility for a substantial cyberattack on Bazan Group, formerly known as Oil Refineries Ltd, Israel’s primary oil refining and petrochemicals company. The attack targeted the digital infrastructure of Bazan Group, raising concerns about potential implications for Israel’s economic powerhouse. While the hacking collective declared a major cyber offensive, Bazan Group confirmed a temporary and minor connectivity slowdown, emphasizing no damage to business or operational processes.

Reference: Anonymous Sudan Targets Bazan Group
Incident: Network Disruptions after Cyberattack on Israel’s Mobile Service Provider, Pelephone

Hacktivist group Anonymous Sudan has claimed responsibility for a cyberattack on Israel’s largest mobile service provider, Pelephone, which it said disrupted the company's network and digital infrastructure. The group declared the attack part of its ongoing campaign against prominent Israeli targets, specifically naming Pelephone’s critical systems, including SCADA and other infrastructure endpoints.

Anonymous Sudan claimed that the attack took practically all of Pelephone’s digital infrastructure offline.

Victim: Pelephone

Israeli cellphone provider

Reference: Israeli Cellular Provider Pelephone Hacked
Incident: Ukrainian Oil and Gas Company Naftogaz Hit by Cyberattack

State-owned critical infrastructure companies in Ukraine fell victim to cyberattacks on Thursday, with the largest oil and gas company, Naftogaz, being among the targets. The cyber assailants targeted Naftogaz’s data center, leading to the complete inactivity of the company’s website and call centers.

As of the latest update, specialists from Naftogaz are actively working to resolve the incident, promising further comments on the nature of the attack. Naftogaz, a cornerstone of Ukraine’s energy industry employing 100,000 people and supplying gas to over 12 million households, faces a critical situation, and the motive and identity of the attackers remain unclear.

Victim: Naftogaz

Naftogaz is a cornerstone of Ukraine’s energy industry employing 100,000 people and supplying gas to over 12 million households

Reference: Naftogaz Operations Halted Amid Cyber Crisis
Reference: Outages due to a cyber attack on the “Parkovy” data center [machine translated]
Incident: Phishing Attack Hits South African Railways

South Africa’s railway agency, PRASA, recently disclosed a significant loss of $1.6 million due to a phishing scam in its annual report. Despite efforts to recover the stolen funds, just over half has been successfully retrieved, leaving the investigation ongoing. While details of the attack remain undisclosed, security experts suspect insider involvement, underscoring the importance of addressing insider threats within organizations.

Victim: Passenger Rail Agency of South Africa [PRASA]

South African Railways

Reference: Passenger Rail Agency of South Africa – annual report
Reference: South African Railways Phishing Scam
Incident: Hacktivists Claim DDoS Attacks on State-Owned Airline Flydubai

The self-proclaimed hacktivist operation Anonymous Sudan claimed to have subjected Flydubai, the United Arab Emirates' government-owned airline, to several distributed denial-of-service attacks.

FlyDubai has yet to respond to the claimed compromise by Anonymous Sudan.

Reference: Anonymous Sudan allegedly conducted a cyber attack on FlyDubai and disrupted its network
Reference: Flydubai targeted by Anonymous Sudan DDoS attacks
Reference: A ransomware-type cyber attack affected hospitals in Romania
Incident: SAS Scandinavian Airlines’ App Compromised by a Cyberattack

SAS Scandinavian Airlines was hit by a cyber attack on February 14th, compromising its app. The airline was said to be working on a solution, with reports saying that the problem was fixed to a large extent. Still, SAS warned that the attack may have targeted customer data following the breach.

Reference: Hackers Target SAS Network And Compromise App
Reference: SAS Cyber Attack Chaos
Incident: Lockbit Demands $100K after Ransomware Attack at UAE Telecoms Group

Etisalat, the state-owned Emirates Telecommunications Group Company in the UAE, is reportedly grappling with a ransomware attack attributed to the LockBit ransomware group. The attackers are demanding $100,000 for the stolen data, with a deadline of April 17.

LockBit has posted data it says belongs to Etisalat on its leak site and is demanding the $100,000 ransom to keep it from being released. Etisalat's official website remains accessible, raising doubts about the validity of LockBit's claims.

Victim: Etisalat

Etisalat UAE Telecom company

Reference: Etisalat Hit by Lockbit Ransomware
Reference: UAE Telecom Giant ETISALAT Hit by LockBit, $100K Demanded for Data Release
Incident: DDoS Attack Disrupts Copenhagen Airport

The Copenhagen airport experienced a significant cyberattack on a Sunday, causing widespread chaos as Denmark’s largest airport grappled with the aftermath. Identified as a denial of service (DoS) attack, the attack targeted the airport’s digital infrastructure, rendering its official website inoperative and leaving passengers and officials struggling for alternatives.

Airport authorities redirected passengers to a smartphone app for flight updates, highlighting the vulnerability of critical systems and the disruptive potential of cyber threats.

Victim: Copenhagen Airport

Copenhagen Airport

Reference: Cyberattack Hit Copenhagen Airport
Incident: Cyberattack at Macedonian Electricity Transmission Operator (MEPSO)

The Electricity Transmission System Operator of the Republic of North Macedonia (MEPSO) said it is dealing with a cyberattack, but stressed in a press release Thursday that the integrity of the power grid and the supply of electricity have not been threatened.

The state-owned company said its critical energy infrastructure was not the target of the attack and it remains secure and fully functional.

Reference: MEPSO is facing a cyberattack, the network and power supply are not threatened
Victim: MEPSO

Electricity Transmission System Operator of the Republic of North Macedonia (MEPSO)

Reference: MEPSO hit by cyberattack, power grid and electricity supply not threatened
Incident: Belgian Coffee Roaster Suffers Cyberattack

Koffie (coffee) Beyers from the Belgian town of Puurs-Sint-Amands has fallen victim to a cyber attack. Hackers managed to break into the company’s computer systems on Thursday. The coffee roaster itself declined to comment on the events. Police have confirmed that an investigation is underway.

Earlier in the week there was the ransomware attack on Duvel Moortgat, and the pro-Russian hacker group Stormous Group was behind it. It remains to be seen if they are also behind this attack. Cybercriminals are clearly targeting Belgian beverage producers this week.

Victim: Koffie Beyers

Koffie Beyers, Belgium's largest coffee roaster.

Reference: Belgium’s largest coffee roaster falls victim to cyber attack
Reference: Belgian village whose brewery was hit by cyberattack faces another on its coffee roastery
Incident: German Railway Company Transdev Website Access Restricted

A cyberattack on the railway operator Transdev temporarily restricted access to the websites of Nordwestbahn and Rhein-Ruhr-Bahn on Monday and Tuesday.

The attackers directed a spam wave at the forms on the Nordwestbahn page on Monday morning, Transdev said on Tuesday when asked. The protective measures were gradually scaled back the next day. "The Rhein-Ruhr-Bahn website is accessible again without problems. Only on the Nordwestbahn website are increased protective measures still in place, and these are still being adjusted," the company said.

Reference: Spam wave hits Nordwestbahn and Rhein-Ruhr-Bahn
Victim: Transdev

Railway company Transdev

Incident: Hyundai Motor Europe Suffered Black Basta Ransomware Attack

Car maker Hyundai Motor Europe suffered a Black Basta ransomware attack, with the threat actors claiming to have stolen three terabytes of corporate data. Hyundai confirmed to BleepingComputer that it suffered a cyberattack.
BleepingComputer reports that the Black Basta ransomware operation conducted the attack in early January, when it claimed to have stolen 3 TB of data from Hyundai Motor Europe.

Reference: Hyundai Motor Europe hit by Black Basta ransomware attack
Incident: Hackers Attempt Communications Take Over on El Al Flights

At least two planes from Israel's El Al Airlines suffered hacking attempts from "hostile elements," according to several Israeli news outlets. The Jerusalem Post reported that "hostile elements" tried to take over the communications network of an El Al plane flying from Phuket, Thailand, to Ben-Gurion airport in Israel on Saturday night.

During the incident, the crew received instructions that differed from their planned route, raising concerns that someone was trying to damage the plane, lead it into dangerous areas, or even hijack it.

El Al stressed that "the disturbances are not aimed at El Al planes and that this is not a security incident. The disruption did not affect the normal course of the flight."

No group has claimed responsibility for the reported hacking attempts.

Reference: Israeli Planes Targeted in Attempted Takeover
Reference: Israeli flight from Thailand faced attack by ‘hostile elements’
Victim: El Al Airlines

Israeli airline El Al

Incident: More than 100 Hospitals Offline in Romania

Over a hundred Romanian healthcare facilities have been affected by a ransomware attack, with some doctors forced to resort to pen and paper. Children's and emergency hospitals were among those hit, with other facilities going offline as a precaution. 25 hospitals were confirmed affected by the attack, and 79 other healthcare facilities were taken offline while investigators determined whether they had been affected.

The cyber extortionists demanded 3.5 Bitcoin, worth over £130,000, to unlock vital files which they had encrypted. But Romanian cyber officials said data had been recently backed up, reducing the impact.

Victim: Hipocrate Information System (HIS)

Romanian Hospital Health information system : Hipocrate Information System (HIS),

Malware: Backmydata ransomware

Backmydata ransomware gains initial access through exposed Remote Desktop Protocol (RDP) services, typically by guessing weak credentials. Once it has a foothold, it establishes persistence, disables firewalls, exfiltrates data and then encrypts it. It also deletes backups to prevent victims from restoring their systems without paying the ransom. It was linked to the Romanian hospital attacks in February 2024.
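The RDP password-guessing stage described above leaves a recognisable trace in the Windows Security log before any encryption starts: a burst of failed logons (Event ID 4625) from one source address, followed by a successful logon (Event ID 4624) from the same address. The following detector is an added example written for this page; it is not code from the Backmydata analysis or from any of the referenced reports. It assumes a CSV export of Security events with the columns shown (timestamp, event_id, logon_type, source_ip, account) and the sample log lines are constructed, not real data.

```python
"""Flag RDP brute-force bursts in a CSV export of Windows Security events.

Added example for this page (not from the original write-up). Assumed input
format: one event per line with the columns timestamp, event_id, logon_type,
source_ip, account. Logon type 10 is RemoteInteractive (RDP). Caveat: on hosts
with Network Level Authentication enabled, failed RDP logons are often logged
as logon type 3, so a production rule would widen RDP_LOGON_TYPES accordingly.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5            # failed logons from one IP ...
WINDOW = timedelta(seconds=60)   # ... within this sliding window
RDP_LOGON_TYPES = {"10"}         # add "3" for NLA-fronted hosts (see docstring)

# Constructed sample data: one IP guesses six accounts in 21 seconds and then
# logs in as "backup"; a second IP fails once; a third logs in cleanly.
SAMPLE_LOG = """timestamp,event_id,logon_type,source_ip,account
2024-02-10T02:00:01,4625,10,203.0.113.7,administrator
2024-02-10T02:00:04,4625,10,203.0.113.7,admin
2024-02-10T02:00:08,4625,10,203.0.113.7,root
2024-02-10T02:00:12,4625,10,203.0.113.7,guest
2024-02-10T02:00:17,4625,10,203.0.113.7,user
2024-02-10T02:00:22,4625,10,203.0.113.7,backup
2024-02-10T02:00:31,4624,10,203.0.113.7,backup
2024-02-10T02:05:00,4625,10,198.51.100.9,jsmith
2024-02-10T03:00:00,4624,10,192.0.2.5,jsmith
"""


def parse_events(text):
    """Parse the CSV export into dicts with a datetime timestamp, sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    rows.sort(key=lambda r: r["timestamp"])
    return rows


def detect_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return {source_ip: {"failures": n, "accounts": [...], "success_account": str|None}}.

    An IP is flagged once it produces `threshold` failures inside `window`.
    A later 4624 from a flagged IP, while failures are still inside the window,
    is recorded as the account the attacker ended up with.
    """
    recent = defaultdict(deque)      # ip -> timestamps of failures inside window
    tried = defaultdict(set)         # ip -> account names guessed
    flagged = {}
    for ev in events:
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip, ts = ev["source_ip"], ev["timestamp"]
        q = recent[ip]
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if ev["event_id"] == "4625":
            q.append(ts)
            tried[ip].add(ev["account"])
            if ip in flagged:
                flagged[ip]["failures"] += 1
                flagged[ip]["accounts"] = sorted(tried[ip])
            elif len(q) >= threshold:
                flagged[ip] = {"failures": len(q),
                               "accounts": sorted(tried[ip]),
                               "success_account": None}
        elif ev["event_id"] == "4624" and ip in flagged and q:
            # success while the burst is still inside the window: the foothold
            flagged[ip]["success_account"] = ev["account"]
    return flagged


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failures over {info['accounts']}, "
              f"success as {info['success_account']}")
```

The sliding window keeps the rule cheap enough to run over a day of logs from a jump host; the success-after-burst condition is what separates a noisy scanner from an actor who now holds valid credentials, which is the moment to isolate the host and check for the firewall changes and backup deletion described above.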

Reference: Ransomware attack hits dozens of Romanian hospitals
Reference: Hospitals offline across Romania following ransomware attack on IT platform
Incident: Alamos Gold Mining Company Discloses 2023 Databreach

Alamos Gold (TSX: AGI; NYSE: AGI) fell victim to a cyberattack that saw confidential corporate data get disclosed to the public last year, according to an exclusive scoop by Toronto-based newspaper The Star.

The data breach took place some time in April 2023. The data included sensitive information such as social insurance numbers, payroll reports, financial information, and home addresses and cell numbers for senior executives, all of which were published online by the hackers, the report said.

Victim: Alamos Gold

Mining company

Reference: Alamos Gold fell victim to cyberattack last year – report
Incident: Radiant Logistics Isolates Canadian Operations after Cyberattack

Radiant Logistics, an international freight technology company said it has cut off a portion of its business in Canada after a cyberattack. The Company proactively took measures to isolate its Canadian operations from the rest of its network. The incident has caused service delays for customers in Canada.

Despite the shutdown, the company's filing says the incident is not "reasonably likely to materially impact the Company's financial conditions." No ransomware gang has taken credit for the incident.

Victim: Radiant Logistics

Radiant Logistics is an international freight technology company

Reference: International freight tech firm isolates Canada operations after cyberattack
Incident: Cyberattack Affects Communications at KCATA Transit

A ransomware attack hit the KCATA early on Tuesday, January 23. The agency's website notes: "The primary customer impact is that regional RideKC call centers cannot receive calls, nor can any KCATA landline. All service is operating, including fixed-route buses, Freedom and Freedom-On-Demand paratransit service. KCATA is working around the clock with our outside cyber professionals and will have systems back up and running as soon as possible."

Victim: KCATA – Kansas City Area Transportation Authority

Kansas City Area Transportation Authority

Reference: Cyber-Attack hits KCATA. Communications affected.
Incident: Weeks of Operational Shutdown at Welch Foods Plant

A cyberattack shut down production at the Welch Foods Inc. plant in North East, Pennsylvania, on Feb. 2. The plant restarted its jam and jelly production lines at the end of February.

About 50 or 60 employees, members of Teamsters Local 397 in Erie, remained on the job throughout February, while over 200 employees were laid off.

Victim: Welch Foods

Welch Foods

Reference: Welch plant in North East restarts after cyber attack shuts facility down for 3 weeks
Incident: International Paper takes Mill Operations Offline after Cyberattack

International Paper is in the process of starting up its Riegelwood Mill after shutting it down due to a cyberattack, a company spokesperson said Thursday morning.

"Late last week, we experienced a cyberattack event on our operating systems at our mill in Riegelwood, N.C.," IP spokesperson Kimberly Clewis wrote in a statement. "Thankfully, everyone at the mill is safe and there have been no environmental issues."

The statement said that "out of an abundance of caution, we coordinated an orderly shutdown of the mill to resolve the issue and are in the process of starting up the mill."

Clewis said the attacker accessed International Paper's system through a third-party vendor "and did not directly target our company or mill. This event impacted only a limited set of manufacturing systems at the Riegelwood Mill. No other mills, locations or systems were affected."

Reference: International Paper Riegelwood Mill shuts down after ‘cyberattack’
Incident: Continental Aerospace Discloses Cyberattack

Continental Aerospace is under a cyberattack, according to its website. The engine manufacturer recently posted a website banner announcing that it is experiencing an ongoing cyberattack that is impacting operations at its Mobile, Alabama headquarters.

The notice, posted on 20 February, reads: "Continental US operations were recently impacted by a cyber incident affecting daily operations based in Alabama. Continental is actively engaged with a team of experts who are working to resolve the issues as quickly as possible and expects to resume full operations soon."

Continental has not said when the cyberattack will end, nor how widely disruptive the event has been to its daily operations. The US engine OEM has also not yet said whether a data breach has occurred.

Reference: Continental Hacked
Victim: Continental Aerospace

based in Mobile, Alabama

Reference: Continental Aerospace under cyberattack
Incident: Emergency Services Communication System in Kansas down due to cyber incident

Riley County's P25 public safety radio communication system lost connection early this morning as part of a cybersecurity incident. Emergency responders in Riley County are currently using the backup state system for emergency communications. P25 (Project 25) is a digital radio standard for public safety agencies that allows interoperable, multi-agency communications during an emergency.

This radio network issue is affecting all first responders in Riley County, including police, fire, and emergency medical services. However, this connection problem does not impact the public or 911 systems. Dispatch operators are able to receive calls, dispatch resources, communicate with emergency responders, and activate outdoor warning sirens.

The Riley County Board of County Commissioners met and made a local declaration of a disaster emergency in response to the cybersecurity incident.

Reference: Riley County emergency responders using backup radios due to cybersecurity incident
Victim: Kansas, US – Riley County

Kansas, US - Riley County

Reference: Riley County Emergency Responders Using Backup Radio System
Incident: Hackers Attack Alzura, German Tire Trading Company

The online tire and parts retail giant Alzura has fallen victim to a hacker attack. According to the company, dealer accounts on Alzura Tyre24 as well as the white label solutions “Tyre Shopping” and “Alzura Shop” are among those affected by the latest hacker attack.

Reference: Hacker attack on tire trading giant Alzura
Victim: Alzura Tyre24

A large part of the B2B trade in tires takes place via the Alzura Tyre24 platform.

Incident: Cyberattack on Hearing Aid Manufacturer in Germany

The German hearing aid manufacturer Kind has been the target of a hacker attack. In addition to the headquarters near Hanover, communication with more than 600 specialist stores was also affected, said a company spokesperson. There are currently no indications that customer data has been stolen. The systems were shut down immediately and it is hoped that this has averted greater damage.

Victim: Kind, hearing aid manufacturer

German hearing aid manufacturer Kind

Reference: Cyberattack hits German hearing aid manufacturer
Reference: 600 stores affected: Hacker attack paralyzes hearing aid manufacturer Kind
Incident: Data Breach at German Mechanical Engineering Company

Graebener Bipolar Plate Technologies, a pioneer in the development of manufacturing technologies for bipolar plates, reported that between December 1 and December 3, 2023, its IT systems were attacked and parts of its databases were accessed. "All of our employees can still be reached via the usual communication channels (email and telephone). Our production processes are not affected and emergency operations have already been successfully resumed. In the coming weeks we will be strengthening some additional security measures to ensure the stability and integrity of our corporate IT."
[machine translated]

Black Basta Group has claimed responsibility for the attack.

Victim: Graebener Bipolar Plate Technologies

Graebener Bipolar Plate Technologies, a pioneer in the development of manufacturing technologies for bipolar plates

Reference: BlackBasta Ransomware Rampage Continues: NALS, Graebener, Among Latest Victims
Reference: Data protection incident at Gräbener Maschinentechnik GmbH & Co. KG
Incident: Cyberattack at German Automotive Supplier Allgaier

There was a hacker attack on the automotive supplier Allgaier in Uhingen. Production is not affected. The company and the insolvency administrator are not yet able to provide any further information.

Victim: Allgaier-Werke

German automotive supplier Allgaier-Werke

Reference: Allgeier SE: Allgeier clarifies
Reference: Press Release
Reference: EQS-Adhoc: Cyber attack on PSI
Incident: Ransomware Attack at German PSI Software, Critical Infrastructure Vendor

PSI Software SE, a German software developer for complex production and logistics processes, has confirmed that the cyber incident it disclosed last week is a ransomware attack that impacted its internal infrastructure. The IT systems and the extent of the impacts are currently being checked.

The company operates at a global level with a staff of more than 2,000 and specializes in software solutions for major energy suppliers.

Reference: Critical infrastructure software maker confirms ransomware attack
Victim: PSI Software SE

German Software company PSI Software provides control systems for energy control, operational management, network utilization, pipeline management and leak detection.

Incident: Cyberattack on a mechanical engineering company in Germany

Kampf GmbH reported they were the victim of a targeted and criminal cyber-attack on the morning of 24th February 2024, which partially encrypted their IT systems. "We immediately disconnected all external connections and shut down all IT systems. Currently, we are investigating the extent of the attack with the support of external cybersecurity experts and forensic specialists. We have informed all the relevant authorities and are cooperating with them in all matters."

Reference: Cyber Attack on Kampf GmbH
Victim: Kampf

Mechanical engineering company in Germany

Incident: Yakult Australia Confirmed Australian and New Zealand IT Systems Were Impacted

Iconic probiotic company Yakult Australia has been hit by a significant cyber attack that has seen its company records and sensitive employee documents, such as passports, published on the dark web.

The DragonForce group has claimed responsibility for the breach. A sample of the 95 gigabytes of data leaked, analysed by ABC Investigations, found company records dating back to 2001.

Victim: Yakult

Probiotic company Yakult Australia

Reference: Yakult Australia targeted in cyber attack, employee files published on dark web
Reference: Freight giant Estes confirms data breach, but says it won’t pay ransom
Incident: Massive Ransomware Attack at Tigo, Paraguay’s Largest Telco

A ransomware attack has wreaked havoc inside the network of Tigo, the largest mobile operator and internet service provider in Paraguay. The incident took place on January 4 and impacted the telco's Tigo Business division.

Reports stated that over 330 servers were encrypted, and backups were compromised during the attack. At least 300 companies and some government organizations were impacted downstream. The companies lost phone service and files hosted on Tigo servers.

The Tigo attack has been attributed by local media to a ransomware group named BlackHunt.

Victim: Tigo

Tigo is the largest mobile carrier in Paraguay, with its Tigo Business division offering digital solutions to the enterprise, including cybersecurity consulting, cloud and data center hosting, and wide area network (WAN) solutions.

Reference: Paraguay warns of Black Hunt ransomware attacks after Tigo Business breach
Reference: Ransomware wrecks Paraguay’s largest telco
Reference: Australia sanctions Russian national accused of hacking in Medibank data leak
Incident: Black Basta Group Claims Ransomware Attack at UK Water Treatment Company

Southern Water, a water treatment company serving millions across the United Kingdom, was the victim of a ransomware attack claimed by the Black Basta ransomware gang.

"At this point there is no evidence that our customer relationships or financial systems have been affected. Our services are not impacted and are operating normally," Southern Water said today. It's unclear where the root cause of the breach lies. Some documents leaked online are branded with Greensands logos – the parent company of Southern Water.

Black Basta said it stole 750 GB worth of data in total, comprised of personal data and corporate documents, which is consistent with the small sample leaked online.

Reference: UK water giant admits attackers broke into system as gang holds it to ransom
Victim: Southern Water

Southern Water, a water treatment company serving millions across the United Kingdom

Reference: Cyber investigation
Incident: Veolia Municipal Water Division Systems Impacted by Ransomware Attack

Veolia North America’s Municipal Water division reported a ransomware attack. After detecting the attack, Veolia has implemented defensive measures, temporarily taking some systems offline to contain the breach. Veolia is now working with law enforcement and third-party forensics experts to assess the extent of the attack's impact on its operations and systems.

Victim: Veolia group

Veolia North America provides water and wastewater services to roughly 550 communities and industrial water solutions at around 100 industrial facilities, treating over 2.2 billion gallons of water and wastewater daily at 416 facilities across the United States and Canada.

The transnational Veolia group has almost 213,000 employees globally and generated €42.9 billion in revenue in 2022, providing drinking water to around 111 million people and wastewater services to roughly 97 million. The same year, Veolia produced nearly 44 terawatt-hours of energy and treated 61 million metric tons of waste.

Reference: Water services giant Veolia North America hit by ransomware attack
Reference: Veolia North America and Southern Water hit by ransomware attacks, data breach concerns arise
Reference: Veolia Responds to Cyber Incident
Incident: Aviation Leasing Company Aercap Reports Ransomware Attack

AerCap, a global company that leases aircraft, engines and helicopters, reported this week that it was responding to a ransomware attack. In a filing on Monday with the U.S. Securities and Exchange Commission, the Ireland-based company said the impact of the January 17 incident was limited. “We have full control of all of our IT systems and to date, we have suffered no financial loss related to this incident,” AerCap said.

Victim: Aercap

Aviation leasing company AerCap has more than $72 billion in aviation assets on hand, including 1,700 aircraft, approximately 1,000 engines and over 300 helicopters.

Reference: Aviation leasing company AerCap investigates ransomware incident
Incident: Ransomware Attack at Iowa Water & Electric Utility Company

Muscatine Power and Water, an Iowa utility providing internet, TV, phone, water and electric services to more than 50,000 people in the Muscatine and Fruitland area, confirmed that a January ransomware attack led to the exposure of sensitive information from nearly all local residents.

The company said internet services on the night of the attack were down for eight hours and business systems were restored over several days. “Additionally, at no time were critical controls systems at the power plant or in the field at risk,” the company explained.

Victim: Muscatine Power and Water

Iowa electric water utility

Reference: Iowa electric, water utility says info of nearly 37,000 leaked in January ransomware attack
Incident: Global Pharmaceutical Co. Cencora Reports Discovery of Data Breach

Global pharmaceutical corporation Cencora discovered that intruders had stolen data from its networks. The company said in a regulatory filing that data from IT systems “had been exfiltrated” in an incident that came to light on February 21.

The event “has not had a material impact on the Company’s operations,” Cencora said. The regulatory filing did not specify the nature of the intrusion.

Victim: Cencora

Global pharmaceutical corporation Cencora (formerly known as AmerisourceBergen) is a Pennsylvania-based corporation with 46,000 employees and reported revenue of $262.2 billion for fiscal 2023.

Reference: Pharmaceutical giant Cencora reports cyberattack
Incident: Crinetics Pharmaceuticals Investigating Cyberattack

Crinetics, a San Diego pharmaceutical development company, said it is investigating a cybersecurity incident following claims from the LockBit ransomware gang that data was stolen.

The LockBit gang demanded a $4 million ransom and set a deadline of Mar. 23. Crinetics did not respond to questions about whether it was dealing with a ransomware attack.

Reference: Pharmaceutical development company investigating cyberattack after LockBit posting
Victim: Crinetics

Crinetics, a San Diego pharmaceutical development company

Incident: Ransomware Attack at Bira 91, Indian Craft Beer Brand

On March 22, Indian craft beer brand Bira 91 was attacked by ransomware group BianLian.
Despite absence of an official statement from the company, reports indicate potential data exposure encompassing sensitive information concerning finance, human resources and proprietary recipes.

The absence of stringent disclosure laws in India, particularly in non-regulated industries such as manufacturing and healthcare, leaves customers vulnerable to data breaches without adequate notification or recourse.

Victim: Bira 91

Indian craft beer brand

Reference: Story of Ransomware Attacks on Indian Listed Companies
Incident: Ransomware Attack at India's Largest Wire and Cable Maker

On March 17, Polycab India was targeted by LockBit ransomware group. According to Polycab, the incident did not impact the core systems and operations of India’s largest wire and cable maker. There was no mention of any ransom paid in the filing.

Victim: Polycab India

Polycab is India’s largest wire and cable maker.

Reference: Polycab, Motilal Oswal, Bira91 among latest companies to be hit by ransomware attacks
Victim: Carolina Foods

Carolina Foods, creator of the baked goods Duchess brand, a family owned business for 80 years. Duchess is a pastry manufacturer and their products include a variety of individually wrapped items including honey buns, baked pies, fried pies, and gem donuts.

Reference: Bittersweet: Charlotte honey bun maker hit with ransomware attack
Reference: North Carolina Honey Bun Maker Hit With Ransomware Attack
Incident: Fujitsu Caught in Cyberattack

Japanese multinational information and communications technology giant, Fujitsu Limited suffered a cyberattack. The company reported the incident March 15 when officials said they found malware on multiple computers within the organization.

"We confirmed the presence of malware on multiple work computers at our company, and as a result of an internal investigation, we discovered that files containing personal information and customer information could be illegally taken out," the company said in a statement.

Reference: Fujitsu Suffers Cyberattack
Victim: Fujitsu

Fujitsu is the world’s sixth largest IT services provider, with 124,000 employees and had revenues of $23.9 billion.

Incident: FL Boat Dealer MarineMax Hit in Cyberattack

One of the world's largest recreational boat and yacht retailers discovered earlier this week that it had suffered a cyberattack, but the company's operations remained up and running.
Clearwater, Florida-based MarineMax Inc. discovered the attack on March 10, 2024, said a third party had gained unauthorized access to portions of its information environment, and filed an 8-K with the Securities and Exchange Commission (SEC).
“MarineMax, Inc. determined on March 10, 2024, that it experienced a ‘cybersecurity incident,’ as defined in applicable Securities and Exchange Commission rules, whereby a third party gained unauthorized access to portions of its information environment,” the company said in the filing.

Reference: Boat Dealer MarineMax Hit by Cyberattack
Reference: MarineMax Boat Builder Hit In Cyberattack
Victim: MarineMax

One of the world's largest recreational boat and yacht retailers. MarineMax has over 130 locations worldwide, including about 80 retail dealership locations, some of which include marinas.

Incident: Switzerland: Federal Passwords and Classified Information Stolen

On May 23, 2023, the Play ransomware group claimed it had attacked Xplain, a Swiss IT firm providing services to several federal agencies in the country. The ransomware group leaked the files it stole from the company on June 1, which it claimed included 907 GB of financial and other data.

In March 2024, SWI reported that federal passwords and classified information were stolen in the 2023 cyberattack.

Victim: Xplain

Xplain, a Swiss IT firm providing services to several federal agencies in the country

Reference: Swiss Administration Hit By Cyber Attack
Reference: Switzerland warns that a ransomware gang may have accessed government data
Reference: Federal passwords and classified information stolen in 2023 cyberattack
Incident: Biggest Data Breach to-date in France Affects 50% of the Population

Two French service providers for medical insurance companies were targeted by a cyberattack. The hack has been determined to impact over 33 million people in the country. The "tiers payant," a payment system in which the patient doesn't have to pay the full cost of medical services upfront, may be unavailable for certain health professionals but still available for the patients.

While the exposed data does not include financial info, it is still enough to raise the risk of phishing scams, social engineering, identity theft, and insurance fraud for the exposed individuals.

Victim: Almerys

Almerys provide healthcare and insurance services in France with technological and administrative solutions to facilitate transactions

Victim: Viamedis

Viamedis provide healthcare and insurance services in France with technological and administrative solutions to facilitate transactions.

Reference: Data breaches at Viamedis and Almerys impact 33 million in France
Reference: Data of half the population of France stolen in its largest ever cyberattack. This is what we know
Incident: Belgian Duvel Brewery Halts Production after Ransomware Attack.

Duvel Moortgat Brewery is currently experiencing problems as a result of a cyber attack, which the brewery has confirmed. Production has been at least partially halted; the attack affected all of the brewery's servers, including those for its other Belgian beers such as De Koninck and La Chouffe.

A forensic investigation is underway into who might be behind the hacking.

Victim: Duvel Brewery

Duvel is a Belgian beer brand best known for its strong and fruity golden pale ale bearing the same name. The brewery also makes other popular abbey beers such as Vedett, Maredsous, and La Chouffe.

Reference: Duvel says it has ‘more than enough’ beer after ransomware attack
Reference: Duvel Moortgat Brewery victim of cyber attack: production and business shut down
Incident: Taiwan Semiconductor Manufacturer Hit by Lockbit Ransomware Gang

One of Taiwan's biggest semiconductor manufacturers has fallen victim to a cyberattack, supposedly carried out by the notorious LockBit ransomware gang. The hackers posted a threatening message on Foxsemicon’s website, stating that they had stolen its customers' personal data and would publish it on their darknet website if the company refused to pay. The company’s website, however, could not be accessed as of Wednesday afternoon Eastern U.S. time, while Google search results still display the hackers’ message

The tactic used in the attack on Foxsemicon is atypical for LockBit: Usually, they post the names of the victims on their extortion website rather than deface the company’s web page.

Reference: Foxsemicon Hit by LockBit Ransomware
Victim: Foxsemicon (FITI)

Foxsemicon Integrated Technology, Inc. (FITI) engages in the research, development, manufacture, and sale of semiconductor equipment and components

Reference: Steel Giant Hit In Cyberattack
Reference: Taiwanese semiconductor company hit by ransomware attack
Victim: Simpson Manufacturing Company

Simpson Manufacturing Company is an engineering firm and building materials producer in the United States that produces structural connectors, anchors, and products for new construction and retrofitting.

Incident: Schneider Electric Sustainability Business Hit by Cactus Ransomware Gang

Schneider Electric confirmed a ransomware attack that affected its Sustainability Business division. The attack disrupted some of Schneider Electric's EcoStruxure Resource Advisor cloud platform. The Cactus ransomware gang claims it stole 1.5 TB of data, and 25 MB of allegedly stolen data was leaked on the operation's dark web leak site today as proof of the claim. It is not known whether Schneider Electric will pay a ransom demand.

At a recent PASA Connect roundtable event, three of the 13 Chief Product Officers in attendance confirmed minor issues related to the incident.

Threat Actor: Cactus ransomware gang

The Cactus ransomware operation launched in March 2023 and has since listed numerous companies that it claims were breached in cyberattacks.

Like most ransomware operations, it breaches corporate networks through purchased credentials, partnerships with malware distributors, phishing attacks, or by exploiting vulnerabilities.

Reference: Supply chain disruption caused by Schneider Electric ransomware attack
Reference: Cactus ransomware claim to steal 1.5TB of Schneider Electric data
Reference: Schneider Business Unit Hit In Ransomware Attack
Reference: Schneider Electric, in ransomware recovery, faces claims of stolen data trove
Reference: Thyssenkrupp Auto Unit Hit by Cyberattack
Reference: Zurich Policyholder Dispute Highlights Danger of Calling Out Cyber Attackers: Opinion
Incident: Akira Group Attacks Finnish Tietoevry Causing Disruption Across Swedish Businesses

Finnish IT services and enterprise cloud hosting provider Tietoevry has suffered an Akira ransomware attack impacting cloud hosting customers in one of its data centers in Sweden. The attack encrypted the company's virtualization and management servers used to host the websites or applications for a wide range of businesses in Sweden.

Companies and services impacted by the attack include Sweden's largest cinema chain, Filmstaden; discount retail chain Rusta; building materials provider Moelven; farming supplier Granngården; Tietoevry's managed payroll and HR system, Primula (used by the government, universities, and colleges in Sweden); and numerous government agencies and municipalities.

Victim: Tietoevry

Tietoevry is a Finnish IT services company offering managed services and cloud hosting for the enterprise. The company employs approximately 24,000 people worldwide and had a 2023 revenue of $3.1 billion.

Reference: Tietoevry ransomware attack causes outages for Swedish firms, cities
Incident: Natanz and Fordow Facilities Closed Down "Automation Network" after New Worm Targeted Iran's Nuclear Program

Two of Iran's uranium-enrichment plants were struck by a cyberattack earlier this week that shut down computers and blared AC/DC songs, according to reports from Bloomberg News and others. The virus closed down the automation network at the Natanz and Fordow facilities, according to an e-mail received by F-Secure, a Finnish cybersecurity company, from a scientist at Iran's Atomic Energy Organization.

F-Secure Security Labs said that while it was unable to verify the details of the attack described, it had confirmed that the scientist who reported them was sending and receiving the e-mails from within Iran’s Atomic Energy Organization.

Victim: Fordow Fuel Enrichment Plant

Fordow Fuel Enrichment Plant is an Iranian underground uranium enrichment facility located 20 miles northeast of the Iranian city of Qom, near Fordow village, at a former Islamic Revolutionary Guard Corps base. The site is under the control of the Atomic Energy Organization of Iran.

Reference: Iran Nuclear Plants Hit By Virus Playing AC/DC
Reference: Iranian nuclear facilities are hit by AC/DC virus
Incident: Cyberattack Causes Widespread Disruptions at Pharmacies Across the United States

A ransomware attack has impacted more than 100 Change Healthcare services, including benefits verification, claims submission, and prior authorization. As soon as the breach was detected, Change Healthcare took the drastic step of disconnecting its systems to prevent further damage. Retail pharmacies, some now forced to revert to manual processing, face delays, sparking concerns among patients relying on timely medication.

The AHA (American Hospital Association) has advised health systems to disconnect from Change Healthcare and Optum services. Early reports attributed the breach to exploitation of vulnerabilities in the ConnectWise ScreenConnect remote IT platform and to LockBit malware; Reuters' sources later attributed it to the ALPHV/BlackCat ransomware group (see the Reuters references below). Either way, the incident underscores the vulnerability of consolidated healthcare data systems.

Victim: UnitedHealth Group Inc.

UnitedHealth Group Incorporated is an American multinational health insurance and services company based in Minnetonka, Minnesota

Reference: The Change Healthcare cyberattack is still impacting pharmacies. It’s a bigger deal than you think
Victim: Change Healthcare

Change Healthcare is a provider of revenue and payment cycle management that connects payers, providers, and patients within the U.S. healthcare system.

Reference: US pharmacy outage triggered by ‘Blackcat’ ransomware at UnitedHealth unit, sources say
Reference: Exclusive: US pharmacy outage triggered by ransomware at unit of UnitedHealth, sources say
Reference: Cyber Siege: The Attack on Change Healthcare Echoes the Colonial Pipeline Crisis, Shaking the U.S. Healthcare Sector
Incident: Trans-Northern Pipelines (TNPI) Says Able to Contain Ransomware Attack

Trans-Northern Pipelines (TNPI) has confirmed its internal network was breached in November 2023 and that it's now investigating claims of data theft made by the ALPHV/BlackCat ransomware gang.

"Trans-Northern Pipelines Inc. experienced a cybersecurity incident in November 2023 impacting a limited number of internal computer systems," TNPI Communications Team Lead Lisa Dornan told BleepingComputer. "We have worked with third-party cybersecurity experts and the incident was quickly contained. We continue to safely operate our pipeline systems."

Victim: Trans-Northern Pipelines (TNPI)

TNPI operates 850 kilometers (528 miles) of pipeline in Ontario-Quebec and 320 kilometers (198 miles) in Alberta, transporting 221,300 barrels (35,200 m³) of refined petroleum products daily.

Reference: Trans-Northern Pipelines investigating ALPHV ransomware attack claims
Reference: Canadian Oil Pipeline Hit With Ransomware
Incident: Hackers Breach Systems at Steel giant ThyssenKrupp

Steel giant ThyssenKrupp confirms that hackers breached systems in its Automotive division, forcing them to shut down IT systems as part of its response and containment effort. “The threat situation is under control, and we are working on a gradual return to normal operations,” a spokeswoman for the company said. While the shutdown halted production, she said, the company was still able to supply customers.

ThyssenKrupp has clarified that no other business units or segments have been impacted by the cyberattack, which was contained in the automotive division. They are working on gradually returning to normal operations.

Reference: Hacker attack on Thyssenkrupp – factory with 1,000 employees in Saarland affected
Reference: Steel giant ThyssenKrupp confirms cyberattack on automotive division
Reference: Flame And SCADA Security
Reference: Iranian oil terminal ‘offline’ after ‘malware attack’
Reference: Attacks on Iranian oil industry led to Flame malware find

Threat Actor: WIZARD SPIDER

WIZARD SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as "big game hunting," signals a shift in operations for WIZARD SPIDER. This actor is a Russia-based criminal group known for the operation of the TrickBot banking malware, which had focused primarily on wire fraud in the past.

Reference: Timeline: Israeli Attacks on Iran
Incident: Virus Infection in Turbine Control System at US Electric Utility

In early October 2012 a power company contacted ICS-CERT to report a virus infection in a turbine control system which impacted approximately ten computers on its control system network. Ten plant PCs were infected by a Mariposa malware variant, transmitted through a USB stick. The infection occurred during a scheduled shutdown for maintenance.

Reference: ICS CERT Monitor – December 2012
Reference: German Steel Mill Attack: Inside Job
Incident: Attack on Kyiv Power Substation Shut Down Remote Terminals

The attack on the Pivnichna transmission facility shut down the remote terminal units that control circuit breakers. Oleksii Yasynskyi, head of research for Information Systems Security Partners in Ukraine, said the attackers belonged to several different groups that worked together. Among other things, they gathered passwords for targeted servers and workstations and created custom malware for their targets. Sandworm is suspected of deploying the Industroyer (also known as CrashOverride) malware, which exploited a vulnerability in Siemens SIPROTEC relays.

The hack was less severe than the one used in the 2015 attack, which rendered the devices inoperable and prevented engineers from remotely restoring power.

Victim: Pivnichna Power Transmission Facility

Pivnichna transmission facility, Kyiv, Ukraine

Reference: Hackers trigger yet another power outage in Ukraine
Reference: Found: “Crash Override” malware that triggered Ukrainian power outage
Incident: WannaCry Affects Operations at Several Renault Plants

The global cyberattack caused widespread disruption, including stoppages at several Renault-Nissan sites. Renault and its Japanese partner are the only major car manufacturers so far to have reported production problems resulting from Friday's WannaCry ransomware worm attack, which spread to more than 150 countries.

The cyber attack halted or reduced the output of at least five Renault sites over the weekend. Besides Douai, they included a van plant in Sandouville, France; a small-car plant in Slovenia; the no-frills Dacia plant in Pitesti, Romania; and a factory shared with Nissan in Chennai, India.

Victim: Renault-Nissan

Reference: Renault-Nissan is resuming production after a global cyberattack caused stoppages at 5 plants
Reference: Throwback Attack: WannaCry ransomware takes Renault-Nissan plants offline
Incident: Petya Ransomware Attack Affects Operations at Terminal of India’s Largest Container Port JNPT

Operations at one of the three terminals of India's largest container port JNPT (Jawaharlal Nehru Port Trust) were impacted on Tuesday night as a fallout of the global ransomware attack, which crippled some central banks and many large corporations in Europe. AP Moller-Maersk, one of the affected entities globally, operates the Gateway Terminals India (GTI) at JNPT, which has a capacity to handle 1.8 million standard container units.

Reference: Maersk Ransomware Attack
Reference: India’s largest container port JNPT hit by ransomware
Reference: TRITON Malware Used in Attacks Against Industrial Safety Equipment
Reference: Russia Behind Triton Attack: Report
Reference: TUG: Safety System Attack ‘Slow Burn’
Victim: Rabigh Refining & Petrochemical Company

Rabigh Refining & Petrochemical Company is a Saudi Arabia–based company which produces and markets refined hydrocarbon and petrochemicals. It was founded in 2005 as a joint venture between Saudi Aramco and Japan’s Sumitomo Chemical. The company was a joint venture between and which is now publicly held

Reference: AW North Carolina Hit in Ransomware Attack
Incident: Ransomware Attack at AW North Carolina Shuts down Operations for 4 Hours

The attack against AWNC started on Aug. 16, 2017, when the company’s information technology (IT) systems were infiltrated by a newer strain of ransomware. This malicious software encrypted the company’s critical data and demanded a ransom to restore access to the affected files. It ultimately shut down production lines for four hours at the 2,200-worker plant. The disruption affected not only AWNC, but also its customers as delays in the delivery of transmission components led to a ripple effect throughout the automotive supply chain.

Reference: Take down: Hackers looking to shut down factories for pay
Reference: Throwback Attack: AW North Carolina attack shows dangers of ransomware and just-in-time manufacturing
Incident: TSMC Hit by WannaCry Variant

The cyber attack on iPhone supplier TSMC was apparently caused by a WannaCry variant, the company has revealed. The severity of the attack caused the company to shut down some of its factories while the issue was fixed, which meant some plants were out of action for days. Although the problem has mostly been rectified now, it says it's still expecting shipments to be delayed for some time.

The virus was injected into TSMC's systems when a supplier reportedly installed infected software onto some of its machines, without running an antivirus scan. The infection then spread to other locations within the company's network in Tainan, Hsinchu and Taichung, which caused the majority of its facilities to close down temporarily.

The attack may have cost the iPhone component manufacturer up to 3% of revenues and could cost Apple over $255M.

Reference: TSMC cyber attack was apparently caused by WannaCry
Incident: US Natural Gas Compression Facility Shut Down Entire Pipeline for 2 Days

Attackers used spear phishing to gain initial access to the IT network, then pivoted into the OT network due to poor segmentation. Then, they planted ransomware.

The attack did not impact any programmable logic controllers (PLCs) and at no point did the victim lose control of operations. Although the victim’s emergency response plan did not specifically consider cyberattacks, the decision was made to implement a deliberate and controlled shutdown to operations.

Victim: Unidentified Natural Gas Facility

Unidentified Natural Gas Facility

Reference: Ransomware Impacting Pipeline Operations
Reference: Operations at U.S. Natural Gas Facilities Disrupted by Ransomware Attack
Incident: Malware Attack Disrupts Multiple Sites of Rheinmetall AG, Causing Shares to Drop

German arms and car parts maker Rheinmetall said it had been hit by a malware attack affecting production at some sites in the United States, Mexico and Brazil, sending shares down in early trade on Friday. "Normal production processes at these locations are currently experiencing significant disruption," Rheinmetall said in a statement late on Thursday.
Rheinmetall shares, which have risen around 50% since the start of this year, were indicated to open 2.9% lower in early Frankfurt trade on Friday.

Reference: Shares in Rheinmetall drop after company discloses malware attack
Reference: Oddly specific ‘cyber attack’ hits Alaskan airline RavnAir and one plane type
Reference: Toll Group shuts down IT systems in response to ‘cybersecurity incident’
Reference: Deliveries stranded across Australia as Toll confirms ransomware attack
Reference: Toyota to suspend packaging line after cyberattack on Japan port
Reference: Nagoya Port cyberattack may become security wake-up call
Incident: KHS Bicycle Shipments Delayed for 2 Days after Cyberattack

KHS Bicycles suffered an IT system hack over the weekend. KHS' vice president, Wayne D. Gray, told BRAIN Tuesday afternoon: "Our B2B site is back up and we are shipping from California today," and that the company would resume shipping from its Kentucky distribution center on Wednesday.

The company was unable to accept or ship dealer orders Monday and early Tuesday. The company was able to restore its email systems Tuesday and is working with security specialists to restore other systems as soon as possible.

Victim: KHS Bicycles

California-based distributor KHS Bicycles

Reference: KHS Bicycles resumes some shipments after system hack
Reference: Cyber attack shuts down Evraz IT systems across North America,
Incident: Large Amount of Data Leaked after New Zealand Manufacturer Refused to Pay

Fisher & Paykel Appliances has confirmed it has fallen victim to a damaging ransomware attack. The Auckland-based whiteware manufacturer, which is owned by China's Haier, was targeted by a malware program called Nefilim. The company refused to pay and suffered a large data leak.

Victim: Fisher & Paykel Appliances

Fisher & Paykel Appliances manufacturer in New Zealand

Reference: Fisher & Paykel Appliances a victim of ransomware scourge
Incident: X-FAB Group Targeted by Cyberattack

X-FAB Group was the target of a cyber security attack. Following the advice of leading security experts engaged by X-FAB, all IT systems were immediately halted. As an additional preventive measure, production at all six manufacturing sites was stopped. At this stage it cannot be estimated for how long and to which degree X-FAB's operations will be disrupted. It is also too early to assess whether there will be any financial impact, stated a company press release.

Victim: X-FAB

X-FAB manufactures silicon wafers for automotive, industrial, consumer, medical and other applications.

Reference: X-FAB Affected by Cyber Attack
Incident: Cyberattack at Israeli Tower Semiconductor Manufacturer

A cyberattack at Tower Semiconductor forced certain operations to a complete halt. Company officials said that specific measures were taken to prevent the spread of the cyberattack; however, no factual assessment report stating the real extent of the damage was immediately available.

Victim: Tower Semiconductor

Tower Semiconductor mainly manufactures integrated circuits (ICs) and provides a host of technology solutions for growing markets such as consumer, industrial, automotive, mobile, infrastructure, medical, aerospace, and defense.

It has operations in three countries: two sites in Israel (Migdal Haemek); two in the U.S. (Newport Beach, California and San Antonio, Texas); and three in Japan, where it has partnered with Panasonic Semiconductor Solutions Co. Ltd.

Reference: Israel’s Tower Semiconductor Hit by a Cyberattack
Reference: Australian Steel Maker BlueScope Hit by Cyberattack
Reference: BlueScope Steel hit by cyber attack causing worldwide system shutdown of operations
Incident: Montreal’s Transit Service Hit by RansomExx Ransomware

Montreal's transit service was hit by RansomExx ransomware, and it refused to pay the $2.8 million demanded. The Société de transport de Montréal (STM) says the attack targeted 1,000 of its 1,600 servers.

624 operationally sensitive servers were affected by the attack, but more than three-quarters of them were back within a week, although the website was still down.

The agency said the attack did not affect bus or Metro service, and that employees were able to receive their pay "almost normally." The attack did, however, stop the STM from providing adapted transit for nearly a week. That service was reestablished on Sunday, a week after the attack.

Victim: Société de transport de Montréal (STM)

Société de transport de Montréal (STM) - transit agency

Reference: The STM completes cyber attack investigation
Reference: STM says it refused hackers’ $2.8M demand in ransomware attack
Incident: Canadian Stelco Temporarily Suspended Operations

Stelco – one of Canada’s oldest and largest steelmakers – has issued a statement revealing that it was the target of a “criminal attack” on its information systems. When the cyberattack first hit, Stelco said that certain operations, which included steel production, were temporarily suspended as a precaution.

Victim: Stelco

Stelco – one of Canada’s oldest and largest steelmakers.

Reference: Stelco reveals information systems were subjected to a “criminal attack”
Incident: German Flavor Manufacturer Symrise Preventively Shut Down Operations

Flavor and fragrance developer Symrise has suffered a Clop ransomware attack where the attackers allegedly stole 500 GB of unencrypted files and encrypted close to 1,000 devices.

The cyberattack forced the shutdown of systems to prevent the attack from spreading.

Victim: Symrise

Symrise is a major developer of flavors and fragrances used in over 30,000 products worldwide, including those from Nestle, Coca-Cola, and Unilever. Symrise generated €3.4 billion in revenue for 2019 and employs over 10,000 people.

Reference: Hackers paralyze Symrise – why the case is particularly serious
Reference: Flavors designer Symrise halts production after Clop ransomware attack
Incident: Ransomware Attack at Forward Air

The ransomware attack at Forward Air, claimed by the Hades ransomware gang, impacted data exchange with customers, leading to delivery delays that affected financial results. The company shut down operations and delayed shipments for a week.

Threat Actor: The Hades ransomware gang

The Hades ransomware gang began operating in 2020. When encrypting a victim, it will create a ransom note named 'HOW-TO-DECRYPT-[extension].txt' that resembles notes used by the REvil ransomware group.

Victim: Forward Air

Trucking company Forward Air

Reference: News Alert: Forward Air’s systems coming back online
Reference: Trucking company Forward Air said its ransomware incident cost it $7.5 million
Reference: Forward Air reveals ransomware attack, warns of revenue hit
Reference: Palfinger attack highlights escalation in cyber crimes
Incident: JBI Bicycle Retailer Halts Shipments due to Cyberattack

Global wholesale distributor JBI is back online one week after a ransomware attack shut down its website.

A spokesperson said on Wednesday afternoon that JBI was taking orders again in a limited capacity, but that shipping delays might occur because of backlogged orders. JBI has 11 warehouses and not all of them have resumed full operations. The Miami warehouse is among those operating again. JBI said that none of its customers' business information was affected.

Victim: Family-owned, Florida-based bike and parts distributor with a bicycle division.

Reference: JBI back online in limited capacity after ransomware attack
Incident: Swiss Drug Manufacturer Siegfried Shuts Down Production after Cyberattack

The Siegfried Group suffered a cyber attack shortly before Pentecost. The Swiss company shut down production at multiple sites, cut off network connections, and scoured its information technology systems. Among other things, Siegfried packages the Pfizer-BioNTech COVID-19 vaccine.

As a result of the attack, there will be certain volume and revenue shortfalls in the first half of the year. Based on the results of the forensic investigations, which are well advanced, the Siegfried Group continues to assume that no sensitive customer data were affected by the incident.

Victim: The Siegfried Group

The Siegfried Group is a global life sciences company with sites in Switzerland, Germany, Spain, France, Malta, the USA and China. In 2020, the Siegfried Group achieved sales of CHF 845.1 million and currently employs approximately 3,500 people at eleven sites on three continents.

Siegfried is active in manufacturing pharmaceutical APIs (and their intermediates) as well as drug products (tablets, capsules, sterile vials, ampoules, cartridges and ointments) for the pharmaceutical industry and provides development services.

Reference: Siegfried restarts production after cyber attack
Reference: Siegfried, Brenntag, and Symrise hit by cyberattacks
Reference: Schreiber Foods hit with cyberattack; plants closed
Reference: Costa Rica: Costa Rica Customs Delays Affect Imports
Reference: Foxconn: Mexico factory operations ‘gradually returning to normal’ after ransomware attack
Victim: Hipp

German baby food manufacturer Hipp

Incident: German Battery Maker, VARTA Group, Hit in Cyberattack

Ellwangen, Germany-based VARTA Group suffered a cyber attack Monday that shut down its production plants and its administrative areas, company officials said in an advisory released Tuesday.
“Last night, February 12th 2024, the VARTA Group was the target of a cyberattack on parts of its IT systems,” the company said in an advisory.
“This affects the five production plants and the administration. The IT systems and thus also production were proactively shut down temporarily for security reasons and disconnected from the Internet. The IT systems and the extent of the impact are currently being reviewed. The utmost care is being taken to ensure data integrity,” the company said.

Reference: German Battery Maker Shut By Cyberattack
Victim: VARTA Group

VARTA manufactures batteries for global automotive, industrial, and consumer markets and Energizer Holdings owns a piece of the company. The company traces its roots back to 1887. VARTA’s annual revenue exceeds $875 million.

Incident: City of Mayen, Germany, Reports Street Light Outage Due to Cyberattack on Control Partner

Due to a cyber attack on the city of Mayen's control partner, there may be irregularities in the switch-on and switch-off times of the street lighting in the coming days. The partner is working hard on a solution.

Victim: Unidentified

Reference: Street lighting failures in Mayen’s city center and the districts
Reference: Sellafield site compromised by foreign hackers and leaks covered up – investigation
Reference: Sellafield: Minister wants answers on alleged cyber hack
Reference: Britain says no evidence of Sellafield nuclear site hacking
Reference: Sellafield boss hits back at safety failure claims
Victim: Sellafield

The Sellafield nuclear facility is mainly used for the treatment and storage of nuclear waste. It employs 11,000 people, many of whom are engaged in maintaining or decommissioning redundant buildings and equipment.

It is home to the UK's civil plutonium stockpile, with 140 tonnes of the material stored there. Security is extremely tight.

Reference: Sellafield nuclear site hacked by groups linked to Russia and China
Incident: Cyberattack at Private Company Providing Services to Canadian Military Personnel Exposes PII

A private company that assists members of the Canadian military and foreign service when they move across the country or around the world was hacked. The breach involves the personal information of Canadian government employees held by Brookfield Global Relocation Services (BGRS), whose company website has been offline since Sept. 29.

Victim: Brookfield Global Relocation Services (BGRS)

Brookfield Global Relocation Services (BGRS) is a private company that assists members of the Canadian military and foreign service when they move across the country or around the world.

Reference: Company that arranges military moves has been hacked, defense department confirms
Incident: Estonian National Rail Company Experiences Largest Operational Disruption To-date

The September 20 cyber incident at Elron, Estonia's national train company, orchestrated by a pro-Russia hacker group, inflicted substantial disruptions. Targeting Ridango-managed systems, a Distributed Denial of Service (DDoS) attack paralyzed ticketing services, impacting both online platforms and physical stations.

The cyberattack that began on Wednesday had a major impact on Elron ticket sales. The company has never experienced a system outage of this scale before.
By Thursday noon, the situation had returned to normal.

Reference: RIA on Elron cyberattack: It is likely that it will happen again
Reference: Elron ticket service back online after DDoS attacks from Russia supporters
Victim: Elron

Elron, Estonia's national train company

Reference: Cyber attack brought Elron ticketing system down Wednesday
Incident: Ransomware Attack at Unidentified Bavarian Wood Processing Manufacturer

A wood processing company in Deggendorf, Germany, encountered a ransomware attack. Unknown perpetrators managed to encrypt several of the company's servers by installing malware. This meant that working in emergency mode was only possible for a short period of time. Since the company did not contact the perpetrators, no demands for money have been reported so far. A swift law enforcement response and deployment of backups facilitated system recovery.

Reference: Hacker attack on company in Deggendorf district: malware installed [machine translated]
Reference: Lower Bavaria: Digital attack on company [machine translated]
Incident: Ransomware Attack at Unidentified Bavarian Manufacturer

Deployment of a quick reaction team from the Deggendorf Police Department was necessary because a company in the digital manufacturing sector fell victim to a cyber attack.

Ransomware (malicious software) had been installed on one of the company computers. A possible decryption was promised after a ransom was paid in the form of Bitcoins. No contact was made. The affected company was able to rely on existing data backups. The company suffered no financial damage. It is unknown if there were any operational consequences as further details were not disclosed.

Victim: Undisclosed – manufacturing sector

Undisclosed - manufacturing sector

Reference: Lower Bavaria: Malware installed on company computers – deployment of a quick reaction team
Incident: NoName DDoS Attacks on Port Authorities Throughout Canada

NoName is targeting key port authorities throughout Canada: the Port of Nanaimo, Port de Saguenay, Trois-Rivières Port Authority, and the Port of Belledune. The incident has raised serious concerns about the potential impact on operations and on the security of sensitive information, as all are essential gateways to Canadian transportation and shipping routes.

In April 2023, the Port of Halifax in Nova Scotia and the Ports of Montreal and Québec were targeted by a ‘denial-of-service attack’ that flooded their websites with traffic, causing them to crash.

Victim: Port of Nanaimo

Port of Nanaimo, located on Vancouver Island in British Columbia, is a vital Canadian regional transportation hub.

Victim: Port of Belledune

Port of Belledune is an essential gateway for international trade in New Brunswick, Canada.

Victim: Trois-Rivières Port Authority

Trois-Rivières Port Authority in Canada is an important port facility connecting the Saint Lawrence River to major shipping routes.

Victim: Port de Saguenay

Port de Saguenay in Quebec is crucial in facilitating Canadian international trade and transportation.

Reference: NoName Targets Canada, Port Authorities Under Cyber Attack
Incident: Ransomware Attack at Bilstein Group, German Car Parts Manufacturer

The BianLian ransomware gang has added the Bilstein Group to its list of victims. At the end of April, 60 GB of internal company data appeared on the dark web, as can be seen on the monitoring site. This includes human resources, accounting and financial data. The auto parts specialist confirmed to CSO that there had been a recent cyber attack. "However, this was quickly discovered by our systems and IT specialists, so the impact was marginal," explained a spokesman. The company did not want to release any further information about the case. It is not known whether there was a blackmail letter demanding a ransom.

Victim: Bilstein Group

Bilstein Group is a supplier and manufacturer of car and commercial vehicle replacement parts.

Reference: German car spare parts specialist Bilstein hacked
Reference: Data from Lux Automation on the Darknet
Victim: Lux Automation

Safety technology for machines and plants

Incident: Ransomware Attack at Pierce Transit System

A ransomware "incident" hit Pierce Transit. A Pierce Transit spokesperson stated the agency "experienced a ransomware incident that temporarily disrupted some agency systems. Upon discovering the incident, our team immediately took action to contain and isolate the threat. Third party forensic experts were engaged to conduct a thorough investigation into the nature and scope of the incident, and law enforcement has been notified." The agency stated that transit operations and rider safety were not impacted by the incident.
The Pierce Transit spokesperson went on to say that an "unauthorized actor" has claimed responsibility and that the investigation into the disruption is ongoing.

Reference: Pierce County agencies investigating potential ransomware attacks
Incident: Cyberattack at Canadian Engineering Giant Contracted for Government Military, Power and Transportation Projects

A Canadian engineering giant whose work involves critical military, power and transportation infrastructure across the country has been hit with a ransomware attack. Details about the ransomware attack are scarce, with Black & McDonald refusing even to confirm it happened.

Canada’s defense department confirmed Thursday that its systems were not affected by a ransomware attack on engineering giant Black & McDonald. "Once DCC was informed of the incident, it blocked all incoming emails from Black & McDonald out of an abundance of caution and conducted business by phone or in person," Department of National Defense spokeswoman Jessica Lamirande said in a statement. "Once the contractor restored its email system and informed DCC, email communication resumed."

Black & McDonald also has contracts with the Toronto Transit Commission and Ontario Power Generation — both of which told The Canadian Press they were informed by the company about the ransomware incident.

Victim: Black & McDonald

Black & McDonald is the parent company of Canadian Base Operators, which holds several contracts with the Department of National Defense for facilities management and logistical support services.

Reference: Canadian military: Ransomware attack on contractor didn’t touch defense systems
Reference: Cyber attack hits engineering giant with contracts for military bases, power plants
Malware: CryptoLocker

CryptoLocker is a Trojan horse that infects your computer and then searches for files to encrypt. This includes anything on your hard drives and all connected media — for example, USB memory sticks or any shared network drives. In addition, the malware seeks out files and folders you store in the cloud. Only computers running a version of Windows are susceptible to Cryptolocker; the Trojan does not target Macs.

Incident: Ransomware Attack at Black and White Taxi Service in Australia

A cyber attack on Black and White Cabs has shut down the company's phone and online booking system. Suspicious activity was detected by staff and a "serious threat" to the company was determined in the afternoon. Black and White Cabs has confirmed that a CryptoLocker virus infiltrated its network, and it has reported the attack to the Australian Cyber Security Centre. The company was unable to dispatch bookings by computer and took all booking portals down to protect its passengers, drivers and staff. Drivers were still completing street work (hail and rank) and private bookings.

Reference: Passenger Information
Victim: Black and White Cabs

Black and White Cabs

Reference: Black and White Cabs booking service offline after cyber attack
Incident: Cyberattack Disrupts Costa Rica Transportation Systems

Costa Rica's Ministry of Public Works and Transport (MOPT) called in cybersecurity experts from the National Security Directorate and the Ministry of Science, Innovation, Technology and Telecommunications to address an incident in which 12 servers were encrypted and all of MOPT's computer systems were knocked offline. The government did not respond to requests for more information but stated that international organizations were brought in for support.

Driving tests are still being conducted in person and while license issuance services were briefly disrupted, they are now being resumed.

Victim: Costa Rica’s Ministry of Public Works and Transport (MOPT)

Costa Rica’s Ministry of Public Works and Transport (MOPT)

Reference: Costa Rica’s Ministry of Public Works and Transport crippled by ransomware attack
Incident: Data Breach at Fresh Del Monte Produce Exposed Employee Data

On May 16, 2023, Fresh Del Monte Produce, Inc. filed a notice of data breach with the Attorney General of Massachusetts after learning that confidential employee information was subject to unauthorized access following a cyberattack. According to the filing, an unauthorized user gained access to the company’s computer network. The breach exposed confidential employee information containing consumer information including names, Social Security numbers, driver’s license numbers, passport numbers, financial account information, and protected health information.

Fresh Del Monte believes that no consumer data was leaked as a result of the incident. The company launched an investigation and took its systems offline in an effort to limit further access.

Victim: Fresh Del Monte Produce, Inc.

Fresh Del Monte Produce, Inc. is a global fruit and vegetable company based in Coral Gables, Florida. The company produces, markets and distributes fresh fruits and vegetables, as well as a line of prepared fruit and vegetables, juices, beverages, snacks, and desserts. Fresh Del Monte Produce employs more than 40,000 people and generates approximately $4.4 billion in annual revenue.

Reference: Data breach affected Fresh del Monte’s employees’ information
Reference: Electronic health record giant NextGen dealing with cyberattack
Reference: Fresh Del Monte Produce Notifies Employees of Recent Data Breach
Incident: Japanese Manufacturer Fujikura Global Hacked by Lockbit Gang.

The hacker group LockBit 3.0 has claimed Fujikura Global, the Japanese manufacturer of electrical and electronic products, as its victim. A company press release confirms the attack: "We have confirmed that our group company in the Kingdom of Thailand received unauthorized access to its network by a third party on January 12, 2023."

The threat actor claimed to have breached the corporate headquarters of the Japanese company and to have reached its subsidiaries around the world. The group claims the compromised data amounts to 718GB of confidential and critical information taken from the company’s infrastructure, including financial records, internal reports, certificates, correspondence, extensive internal documentation, tables, employee personal information, and more.

Victim: Fujikura Global

Fujikura Global is a Japanese manufacturer of electrical and electronic products.

Reference: LockBit Group Lists Japanese Company Fujikura Global as Latest Victim
Reference: Unauthorized Access to our Group Company in the Kingdom of Thailand [machine translated]
Incident: Significant Electrical Malfunctions at Draguignan Prison Center

Since Wednesday, January 11, the remand center has been plagued by computer difficulties that have caused significant electrical malfunctions. A computer virus is suspected of having caused the disruption and numerous malfunctions. To monitor the inmates, management called on intervention teams while waiting for the cameras to be put back into operation. [machine translated]

Reference: Draguignan prison victim of a computer virus
Victim: Centre pénitentiaire de Draguignan

Centre pénitentiaire de Draguignan, a prison facility in France

Incident: Czech Railways Website and App Hacked

The website and application of the state railway carrier České dráhy were attacked by hackers. According to the carrier, the website and the booking application may therefore be unavailable; passengers will be checked in without surcharge. The spokeswoman did not want to give details about the start of the attack or the type of attack for security reasons. [machine translated]

Victim: České dráhy – Czech Railways

Czech state railway carrier České dráhy

Reference: Czech Railways is facing a hacker attack. The My Train website and app are down
Incident: Crystal Manufacturer Baccarat S.A Experienced Cyberattack on Undisclosed Data

Baccarat S.A., the renowned crystal manufacturer, experienced a cyberattack on an undisclosed date, causing partial operational disruption. While the impact on production remains uncertain, Baccarat reassured clients of no compromised personal data. The company, proactive in communication, urged clients to report suspicious messages.

Victim: Baccarat S.A

Baccarat S.A., the renowned crystal manufacturer in France

Reference: Meurthe-et-Moselle: the Baccarat crystal factory victim of a cyberattack
Reference: GO train, UP Express service resumes with ‘minimal disruptions’ after major outage
Incident: Phishing Incident at Major Mexican Airport

The Querétaro Intercontinental Airport is responding to a cyberattack. The airport is one of the highest-traffic airports in Mexico, situated about three hours from Mexico City. Reports confirm that it had been attacked by hackers. A notice on social media sites states it had called in experts to help address the issue. On Monday, the LockBit ransomware gang took credit for the attack, threatening to leak the data on November 27.

“We reported that we had a cyberattack incident and are working with experts to address this situation. AIQ systems are operating normally. The safety of our passengers and operations remains our top priority,” the airport said, according to a translation of the notice, posted Tuesday.

Officials said the cyberattack was traced back to an employee downloading a file containing malware.

Victim: Querétaro Intercontinental Airport

Querétaro Intercontinental Airport, Mexico. Over the last decade, Querétaro Intercontinental has become one of the busiest airports in Mexico, serving more than 1.1 million passengers in 2022 and becoming a hub for cargo flights within Mexico and to the U.S. and Europe.

Reference: Major Mexican airport confirms experts are working to address cyberattack
Reference: Japan space agency hit with cyberattack, no sensitive info accessed
Incident: Japan’s Space Agency (JAXA) Hit by Cyberattack

Japan's space agency was hit by cyberattacks, although the hackers failed to access sensitive information about rockets and satellite operations, a spokesperson revealed Wednesday (Nov 29). “There was a possibility of unauthorized access by exploiting the vulnerability of network equipment,” the spokesperson at the Japan Aerospace Exploration Agency (JAXA) was quoted as saying by Reuters. However, the official declined to elaborate on details, such as when the attack took place.

JAXA got to know about the attack after an external organisation conducted an internal audit, as per the spokesperson.

In August, Japan blamed China-backed hackers for a months-long cyberattack campaign that targeted Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC).

A JAXA spokesperson said a detailed investigation into the hacking attempt is ongoing and that it has not been revealed who could be behind it.

Reference: Japanese space agency JAXA hit by cyberattack amid hacking spree by China
Reference: Japanese space agency JAXA hit with cyberattack
Victim: Japan Aerospace Exploration Agency (JAXA)

Japan Aerospace Exploration Agency (JAXA)

Reference: Cyberattack Hits German Battery Maker Varta, Halts Production
Reference: German battery maker Varta says five plants hit by cyberattack
Reference: “Take any vulnerability very seriously”: Car manufacturers are on the alert after Conti data theft
Incident: Ransomware Attack at Large Indian Paint Manufacturer, Kansai Nerolac.

Kansai Nerolac Ltd., among India's largest paint manufacturing companies, reported a ransomware incident. In a statement to exchanges, Kansai Nerolac informed that a cyberattack occurred on Sunday, wherein the company’s IT infrastructure was targeted by a ransomware attack. “This has affected a few systems. We would like to assure you that the technical team of the company along with a specialised team of cybersecurity experts and the management responded promptly and initiated necessary precautions and protocols to mitigate the impact of this incident,” the statement read.

Victim: Kansai Nerolac Ltd.

Kansai Nerolac Ltd. is among India's largest paint manufacturing companies

Reference: Kansai Nerolac Reports Ransomware Incident on Sunday
Reference: Kansai Nerolac reports ransomware incident on Sunday, financial impact undisclosed
Reference: ROBOVIC Dataleak
Reference: Ransomware Victim ROBOVIC
Victim: Nobiskrug

Nobiskrug is a shipyard located on the Eider River in Rendsburg, Germany, specialized in building innovative, custom-made luxury superyachts.

Victim: Flensburger Schiffbau-Gesellschaft (FSG)

Flensburger Schiffbau-Gesellschaft is a German shipbuilding company located in Flensburg. The company trades as Flensburger and is commonly abbreviated FSG.

Reference: Cyber ​​attack on the Flensburger Schiffbau-Gesellschaft and Nobiskrug shipyard
Reference: Cyber ​​attack on FSG and Nobiskrug shipyards
Reference: Cyber ​​attack on the Flensburg shipbuilding company
Reference: Claim a Canadian energy company was target of Russian cyberattack highlights our vulnerability, but could just be fake
Reference: Leaked Pentagon Document Claims Russian Hacktivists Breached Canadian Gas Pipeline Company
Incident: Websites of 7 German Airports Simultaneously Hit by Cyberattack

The websites of seven airports were hit by a suspected cyberattack. Among the airports affected by a “large-scale DDoS [distributed denial-of-service] attack” on Thursday were Dusseldorf, Nuremberg, Erfurt-Weimar and Dortmund, according to Ralph Beisel, chief executive of the ADV airport association.

A group calling itself “Anonymous Russia” took responsibility for cyberattacks on German airports. “Germany has non-flying weather again,” the hackers said on Telegram alongside a list of their alleged victims.

Reference: Scandinavian Airlines hit by cyberattack, ‘Anonymous Sudan’ claims responsibility
Reference: German airports hit by DDoS attack, ‘Anonymous Russia’ claims responsibility
Incident: Cyberattack at Leading Building Management Co. GEZE Raises Product Integrity Concerns

A cyberattack on GEZE, a leading building management company, hit the systems behind its core offerings, including automatic door and window solutions, raising concerns about product integrity and safety features.

The company website statement [since removed] said: "Our systems were exposed to a cyber attack. We have decided to shut down our system landscape preventively and to start a controlled, step-by-step reconstruction. Therefore, we are unfortunately not available at the moment and ask for your understanding. We are making every effort to restore our systems as quickly and securely as possible."

Reference: GEZE IT Security statement []
Victim: GEZE

GEZE, a leading building management company headquartered in Germany

Reference: 35 years and counting for GEZE [mentions the cyberattack]
Reference: Cyber Incident Victim: Geze (GEZE)
Reference: Colipays: after the cyberattack, reimbursement of injured customers will take longer
Reference: Colipays victim of a cyberattack, customers never received their package
Incident: Sandworm Linked Group Sabotages Major Ukrainian Communications Provider Affecting Millions of Customers

A hacker group calling itself Solntsepek, previously linked to Russia’s notorious Sandworm hackers, claimed responsibility for sabotaging Kyivstar, a major Ukrainian mobile and internet provider, cutting off communications for millions and temporarily disrupting the air raid warning system in the capital, Kyiv.

Victim: Kyivstar

Kyivstar, one of Ukraine's largest mobile and internet providers

Reference: Hacker Group Linked to Russian Military Claims Credit for Cyberattack on Ukrainian Telecom
Reference: Staples Confirms Cybersecurity Risk Disrupting Online Stores
Incident: Cyberattack at Staples Disrupts Internal Operations.

American office supply retailer Staples took some of its systems down to contain impact of a cybersecurity attack and protect customer data. Staples confirmed that it was forced to take protective action to mitigate what it described as a "cybersecurity risk." The response measures disrupted backend processing and product delivery.

In March 2023, Staples-owned distributor Essendant also experienced a multi-day outage that prevented customers and suppliers from placing or fulfilling online orders.

Victim: Staples

American office supply retailer Staples operates 994 stores in the US and Canada, along with 40 fulfillment centers for nationwide product storage and dispatch.

Reference: Staples confirms cyberattack behind service outages, delivery issues
Incident: Japanese Global Lingerie Producer, Wacoal, Hit by Cyberattack

The European arm of the Japanese lingerie business Wacoal was hit by a cyber attack affecting its ordering systems, websites and phone systems. Its websites were taken offline and independent stockists were unable to place orders.

Reference: Wacoal hit by cyber attack
Victim: Lingerie group Wacoal

Japanese Lingerie group Wacoal (includes brands Fantasie, Freya and Elomi)

Incident: Ransomware Attack at Canadian Weather Network

Ransomware hit the Weather Network’s parent company Pelmorex Corp., taking out many of its website and app services. Many critical functions were impaired or shut down, impacting English, French and Spanish services in North America. No ransom was paid.

Victim: Pelmorex Corp.

Pelmorex Corp. operates Canada's Alert Ready emergency warning system, the Weather Network app and website, as well as the French-language version MétéoMédia.

Reference: The Weather Network working on restoring service after cybersecurity incident
Reference: Weather Network says ransomware attack caused website and app outages in September
Incident: DDoS Attack Severely Disrupts Norwegian Data Protection Authority Datatilsynet

In September 2023, the website of the Norwegian Data Protection Authority, Datatilsynet, was taken down by a Distributed Denial of Service (DDoS) attack attributed to the pro-Russian group NoName057(16). According to the reporting, the attack caused physical damage, stressing hardware to the point of failure, an unusual outcome for a DDoS attack.

Victim: Datatilsynet

Norwegian Data Protection Authority Datatilsynet

Reference: Cyber Incident Victim: Datatilsynet
Reference: The Norwegian Data Protection Authority’s website shut down by a Russian hacker attack: Several authorities affected
Incident: Two Major NY Hospitals Struggle to Recover from Lockbit Cyberattack

Two major hospitals serving thousands in upstate New York are struggling to recover from cyberattacks that were announced last week.

The two facilities, Carthage Area Hospital and Claxton-Hepburn Medical Center, serve an area with more than 200,000 people in Jefferson, Lewis and St. Lawrence Counties. For two weeks, the hospitals have been dealing with a cybersecurity incident that forced them to divert ambulances to other local hospitals and reschedule most appointments.

Richard Duvall, chief executive officer of both hospitals, said "no demand for a ransom has been made."

Victim: NY’s Carthage Area Hospital & Claxton-Hepburn Medical Center

Carthage Area Hospital and Claxton-Hepburn Medical Center, serve an area with more than 200,000 people in Jefferson, Lewis and St. Lawrence Counties.

Reference: Carthage, Claxton-Hepburn hospitals target of cyber attack
Reference: Upstate New York nonprofit hospitals still facing issues after LockBit ransomware attack
Incident: Ransomware Attack at Russian Medical Laboratory

Customers of the Russian medical laboratory Helix have been unable to receive their test results for several days due to a “serious” cyberattack that crippled the company's systems over the weekend. According to a statement the lab issued Monday, hackers attempted to infect the company's systems with ransomware.

Victim: Helix, Russian medical laboratory

Russian medical laboratory Helix

Reference: Russian medical lab suspends some services after ransomware attack
Incident: USA’s ASPR issues Alert as Ransomware Gang Attacks Cancer Centers.

An attack against a US cancer center in June 2023 rendered digital services unavailable, limiting the center’s patient care capabilities. The group calling itself TimisoaraHackerTeam (THT) is not widely known, but it has a history of attacking medical facilities by exploiting known vulnerabilities and using a living-off-the-land approach to minimize detection.

ASPR Healthcare and Public Health Sector issued a Cybersecurity Notification and warning on June 16, 2023: “Even among hackers, there is often a code of conduct not to attack hospitals or other HPH organizations that could cause physical harm,” HHS stated. “However, in their purposeful targeting of the healthcare sector, groups like THT abstain from that moral code.”

Threat Actor: TimisoaraHackerTeam (THT)

THT is named after a Romanian city, and its source code also appears to have been produced by Romanian speakers. Researchers have not yet determined which overarching ransomware family THT belongs to.

Researchers first observed the group in July 2018, when it surfaced with its characteristic tactic of abusing legitimate tools such as Microsoft BitLocker to encrypt victim files rather than developing its own encryptor. What is known is that the group is willing to target hospitals.

Reference: ASPR Healthcare and Public Health Sector Cybersecurity Notification June 16, 2023
Reference: Ransomware gang preys on cancer centers, triggers alert
Reference: TimisoaraHackerTeam Ransomware Attacks US Cancer Center
Incident: Cyberattack Takes German University IT Systems Offline

The Kaiserslautern University of Applied Sciences (HS Kaiserslautern) was hit by a ransomware attack, following incidents affecting at least half a dozen similar institutions in recent months. The incident was confirmed on Friday, with the university using an emergency website to announce its “entire IT infrastructure” had been taken offline, including university email accounts and the telephone system.

Almost every facility and service available to the institution’s more than 6,200 students has been affected. Computer pools and even the library will “remain closed until further notice,” the university stated.

Victim: Kaiserslautern University of Applied Sciences

Kaiserslautern University of Applied Sciences (HS Kaiserslautern), Germany

Reference: Cyberattack on German university takes ‘entire IT infrastructure’ offline
Incident: Ransomware Attack Shuts Down 14 Canadian Gateway Casinos for Two Weeks

Canada’s Gateway Casinos & Entertainment Ltd. has officially confirmed that the company has been the subject of a cyberattack. All 14 of the company’s casinos in the province of Ontario were shut down. The casinos were hit with a ransomware attack that reportedly created an IT outage. Gateway Casinos started reopening on April 29.

Reference: Cyberattack – 14 Canadian Casinos Shut Down Since April 16
Reference: Gateway Casinos ransomware attack highlights need for better cybersecurity, says analyst
Incident: Server Outage at Telecom DOCOMO Pacific

The largest provider of mobile, television, internet and telephone services to the U.S. territories of Guam and the Northern Mariana Islands is slowly recovering from a cyberattack that brought down many of its services. The outages started on Thursday evening, and by Friday DOCOMO PACIFIC CEO Roderick Boss confirmed that the company’s servers had been attacked: “Early this morning, a cyber security incident occurred and some of our servers were attacked ... affected servers shut down to isolate the intrusion,” Boss explained in a statement.

“DOCOMO PACIFIC's customer data, mobile network services, and fiber services remain unaffected, protected, and secure at this time. We are working to restore service as soon as possible.”

Reference: DOCOMO PACIFIC responds to multiple service outage
Reference: Largest telecom in Guam starts restoring services after cyberattack
Victim: DOCOMO PACIFIC

DOCOMO PACIFIC, Guam-based regional provider of telecommunications and entertainment services.

Incident: Ransomhouse Extortion Group Paralyzes Barcelona Hospital Operations.

A cyberattack has targeted one of Barcelona’s leading hospitals, shutting down its computer system and forcing the cancellation of 150 non-urgent operations and up to 3000 patient checkups. The hospital's SAP system wasn't impacted, but all applications and communications remain broken as work to restore critical systems continues. This means that patient information for physicians is out of reach, and the situation impacts care services.

In addition to the cancellations mentioned above, the hospital delayed 800 urgent cases and diverted patients to other hospitals.

Victim: Hospital Clínic de Barcelona

Hospital Clínic de Barcelona is an 819-bed hospital based in Barcelona, Spain, serving over half a million people seeking medical attention and healthcare services.

Reference: Ransomware Attack Against Barcelona Hospital Disrupts Operations
Reference: Hospital Clínic de Barcelona severely impacted by ransomware attack
Incident: Lockbit Ransomware Attack at Office Supply Distributor Essendant

A systems outage at Essendant is preventing the placement or fulfillment of online orders, impacting both the company's customers and suppliers. Freight carriers have also been told to hold off on any pick-ups until further notice. Essendant continues its recovery efforts; during this time, customers will not be able to place orders or contact Essendant's customer care. The company’s statement acknowledges that a threat actor publicly claimed responsibility for the cyberattack, but the validity of that claim has not been officially confirmed.

Essendant stocks over 160,000 types of items serving approximately 30,000 reseller customers, so the systems outage is likely to have a widespread impact on the supply chain. BleepingComputer reached out to Staples and Essendant with questions but was not provided with any additional information.

Victim: Essendant

Essendant, a wholesale distributor of stationery and office supplies is a Staples-owned company, formerly known as United Stationers.

Essendant generates over $5.4 billion in annual revenue and employs more than 6,400 people. Headquartered in Deerfield, Illinois, Essendant also operates in Dubai, UAE.

Reference: Office Supplies Giant Essendant Was Hit by Ransomware
Reference: LockBit ransomware attacks Essendant
Reference: Staples-owned Essendant facing multi-day “outage,” orders frozen
Incident: Ransomware Attack on Thousands of VMware ESXi Servers

A vast ransomware infection campaign hit VMware ESXi servers around the world on February 3. The scale suggests an automated operation.

Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy a new ESXiArgs ransomware. Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks.

While the threat actors behind this attack claim to have stolen data, one victim reported in the BleepingComputer forums that it was not the case in their incident. Victims have also found ransom notes named "ransom.html" and "How to Restore Your Files.html" on locked systems. Others said that their notes are plaintext files.
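As an added triage example (written for this page, not code from CERT-FR, VMware or the original articles): given the output of `vmware -v` on a host and whether the SLP daemon is running, report whether the host is still on a build older than the VMSA-2021-0002 fix for CVE-2021-21974, and scan a datastore tree for the ransom-note filenames mentioned above. The fixed build numbers are taken from VMSA-2021-0002 and should be checked against the advisory for your branch before relying on them; the version strings and datastore tree in the sample are constructed.

```python
"""ESXiArgs triage helper: added example for this page, not CERT-FR, VMware or
BleepingComputer code.  Build numbers come from VMSA-2021-0002 (assumption:
verify them against the advisory for your branch before relying on them)."""
import os
import re
import tempfile

# Minimum build per branch that contains the CVE-2021-21974 (OpenSLP) fix.
FIXED_BUILDS = {
    "7.0": 17325551,  # ESXi70U1c-17325551
    "6.7": 17499825,  # ESXi670-202102401-SG
    "6.5": 17477841,  # ESXi650-202102101-SG
}

# Note filenames reported by ESXiArgs victims (see the text above).
RANSOM_NOTE_NAMES = {"ransom.html", "How to Restore Your Files.html"}

# Matches e.g. "VMware ESXi 7.0.1 build-17325020" as printed by `vmware -v`.
VERSION_RE = re.compile(r"VMware ESXi (\d+\.\d+)(?:\.\d+)?\s+build-(\d+)")


def check_cve_2021_21974(vmware_v_output: str, slp_running: bool) -> dict:
    """Classify a host from its `vmware -v` line and its slpd state.

    'exposed' is only true when the build is unpatched AND slpd is up:
    disabling SLP closes the attack path even before the patch is applied.
    """
    m = VERSION_RE.search(vmware_v_output)
    if not m:
        raise ValueError(f"unrecognised version string: {vmware_v_output!r}")
    branch, build = m.group(1), int(m.group(2))
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        status = "not-in-advisory"  # branch not listed in VMSA-2021-0002
    elif build < fixed:
        status = "unpatched"
    else:
        status = "patched"
    return {
        "branch": branch,
        "build": build,
        "status": status,
        "exposed": status == "unpatched" and slp_running,
    }


def find_ransom_notes(root: str) -> list:
    """Walk a datastore tree and return every ESXiArgs-style note found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in RANSOM_NOTE_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_datastore() -> str:
    """Constructed sample tree: one VM folder plus a datastore-level note."""
    root = tempfile.mkdtemp(prefix="esxi_ds_")
    ds = os.path.join(root, "vmfs", "volumes", "datastore1")
    vm = os.path.join(ds, "web01")
    os.makedirs(vm)
    for name in ("web01.vmx", "web01.vmdk", "ransom.html"):
        open(os.path.join(vm, name), "w").close()
    open(os.path.join(ds, "How to Restore Your Files.html"), "w").close()
    return root


if __name__ == "__main__":
    # Constructed inputs: a pre-fix 7.0 host with slpd still running.
    print(check_cve_2021_21974("VMware ESXi 7.0.1 build-17325020", slp_running=True))
    for note in find_ransom_notes(build_sample_datastore()):
        print("ransom note:", note)
```

Two caveats a responder would want: a host that reports "patched" can still carry ransom notes if it was hit before the patch landed, which is why the two checks are independent; and for hosts that cannot be patched immediately, VMware's published workaround is to stop the SLP service, disable the CIMSLP firewall ruleset with esxcli, and keep slpd from starting at boot, which turns "exposed" off without touching the build.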

Threat Actor: Nevada Ransomware Operation

(Feb'23): A relatively new ransomware operation known as Nevada appears to be growing its capabilities quickly, as security researchers have noticed improved functionality in its locker targeting Windows and VMware ESXi systems.

Nevada ransomware began to be promoted on the RAMP darknet forum on December 10, 2022, inviting Russian- and Chinese-speaking cybercriminals to join for an 85% cut of paid ransoms. For affiliates who bring in a lot of victims, Nevada says it will increase the revenue share to 90%.

RAMP has been previously reported as a space where Russian and Chinese hackers promote their cybercrime operations or to communicate with peers.

Reference: Ransomware: thousands of VMware ESXi servers caught in vast campaign
Reference: Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide
Reference: Caribbean island of Martinique dealing with cyberattack that disrupted government services
Incident: Cyberattack Upended New Flag Voting Process in Martinique

A quest to select the first official flag and hymn for the French Caribbean island of Martinique was interrupted Wednesday by a cyberattack. The attack on government servers upended a nearly two-week online voting window that began on Jan. 2. Officials said the attack was not successful but forced them to temporarily shut down the system. They did not say when voting would resume.

Reference: Flag and anthem: the CTM suspended votes due to a security breach
Reference: Cyberattack halts Martinique’s search for new flag, hymn
Incident: Ransomware Attack at Slovenian Power Company HSE

Slovenian power company Holding Slovenske Elektrarne (HSE) has suffered a ransomware attack that compromised its systems and encrypted files, yet the company says the incident did not disrupt electric power production. HSE is Slovenia's largest power generation company, accounting for roughly 60% of domestic production, and it is considered critical infrastructure in the country. No ransom demand has been received.

The attack did affect the company’s communication and information infrastructure and, according to Slovenian news outlet 24ur, the websites of some of the power plants were temporarily inaccessible. Unofficial information shared with local media attributes the attack to the Rhysida ransomware gang. If Rhysida is behind the attack, it would also explain why HSE is stating they did not receive a ransom demand, as Rhysida ransom notes only contain an email address to contact the threat actors without specifying any monetary demands.

Reference: Slovenian power company hit by ransomware
Victim: Holding Slovenske Elektrarne (HSE)

Slovenian power generation company Holding Slovenske Elektrarne (HSE)

Reference: Slovenia’s largest power provider HSE hit by ransomware attack
Incident: Targeted Cyberattack on Ukrainian Critical Energy Infrastructure Facility

The Computer Emergency Response Team of Ukraine (CERT-UA) recorded on Tuesday a targeted cyber attack against a critical energy infrastructure facility in the country. The advisory added that the described activity is carried out by the Russian state-sponsored APT28 hacker group. The agency confirmed that they were able to prevent any intrusion.

Threat Actor: APT28

APT28 does not appear to conduct widespread intellectual property theft for economic gain. Instead, APT28 focuses on collecting intelligence that would be most useful to a government. Specifically, FireEye found that since at least 2007, APT28 has been targeting privileged information related to governments, militaries, and security organizations that would likely benefit the Russian government.

Reference: APT28 cyberattack: msedge as a bootloader, TOR and services as a control center (CERT-UA#7469)
Reference: Ukraine’s CERT discloses cyberattack on critical energy infrastructure by APT28 hacker group
Incident: Russian Cyberattack Targets Water and Gas Utility Meter Manufacturer in Ukraine

Illia Vitiuk, head of the cyber department at the Security Service of Ukraine (SBU), when asked in an interview for a recent example of attacks Russia has carried out during the war, gave a previously undisclosed real-world case. He said Russia targeted a water and gas utility meter manufacturer in a supply chain attack, which the SBU was able to stop before it had real-world consequences.

The SBU explained that the target was telemetry equipment that measures the consumption of water or gas. The attackers penetrated the company as a new software update was about to be released, intending to use that update to reach the deployed systems [a supply chain attack of the kind seen in the SolarWinds compromise disclosed in 2020].

Reference: Exclusive: How a defend-forward operation gave Ukraine’s SBU an edge over Russia
Incident: Ukrainian Online Surveillance Cameras Allegedly Hacked by Russia to Carry Out Deadly Drone Attacks

Ukraine’s security officers said they took down two online surveillance cameras that were allegedly hacked by Russia to spy on air defense forces and critical infrastructure in Ukraine’s capital, Kyiv.

The cameras were installed on residential buildings in Kyiv and were initially used by residents to monitor the surrounding area and parking lot. After hacking them, the Russian intelligence services supposedly gained remote access to the cameras, changed their viewing angles, and connected them to YouTube to stream sensitive footage.

According to Ukraine’s security service, SBU, this footage likely helped Russians direct drones and missiles toward Kyiv during a large-scale missile strike against Ukraine on Tuesday. During the attack, Russia fired almost 100 drones and missiles, primarily targeting Kyiv and Kharkiv, Ukraine’s second-largest city. At least 5 people were killed, and 129 were injured.

Since Russia invaded Ukraine in February 2022, the SBU said it has blocked about 10,000 digital security cameras that Moscow might have used to prepare for missile strikes on Ukraine.

Victim: Ukraine’s security service, SBU

Ukraine’s security service, SBU

Reference: Ukraine says Russia hacked web cameras to spy on targets in Kyiv
Incident: Cyberattack at Yusen Logistics, Partner of Big Kitchen Manufacturers, Spells Delays for Appliance Retailers

BlackCat/ALPHV posted Yusen Logistics to its data leak site on September 25th, claiming to have stolen 90GB of company information. Yusen has confirmed that on Sunday, September 17 it was the victim of a malicious attack and is working with all relevant stakeholders to keep them informed. Home appliance retailer BSH, a Yusen partner in the UK, also confirmed it was impacted.

BlackCat made no mention of leaking the data, suggesting a ransom could have been paid.

Reference: Appliance supplier confirms delays due to cyber-attack
Reference: Appliance delivery woes return for big brands as tech glitch hits logistics partner
Victim: Yusen Logistics

Founded in 1955, Yusen Logistics is a global supply chain logistics company providing ocean and air freight forwarding, warehousing, distribution services and supply chain management.

Incident: Iranian Petrol Stations Hit by Cyberattack

Iran has accused a hacking group with alleged ties to Israel of carrying out a cyber attack that resulted in service disruptions at petrol stations throughout the country on Monday. The Israeli hacker group Gonjeshke Darande or Predatory Sparrow also claimed responsibility for hacking Iran’s gas stations. Iran’s oil minister, Javad Owji, confirmed that a cyberattack was responsible for the widespread disruption of petrol stations nationwide, and that services had been disrupted at about 70% of Iran’s petrol stations.

Incident: Snatch Claims it Breached Hemeria Group, partner of the French Space Agency CNES

The Snatch ransomware group claimed in a post on February 17, 2023 that in 2022 it breached the systems of Hemeria Group, a defense and space systems maker and partner of the French space agency CNES. According to the leak site post, the Snatch operators say they initiated talks with the Palace of Versailles to maintain caution because the company's data is considered a state secret.

Cybersecurity researchers have posted about the Hemeria Group data breach with screenshots from the ransomware group’s post. Hemeria management replied by denying any connection to the data Snatch holds, and the firm did not appear to be affected by the data breach news.

Reference: Reactions to cyberattack on Iran’s fuel system
Reference: Iranian petrol stations hit by cyber attack allegedly linked to Israeli hacker group
Reference: Iran petrol stations hit by cyberattack, oil minister says
Reference: Israel-linked group claims cyberattack that shut down 70% of Iran’s gas stations
Incident: Large Canadian Book Distributor Suspends Operations after Cyberattack

Socadis, one of the largest book distributors in Quebec, was forced to suspend “all of its activities” due to a cybersecurity problem that occurred last Sunday.

The problem affects all of its communication systems, which were rendered “inaccessible”. “We cannot take any orders,” the company said. “The business is temporarily closed,” it posted on its Facebook page on Tuesday. In an update Wednesday, it said its "operations are still at a standstill" and that the business would remain closed "until further notice."

Victim: Socadis

Socadis, one of the largest book distributors in Quebec distributes in particular the works of the publishing houses Flammarion, Fides and La Pastèque.

Reference: A cyberattack would paralyze an important link in Quebec books
Reference: The activities of the book distributor Socadis on pause
Incident: Polish Train Builder Denies Sabotaging PLC Code to Lock In Repair Services, Claims It Was Hacked

After a rail maintenance service provider won a contract to service rolling stock manufactured by Newag, the trains began stopping for no apparent reason. The provider hired a third-party team of researchers, who found deliberate logic in the controller firmware designed to "brick" (disable) the rolling stock if it had been maintained in certain locations, or under conditions, outside the original manufacturer's supervision.

Newag denied this and suggested it was instead the victim of a cyber attack. No evidence has been presented to back up that claim; the findings published by the researchers point to the vendor deliberately sabotaging the firmware of its own products to enforce a maintenance and repair lock-in and to disadvantage competing workshops.

"We found that the PLC [programmable logic controller] code actually contained logic that would lock up the train with bogus error codes after some date, or if the train wasn't running for a given time," Bazański wrote. "One version of the controller actually contained GPS coordinates to contain the behavior to third-party workshops."
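
The lock-out logic described in that quote is simple enough to model. The following is an added example, not Newag's firmware and not the researchers' code: it models the three trigger conditions attributed to the controller (a hard-coded date, an idle-time limit and GPS geofences around competitors' workshops) so that an auditor reviewing vendor firmware knows the shape of logic to look for. The workshop coordinates, radii, cutoff date and idle limit are hypothetical values chosen for the demo.

```python
# Added illustration of the three lock-out triggers attributed to the train
# controller firmware: date cutoff, idle timeout and geofence. This is not
# Newag's code or the researchers' code; every constant below is hypothetical.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import math


@dataclass(frozen=True)
class Geofence:
    """A circular area around a workshop, in decimal degrees and kilometres."""
    name: str
    lat: float
    lon: float
    radius_km: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS-84 points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


# Hypothetical third-party workshop locations (NOT the coordinates found in the firmware).
THIRD_PARTY_WORKSHOPS = (
    Geofence("workshop_A", 52.2000, 21.0000, 1.0),
    Geofence("workshop_B", 50.0500, 19.9500, 1.0),
)


def _as_date(d) -> date:
    """Accept either a date object or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def lockout_reasons(
    today,
    last_run,
    position: tuple[float, float],
    fences=THIRD_PARTY_WORKSHOPS,
    cutoff="2024-01-01",          # hypothetical hard-coded date
    max_idle_days: int = 10,      # hypothetical idle limit
) -> list[str]:
    """Return the trigger conditions that would fire; an empty list means the train runs.

    The three conditions mirror the description: a date after which the train
    refuses to run, a maximum number of days it may sit idle, and GPS geofences
    around competitors' workshops. Real firmware would then raise a fault code
    with no mechanical cause; here we only report which trigger fired.
    """
    today, last_run, cutoff = _as_date(today), _as_date(last_run), _as_date(cutoff)
    reasons: list[str] = []
    if today >= cutoff:
        reasons.append("date_cutoff")
    if (today - last_run).days > max_idle_days:
        reasons.append("idle_timeout")
    lat, lon = position
    for fence in fences:
        if haversine_km(lat, lon, fence.lat, fence.lon) <= fence.radius_km:
            reasons.append(f"geofence:{fence.name}")
    return reasons


if __name__ == "__main__":
    # A train parked one street away from a hypothetical competitor's workshop.
    print(lockout_reasons("2023-06-01", "2023-05-30", (52.2005, 21.0005)))
```

When auditing controller firmware the tell-tale ingredients are exactly these: literal date or epoch comparisons, a persisted last-run counter, and latitude/longitude constants compared against the position feed, all leading into a fault path that no sensor reading justifies. The same date-trigger shape appears in the Orqa goggle entry further down this page.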

Reference: Dieselgate, but for trains – some heavyweight hardware hacking
Reference: Polish train maker denies claims its software bricked rolling stock maintained by competitor
Incident: Pro-Iran Hackers Cut Water Supply for 2 Days in Remote Irish Town

A cyberattack on a private water scheme in Erris, Ireland left about 180 households without water for two days after the attackers hit its Israeli-made Unitronics pumping controller. The hackers stated the equipment was targeted because it originated in Israel.

The scheme said it did not have the budget for firewalls. Staff were unable to restore the system and struggled to bypass the controller and run the pump manually, which led to the two-day outage.

Victim: Private Water Services serving Erris, Ireland

Private Water Services serving Erris, Ireland

Reference: Two-day water outage in remote Irish region caused by pro-Iran hackers
Reference: Cyberattack on Irish Utility Cuts Off Water Supply for Two Days
Reference: Hackers hit Erris water in stance over Israel
Incident: Wide Concern over GPS Spoofing Incidents in Middle East, Previously Thought to Be Impossible

OPSGroup reports that since the first discovery, additional distinct spoofing scenarios have been reported by flight crews:

= A Gulfstream G650 experienced full nav failure on departure from LLBG/Tel Aviv (25 Oct). The crew reports: "ATC advised we were off course and provided vectors. Within a few minutes our EPU was 99.0, FMS, IRS, and GPS position were unreliable. The navigation system thought it was 225nm south of our present position."
= A Bombardier Global Express was spoofed on departure from LLBG/Tel Aviv (16 Oct). A false GPS position showed the aircraft overhead OLBA/Beirut. Crew advises: "The controller warned us that we are flying towards a forbidden area."
= A Boeing 777 experienced a 30 minute GPS spoofing encounter in the Cairo FIR (16 Oct). A false GPS position showed the aircraft as stationary overhead LLBG for 30 minutes.
= A Bombardier Global 7500 was spoofed 3 separate times in the Cairo FIR (16 Oct 2023). Crew advises: "The first took out one GPS, the second took out a GPS and all 3 IRS's, and the third time took both GPS's and all 3 IRS's. The distance from LLBG was roughly 220-250 miles, and the spoofing stopped once we were approx 250nm west of LLBG."
= An Embraer Legacy 650 en route from Europe to Dubai. They tell us: "In Baghdad airspace, we lost both GPS in the aircraft and on both iPads. Further, the IRS didn't work anymore. We only realized there was an issue because the autopilot started turning to the left and right, so it was obvious that something was wrong. After a couple of minutes we got error messages on our FMS regarding GPS, etc. So we had to request radar vectors. We were showing about 80 nm off track. During the event, we nearly entered Iran airspace (OIIX/Tehran FIR) with no clearance."
= A Bombardier Challenger 604 experienced spoofing in the Baghdad FIR and required vectors all the way to Doha. "Nearing north of Baghdad something happened where we must have been spoofed. We lost anything related to Nav and the IRS suggested we had drifted by 70-90 miles. We had a ground speed of zero and the aircraft calculated 250kts of wind. The FMS's reverted to DR (Dead Reckoning) and had no idea where they were. We initially took vectors to get around the corner at SISIN. Nav capability was never restored, so we required vectors all the way from Iraq to Doha for an ILS. We never got our GPS sensors back until we fired up the plane and went back to home base two days later."

Reference: GPS Spoofing Update: Map, Scenarios And Guidance
Victim: Aircraft en route across Middle East airspace

Aircraft en route across Middle East airspace

Reference: Flights Misled Over Position, Navigation Failure Follows
Incident: Fake GPS Signals in Middle East Lead Multiple Aircraft Astray

GPS spoofing from an unknown source in the Iraq-Iran area is causing complete navigation system failures in some overflying airliners and business jets. GPS spoofing is "the surreptitious replacement of a true satellite signal that can cause a GPS receiver to output an erroneous position and time".

This novel attack, in which the spoofed GPS position also corrupted the GPS-aided IRS, caused over 20 aircraft to lose navigation capability entirely near restricted airspace and produced unintended deviations from flight paths in the corridor between Iran and the UM686 airway in NW Iraq. As a result, one business jet almost strayed into Iranian airspace without clearance, jeopardizing the safety of hundreds of lives. Civil GNSS signals are unencrypted and unauthenticated, and receivers were never expected or designed to cope with this threat.
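
Several of the symptoms reported on this page (a position jump of hundreds of miles within minutes, a reported groundspeed of zero alongside 250 kt of "wind", GPS disagreeing with dead reckoning) are mechanically checkable. The following is an added example, not avionics vendor code and not from OPSGroup: it runs those plausibility checks over a constructed three-fix track in which the third fix is spoofed. The thresholds, the sample track and the field names are assumptions made for the demo.

```python
# Added illustration of GNSS plausibility checks against the failure signatures
# reported above. Example code only; thresholds and the track are constructed.
from __future__ import annotations
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Fix:
    t_s: float          # seconds since start of the track
    lat: float          # GNSS latitude, degrees
    lon: float          # GNSS longitude, degrees
    gnss_gs_kt: float   # groundspeed as derived by the GNSS receiver
    tas_kt: float       # true airspeed from air data, independent of GNSS
    dr_lat: float       # dead-reckoning position from heading + TAS + last good fix
    dr_lon: float


def flat_dist_nm(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Equirectangular distance in nautical miles; adequate for legs of a few hundred nm."""
    dlat = (lat2 - lat1) * 60.0
    dlon = (lon2 - lon1) * 60.0 * math.cos(math.radians((lat1 + lat2) / 2.0))
    return math.hypot(dlat, dlon)


def spoof_indicators(prev: Fix, cur: Fix, max_gs_kt: float = 650.0,
                     max_wind_kt: float = 200.0, max_dr_gap_nm: float = 20.0) -> list[str]:
    """Flags raised by one fix relative to the previous one (assumed thresholds)."""
    flags: list[str] = []
    dt_h = (cur.t_s - prev.t_s) / 3600.0
    if dt_h > 0:
        # No civil aircraft covers hundreds of nm in one minute: a 225 nm "relocation"
        # shows up as an implied speed far above any plausible groundspeed.
        implied_kt = flat_dist_nm(prev.lat, prev.lon, cur.lat, cur.lon) / dt_h
        if implied_kt > max_gs_kt:
            flags.append("position_jump")
    # GS minus TAS is roughly the along-track wind; "zero groundspeed, 250 kt wind"
    # at cruise airspeed is not credible.
    if abs(cur.gnss_gs_kt - cur.tas_kt) > max_wind_kt:
        flags.append("implausible_wind")
    # Dead reckoning consumes no GNSS, so a large gap points at the GNSS side.
    if flat_dist_nm(cur.lat, cur.lon, cur.dr_lat, cur.dr_lon) > max_dr_gap_nm:
        flags.append("gnss_dr_disagree")
    return flags


def scan_track(fixes: list[Fix]) -> list[tuple[int, list[str]]]:
    """Return (index, flags) for every fix that raises at least one indicator."""
    out: list[tuple[int, list[str]]] = []
    for i in range(1, len(fixes)):
        flags = spoof_indicators(fixes[i - 1], fixes[i])
        if flags:
            out.append((i, flags))
    return out


# Constructed track: eastbound cruise at ~450 kt along 33N, one fix per minute.
# The third fix is a spoofed position near 32.0N 34.9E (Tel Aviv area, as in the
# reports) with zero groundspeed, while dead reckoning continues along track.
SAMPLE_TRACK = [
    Fix(0,   33.0, 44.000, 450.0, 440.0, 33.0, 44.000),
    Fix(60,  33.0, 44.149, 450.0, 440.0, 33.0, 44.149),
    Fix(120, 32.0, 34.900,   0.0, 440.0, 33.0, 44.298),
]


if __name__ == "__main__":
    for idx, flags in scan_track(SAMPLE_TRACK):
        print(f"fix {idx}: {', '.join(flags)}")
```

Because the reports say the GPS-aided IRS positions were corrupted as well, the independent reference here is pure dead reckoning from heading and true airspeed, which does not consume GNSS at all; in practice that is also the position a crew falls back to while requesting radar vectors.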

Reference: Someone In the Middle East is Leading Aircraft Astray by Spoofing GPS Signals
Reference: DGCA cautions airlines against fake navigational signals
Incident: Operational Slowdown after Hack at French BBQ Manufacturer

French BBQ manufacturer Somagic was hit over the weekend by MedusaLocker ransomware, halting production. Employees arriving at work on Monday morning found all IT systems unusable: every file had been encrypted and given a ".medusa" extension.

Reference: The Bressan company Somagic victim of a large-scale cyber attack
Victim: Somagic

French BBQ manufacturer Somagic

Incident: Data Breach at French Trèves Group Claimed by Lockbit Ransomware Gang

The LockBit ransomware group added Trèves Group, a supplier of acoustic and thermal solutions based in France, to its victim list, claiming to hold 250 GB of company data.

Victim: Trèves Group

Trèves Group is a global, family-owned automotive supplier that designs and manufactures acoustic and thermal insulation solutions for the automotive industry.

Reference: Logistics, a sector of choice for cyberattacks?
Reference: FalconFeed on X: Treves Group Data Breach
Incident: Complicated Situation for Management at French Prison as CyberAttack cuts Power

Since Wednesday January 11, the remand center has been plagued by computer problems that have caused significant electrical malfunctions. "A virus was installed in the system via a USB key used by a teacher who was giving a lesson to inmates that day," confirms Julien André, CGT staff representative within the prison. The computer system was shut down.

The prison was without power last weekend. "Friday evening, the fuses blew, cutting off all the electricity supply to the jail (sic)," says Julien André, who was on duty that day. "No more light, no more surveillance cameras." A complicated situation for the management of the establishment, which had to call in numerous reinforcements.

Victim: Draguignan prison (Maison d’arrêt de Draguignan)

The new Draguignan prison (Maison d'arrêt de Draguignan)

Reference: Draguignan prison victim of a computer virus
Incident: Bay & Bay Transport, MN Hit by Ransomware Attack a 2nd Time

Bay & Bay Transport was targeted by the Conti ransomware gang. Wade Anderson, Bay & Bay's chief information officer, chief technology officer and head of marketing, said the ransomware affected only some of its systems and "a small minority" of desktop computers, but that everything was shut down as a precaution. The company, he said, had measures in place to minimize the impact and was able to return to "90% functionality" within about a day and a half.

In contrast to its response to the 2018 attack, Bay & Bay refused to pay. Anderson said the company was in a better position to recover on its own instead of paying the criminals for the key to decrypt its data.

Threat Actor: Conti group

Conti group — a so-called ransomware as a service provider — provides malware, an extortion platform and support to affiliates, who get a percentage of the payments made by victims. Conti has been linked to hundreds of attacks, including multiple U.S. transportation and logistics companies.

Reference: Minnesota trucking company hit in 2nd ransomware attack
Reference: Black Basta Ransomware Victim Gates Corporation
Reference: Ransomware gang Lockbit attacks Zalando’s logistics service provider
Reference: Staff at security firm G4S on alert after tax numbers and bank details posted online following hack

Incident: Operational Impact at Electronics Company Alps Alpine Group

Alps Alpine's North American production and delivery operations were impacted by a ransomware incident on its systems. The company promptly cut the network connections of the infected servers and other devices and reported that it is "still working to restore equipment and production functions. At present, with the exception of our production bases in Mexico, we have resumed production and delivery with alternative methods for system failures."

North American employee data was reportedly leaked.

This follows on the heels of a separate attack on July 6, 2023, where an attack exfiltrated data on 16,000 employees.

Reference: Cyber Incident Victim: Alps Alpine Group
Victim: Alps Alpine Group

Alps Alpine Group (Alpine Electronics, Inc., Alps Electric Co., Ltd.) is a Japanese multinational corporation, headquartered in Tokyo, a leading manufacturer of electronic components and automotive infotainment systems.

Reference: Cyber attack on our group companies
Reference: Press Release 2nd Update: Cyber attack on our group companies
Reference: PRESS RELEASE: Cyberattacks on Our Group Companies
Incident: Operations Disrupted at Montpellier Airport after Weekend Cyberattack

Montpellier airport suffered a major cyberattack during the night from Saturday to Sunday, which disrupted its activities. All flights on Sunday operated, although with delays. The airport expected flights to be "back to normal between this Sunday evening and tomorrow Monday," with the internal operating systems of the various services returning to their usual functioning "during the week".

Victim: Montpellier Airport

Montpellier Airport

Reference: “Our systems were out of order for several hours”: a “very violent” cyberattack against Montpellier airport
Incident: Giant North American Freight Forwarder Livingston Hit by Ransomware Attack

Livingston, a giant North American freight forwarder and customs broker, stopped operating at the US-Canada border for two business days after being breached by the Royal ransomware gang. Operations resumed after two days, but Royal had exfiltrated both customer and employee data. A post by Royal claimed to hold information on 3,200 employees, 30,000 customers and 125 key border entry points.

Victim: Livingston International

Livingston International provides customs brokerage, trade consulting and international freight forwarding services to importers and exporters

Reference: Royal Ransomware Group Adds Livingston International to Leak Site
Incident: French Cosmetics Factory at Standstill after Cyberattack

A leading European maker of cosmetic aerosols reported that Russian cybercriminals attacked its centralized servers in Germany. According to the company's general manager Ramdane Mansoura, production was shut down for at least 13 days and 300 employees were temporarily laid off, at a cost of €250K per day of lost production.

Victim: Elysée Cosmétiques

Leading European cosmetics manufacturer based in France

Reference: Hacked servers: the Élysée Cosmétiques factory shut down
Incident: Cyberattack at Drug Distributor Alliance Healthcare Impacts Pharmacies in Spain

A cyberattack on one of the main distributors of Catalan pharmacies, Alliance Healthcare, is disrupting medicines supplies, according to the Spanish daily 'El País.' A week later, the company’s website is still completely inaccessible. Alliance Healthcare’s billing systems and ordering processes are also in utter chaos, El País’ sources said. Outages led to supply delays, with pharmacies across the northeastern Catalonia region seeing the biggest impact.

While the affected company is one of the leading distributors to Catalan pharmacies, the industry has been able to cope with medicines supplies as they work with different distribution companies.

Victim: Alliance Healthcare

Alliance Healthcare is the fourth largest pharmaceutical distributor in Spain, with a market share of more than 10%.

Reference: Cyberattack on main distributor of pharmacies disrupts medicines supplies
Reference: Cyberattack hits Spanish pharmaceutical company Alliance Healthcare
Reference: Cyberattack cripples Spanish drug giant Alliance Healthcare
Incident: Weekend DDoS Attack on 400 Nepal Government Sites, Airport Most Affected

More than 400 Nepal government websites went down for hours on Saturday, disrupting services and inconveniencing thousands of passengers at Kathmandu airport, and exposing how vulnerable the government's domains are to attack.

Hackers appear to have targeted the government’s only central data bank at the Government Integrated Data Centre (GIDC) with a ‘Distributed-Denial of Service’ attack, possibly from abroad, and knocked out most government ministry websites, including the database of the Department of Immigration as well as Passports.

The greatest disruption was at the airport where chaotic queues began forming at the immigration desks both at the arrival and departure areas.

Many international flights, including those to Delhi, Mumbai, Bangalore, Kuala Lumpur and Doha were delayed by up to three hours. There were serpentine queues at the arrival concourse as the visa machines and consoles at the immigration desk went out of action.

Victim: Nepal Government Sites

Nepal Government Sites

Reference: Open season on hacking into
Incident: Operations Disrupted at Italian Clothing Giant Benetton

Renowned Italian clothing company the Benetton Group reportedly faced a cyberattack from an unknown threat group. The attackers hit Benetton's online sales platform as well as the automated system of the newly opened Castrette di Villorba warehouse.
Workers were sent home and logistics operations were impaired.

Victim: United Colors of Benetton

Italian clothing manufacturer, globally distributed

Reference: United Colors of Benetton's Italy Nerve Centre Suffers Cyber Attack
Incident: Iranian Oil Terminals Offline after Malware Attack

Iran has been forced to disconnect key oil facilities after suffering a malware attack on Sunday, say reports.

The computer virus is believed to have hit the internal computer systems of Iran's oil ministry and its national oil company. Equipment on Kharg Island and at other Iranian oil plants has been disconnected from the internet as a precaution. Oil production had not been affected by the attack, said the Mehr news agency. However, the attack is believed to have been responsible for knocking the websites of the Iranian oil ministry and national oil company offline.

Victim: Kharg Island, Iranian Oil Terminal

Kharg Island, Iranian Oil Terminal

Malware: Flame

Flame, also known as Flamer, sKyWIper, and Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is used for targeted cyber espionage in Middle Eastern countries.

Reference: Attacks on Iranian oil industry led to Flame malware find
Reference: Iranian oil terminal ‘offline’ after ‘malware attack’
Incident: MGM Shuts Down Operations for 10 Days Across Las Vegas Properties

A major cyberattack disrupted the operations of MGM Resorts in Las Vegas. The attack forced MGM to shut down significant portions of its internal networks, affecting many of its services. Guests at MGM's hotels and casinos, including the Bellagio, Aria and Cosmopolitan, reported widespread disruptions.

The attackers gained access by socially engineering an MGM employee identified through social media. MGM did not pay the ransom.

Victim: MGM Resorts International

MGM Resorts International is an American hospitality and entertainment company that operates hotels and casinos in Las Vegas and elsewhere, including the Bellagio, Aria and Cosmopolitan. It is a separate company from the Metro-Goldwyn-Mayer film studio.

Threat Actor: Scattered Spider

Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs

Reference: MGM Resorts breached by ‘Scattered Spider’ hackers
Reference: Hackers Behind MGM Cyberattack Thrash The Casino Incident Response
Incident: Contractor inserts Cyber “Time Bomb Attack” in Firmware of Orqa Drone Goggle

A contractor named Swarg planted a time bomb in the firmware of Orqa's FPV.One V1 first-person-view (FPV) drone goggles, causing product failures. The malicious code was designed to brick devices once a hard-coded timestamp was reached. Swarg later posted a paid, unauthorized binary firmware fix online as a "license extension and renewal" that would unbrick devices. Orqa stated that this is effectively a ransomware attack by a malicious insider deploying a wiper payload. Analysis shows that Orqa and Swarg have done business together and operate from the same location, suggesting they share offices.

Victim: Orqa

Drone manufacturer

Reference: Drone goggles maker claims firmware sabotaged to ‘brick’ devices
Reference: Drone Goggles Maker Orqa Hit with ‘Time-bomb’ Ransomware Attack
Incident: Disruption at Israel Postal Company after Cyberattack Lasts for 6+ Days

The Israel Postal Company detected that several services, including international mail and courier services, were interrupted, and proactively shut down part of its computer systems. The attack and shutdown did not affect Israel Post's banking services. The attack was part of the #OpIsrael hacktivist campaign.

Reference: Cyberattacks strike Israel Post, irrigation systems
Reference: Cyber attack shutters Galilee farm water controllers
Victim: Israel Postal Company

Israel Postal Company

Incident: Vice Society Disrupts Operations at CommScope and Publishes Employee PII

CommScope suffered a ransomware incident that resulted in "several days of widespread disruption, including plant production," according to employees. Employee PII stolen in the attack was published on the dark web by the Vice Society ransomware gang.

Reference: Network infrastructure provider CommScope investigating data leak following ransomware attack
Reference: Hackers publish sensitive employee data stolen during CommScope ransomware attack
Reference: CommScope employees left in the dark after ransomware attack
Victim: CommScope

CommScope Holding Company, Inc. designs and manufactures network infrastructure products. Based in Hickory, North Carolina. CommScope employs over 30,000 employees.

CommScope has four business segments: home networks, broadband networks, venue and campus Networks, and outdoor wireless networks.

Reference: RansomEXX claims ransomware attack on Sea-Doo, Ski-Doo maker
Incident: Ricardo Defense Suffers Cyberattack

Multi-industry technology provider Ricardo Defense Inc., based in Troy, Michigan, suffered a cyberattack this past October in which personally identifiable information was stolen.
"On October 23, 2023, Ricardo discovered suspicious activity on its network," the company said in a notice. "Ricardo immediately took steps to secure its systems and initiated an investigation into the nature and scope of the event with the assistance of third-party forensic specialists."
"The investigation determined that Ricardo's network was subject to unauthorized access between October 16, 2023 and October 23, 2023, and that certain files were acquired by an unknown actor while on the network," the statement said.

Reference: Cyberattack Strikes Technology Provider
Victim: Ricardo Defense

Ricardo works across eight market sectors: Aerospace & defense; automotive; energy utilities and waste; financial services; government and public sector; industrial and manufacturing; maritime; rail and mass transit. The company provides technological solutions that ensure access to clean air and water; cross-sector engineering solutions to accelerate decarbonized transportation; support for global net zero and industry agendas; and comprehensive expertise in safety, assurance and certification.

Incident: Clothing Provider, V.F. Corp., Hack Hits 35.5M Customers

After suffering a cyberattack on December 13, V.F. Corporation, the global apparel and footwear company founded in 1899, released further details on the incident, which led to some systems being shut down and the personal information of 35.5 million customers being stolen.
On December 13, V.F. detected "unauthorized occurrences" on a portion of its information technology (IT) systems, according to an 8-K document filed with the Securities and Exchange Commission (SEC).
Upon detecting the unauthorized activity, V.F., which brought in $11.6 billion in revenue, immediately began taking steps to contain, assess and remediate the incident, including starting an investigation with leading external cybersecurity experts, activating its incident response plan and shutting down some systems.
As a result of these and other measures, and while its investigation and remediation efforts remain ongoing, the Denver, Colorado-based company believes the threat actor was "ejected" from its IT systems on December 15. V.F. said it has notified and is cooperating with federal law enforcement and the relevant regulatory authorities, and will continue to do so as required under applicable law.

Reference: Clothing Brand, V.F. Corp., Hack Hits 35.5M Customers
Victim: V.F. Corporation

V.F.-operated retail stores, brand e-commerce sites and distribution centers are operating with minimal issues. The company's brands include Vans, The North Face, Timberland, Dickies, JanSport and Kipling, among others.

Incident: Framework Laptop Maker Suffers Cyberattack

San Francisco, California-based Framework, the repairable laptop maker, said hackers phished a worker at its accounting service provider on Tuesday and were able to steal customer data.
Framework sent an email to affected customers explaining what happened during the incident at San Mateo, California-based Keating Consulting, its primary external accounting partner. In the attack, an accountant fell victim to a social engineering attack that resulted in thieves stealing customers’ personal information related to outstanding balances.
The letter from Framework to its customers said:
“Keating Consulting, Framework’s primary external accounting partner, brought to our attention at 8:13am PST on January 11th, 2024, that one of their accountants fell victim to a phishing email that utilized social engineering tactics to obtain customer PII (Personal Identifiable Information) associated with outstanding balances for Framework purchases."

Reference: Laptop Maker Framework Says Customer Data Stolen in Third-Party Breach
Reference: Laptop Maker Hit In Attack
Victim: Framework

Framework is a San Francisco, California-based repairable laptop maker.

Incident: OR Luxury Recreational Vehicle Maker Hit In Cyberattack

Luxury recreational vehicle maker, Marathon Coach, Inc. suffered a cyberattack affecting personal information of some of its customers.
The incident occurred on June 22, but the Coburg, Oregon-based company did not discover it until November 21 and sent letters to its 704 victims on January 3.
“On July 7, 2023, Marathon Coach became aware of unusual activity involving certain systems within our network,” the company said in a letter to its victims. “We promptly isolated the systems and commenced a comprehensive investigation into the nature and scope of the activity.
“The investigation determined that an unauthorized actor was able to intermittently access certain systems between June 22 and July 7, 2023. We undertook a review of the files within the systems in order to identify what specific information was present and to whom it related,” the company said.

Reference: Luxury OR RV Maker Hit In Cyberattack
Victim: Marathon Coach, Inc.

Marathon Coach, Inc. began operations in September 1983 converting new commercial bus shells into luxury recreational vehicles and corporate coaches.

Reference: Shipbuilder Hit In Ransomware Attack
Victim: Fincantieri Marine Group (FMG), LLC

FMG is a medium-sized shipbuilder in the United States that works for civil and government clients, such as the U.S. Navy and the U.S. Coast Guard.

Incident: Cyberattack at Missouri Window Maker

Freeburg, Missouri-based Quaker Window Products Co. suffered a cyberattack in which an unauthorized actor gained access to personal data stored on its network.
The November 25 attack affected a total of 10,988 individuals.
"On November 25, 2023, Quaker experienced a network disruption and immediately initiated an investigation of the matter," the company said in a notice sent to customers. "Quaker engaged cybersecurity experts to assist with the process. The investigation revealed that an unauthorized actor had access to certain files from the Quaker network on or about November 25, 2023."

Reference: MO Window Maker Hit In Attack
Victim: Quaker Window Products, Co.

Headquartered in Freeburg, MO, Quaker Windows & Doors is a manufacturer of residential and commercial window and door products in the United States.

Incident: Hackers Accessed Customer Information at Toyota Kreditbank Germany

Toyota Financial Services (TFS) is warning customers it suffered a data breach, stating that sensitive personal and financial data was exposed in the attack. Earlier this month, Toyota Kreditbank GmbH in Germany admitted that hackers gained access to customers' personal data.

German news outlet Heise received a sample of the notices sent by Toyota to German customers, informing that personal information, including leasing and bank account information has been compromised. However, the internal investigation isn't complete yet, and Toyota promises to promptly update affected customers should the internal investigation reveal further data exposure.

Reference: Toyota warns customers of data breach exposing personal, financial info
Victim: Solar Industries Limited India

Explosives manufacturer Solar Group and top private Indian defense contractor

Incident: Hackers Target Indian Defense Explosives Manufacturing Contractor, Solar Industries Limited India

The parent company of a private defence ministry contractor manufacturing explosives, Solar Industries Limited India, has been the target of a ransomware attack, a government official said, in an incident that experts said could pose a threat to security if documents were leaked. “The government is investigating the extent of the data compromised and the source of the attack.” an official familiar with the matter said, asking not to be named. The official could not confirm if a ransom demand had been made so far, or whether data was stolen by the attackers.

A listing on the dark web by a group that calls itself Black Cat (Alphv) claimed to have stolen two terabytes of data. BlackCat published images of the stolen documents and pictures taken from the company’s security cameras as proof of the hack. The claims, however, could not be independently verified by HT.

Reference: CBI may probe ransomware attack on Nagpur’s ammo maker
Reference: Defence ministry contractor’s parent firm faces ransomware attack
Incident: Haynes International Cyberattack Estimated Cost is $18-$20 Million

On June 10, 2023, the Company began experiencing a network outage indicative of a cybersecurity incident.
Various aspects of the Company’s networks were down.

On June 21, 2023, less than 2 weeks after the incident began, the Company announced that all manufacturing operations were running and that it had substantially restored administrative, sales, financial and customer service functions. Nevertheless, during those 11 days many aspects of the Company’s production were substantially disrupted.

Victim: Haynes International, Inc

Haynes International, Inc. is a leading developer, manufacturer and marketer of technologically advanced, high performance alloys, primarily for use in the aerospace, industrial gas turbine and chemical processing industries.

Reference: Haynes International Provides Cybersecurity Update and Estimated Third Quarter Financial Impact
Incident: Cyberattack Hits Multiple Sites of Pharmaceutical Virbac Group

The Virbac Group was the target of a cyber attack on several of its sites worldwide during the night of June 19-20. "As soon as we became aware of the attack, we immediately took steps to contain it. At the same time, we set up a crisis unit including dedicated cybersecurity experts to assess the impact on our systems and organize remediation operations."

"As a result of this attack, we are currently experiencing a slowdown or temporary interruption of some of our services."

Reference: Cyber attack on several sites
Reference: Virbac : Cyber attack on several sites
Victim: Virbac

French animal health pharmaceutical company Virbac

Incident: German Milk Producer Affected by Cyberattack

A statement from SCHWÄLBCHEN MOLKEREI AG says the company is affected by a cyber attack in some areas of the IT infrastructure. Due to the attack, the company's accessibility is currently impaired. Current production and logistics are not affected. Work is underway to fully restore the systems.

It is unclear to what extent company data was obtained by unauthorized third parties.

Reference: Cyber attack on Schwälbchen
Victim: Schwälbchen Molkerei AG

German milk producer

Reference: Schwälbchen Molkerei Jakob Berz AG: IT security incident
Incident: Cyber Incident at Coca Cola Mexico

In a statement, Coca-Cola FEMSA said the company is working with experts on measures to prevent an adverse impact on its information technology applications. While those measures are being implemented, the company expects to continue operations through back-up procedures and will prioritize protecting the integrity, confidentiality and availability of its information.

A forensic assessment is currently underway to determine the scope of the cyber incident.

Reference: Coca Cola Cybersecurity incident
Incident: Cyberattack at Super Bock Brewery Affects Operations

The Super Bock Group has been the target of a cyber-attack that is causing disruption to its IT services, with constraints on regular operations, particularly service levels.

The situation is causing major restrictions in its operation to supply the market with some of its products, in the different sales channels.

The company immediately activated the necessary security protocols and informed the competent authorities, and also put in place a contingency plan to restore normal market supply conditions.

The Super Bock Group regrets the possible inconvenience caused to all its customers and suppliers, and thanks its partners for their expressions of solidarity and support on this date.

Reference: Super Bock Group targeted by cyber attack
Victim: Super Bock Group

Super Bock Group, a brewery based in Portugal

Incident: Lockbit Group Demands Ransom from Colombian Grupo Nutresa

Through a press release, Grupo Nutresa informed that this Thursday a possible ransomware or cyber attack event was identified, which so far has not compromised the integrity of the organization's data, nor the information of its customers, suppliers, consumers and other related groups.

Victim: Grupo Nutresa

Grupo Nutresa, formerly Grupo Nacional de Chocolates S.A., is a food-processing conglomerate headquartered in Medellín, Colombia. The group's principal activities are producing, distributing, and selling cold cuts, biscuits, chocolates, coffee, ice cream and pasta.

Reference: LockBit #ransomware group added Nutresa
Reference: Nutresa confirms that it is the victim of a possible cyber attack.
Incident: Royal Vopak’s Malaysian Oil Storage Complex Hit by Ransomware Attack

Vopak has fallen victim to a ransomware attack in Malaysia by what appears to be the ALPHV Blackcat ransomware group. Vopak informed that its business operations in the Netherlands are not in danger.

“We can confirm that an IT incident has occurred at Pengerang Independent Terminals (PTSB) in Malaysia,” a Vopak spokesperson said. "Unauthorized persons have gained access to our data," Vopak confirms. “The incident is under investigation and we apologize for any inconvenience caused.” The company remains operational. Critical business information was allegedly stolen, including information about the company's fuel infrastructure and systems.

Reference: Ransomware attack on tank storage company Vopak limited to one location
Reference: Dataleak Vopak
Reference: Vopak hit by ransomware
Victim: Royal Vopak N.V.

Dutch tank storage company Royal Vopak N.V.

Incident: Ransomware Attack at Fiege Logistik Italian sites

Fiege Logistik has fallen victim to a hacker attack. With the Lockbit 3.0 ransomware, criminals stole 259 GB of internal data and published some of it on the dark web. The target was Italy and the affected IT systems there were immediately isolated.

“The Fiege Cyber Defense Center recognized a hacker attack on Fiege Italy early on and responded quickly to the attack. The attack impacts a small part of our logistics centers in Italy. Around 15 percent of Italian business is affected," said Fiege. According to Fiege, three locations in Italy were affected by the hacker attack. Two of them have now been able to resume work. The third affected location will also start operations again in the next few days.

Victim: Fiege Logistik

Fiege Logistik offers modular solutions for logistics, digital services, real estate and ventures, all driven by one integrated system.

Reference: Hackers attack Fiege Logistik
Incident: Cyberattack at Puerto Rico’s Water Supply Agency did not Affect Critical Infrastructure

The agency that manages Puerto Rico’s water supply has called in the FBI to investigate a cyberattack that occurred last week. The investigation into the attack on the Puerto Rico Aqueduct and Sewer Authority (PRASA), which was announced on March 19, found that customer and employee information was compromised in the incident. But officials noted that the authority’s critical infrastructure was not affected by the incident due to network segmentation.

The Vice ransomware gang leaked the passports, driver’s licenses and other documents of the impacted individuals.

Victim: Puerto Rico Aqueduct and Sewer Authority (PRASA)

Puerto Rico Aqueduct and Sewer Authority (PRASA)

Reference: FBI, CISA investigating cyberattack on Puerto Rico’s water authority
Incident: ALPHV/Blackcat Reportedly Demands ‘8 figure’ Ransom from Western Digital

On March 26 hackers breached Western Digital's

Hackers breached data storage giant Western Digital internal network and stole company data. They claim to have stolen around 10 terabytes of data from the company, including reams of customer information. The extortionists are pushing the company to negotiate a ransom — of a “minimum 8 figures” — in exchange for not publishing the stolen data.

The ALPHV ransomware operation, aka BlackCat, has published screenshots of internal emails and video conferences stolen from Western Digital, indicating they likely had continued access to the company's systems even as the company responded to the breach. Western Digital declined to comment regarding the leaked screenshots and claims by the threat actors.

Victim: Western Digital

Western Digital, leaders in digital storage solutions compatible with Mac and PC.

Reference: Hackers leak images to taunt Western Digital’s cyberattack response
Reference: Hackers claim vast access to Western Digital systems
Reference: Western Digital Provides Update on Network Security Incident
Incident: Renewable Energy Company hep global Target of Cyberattack

hep global GmbH recently became the target of a cyber attack. This was detected immediately. Cooperating closely with authorities and external IT security experts, hep was able to ensure business continuity. The investigation into the cyber attack is still ongoing.

The Darkrace ransomware group has claimed responsibility for the hep global data breach, listing the German renewable energy company as its latest victim.

Reference: Hep Global Data Breach: Darkrace Ransomware Group Strikes Renewable Energy Sector
Reference: hep ensures business continuity after cyber attack
Incident: Cyberattack at Electricity Supply Company in Peru

The electricity supply company Sociedad Eléctrica del Sur Oeste (SEAL), in Arequipa, suffered a cyber attack this Monday, April 17. In response, the entity reported that its customer service area, virtual channels, collections and document reception desk were suspended until further notice.

SEAL general manager Paul Rodríguez indicated that those who carried out the attack sought to capture and retain information. However, the security system in place did not allow this.

Victim: Sociedad Eléctrica del Sur Oeste (SEAL)

Electricity supply company Sociedad Eléctrica del Sur Oeste (SEAL), in Arequipa, Peru

Reference: SEAL suffered a cyber attack and suspended all its virtual services
Incident: Ransomware Attack at Indian MPPMC Power Company

Madhya Pradesh Power Management Company (MPPMC), which oversees the management of electricity in the state, has been hit by a ransomware attack. The state-run entity said on Sunday that it has approached police after a ransomware attack on May 22 that crippled the internal information technology system used for communication among its different functionaries.

A source familiar with the incident told PTI that those behind the ransomware attack had not sought money as yet but had provided email IDs to contact them.

Victim: Madhya Pradesh Power Management Company (MPPMC)

Madhya Pradesh Power Management Company (MPPMC) - oversees the management of electricity in the state Madhya Pradesh, India

Reference: MP power mgmt co hit by ransomware
Reference: Madhya Pradesh power management co’s IT system hit by ransomware attack
Incident: Databreach at German Manufacturer Laremo GmbH

Laremo GmbH was hit by a ransomware attack on February 5. A statement issued on the company's website says that its customer database and financial accounting data were compromised.

The LockBit ransomware group claimed responsibility for the attack and uploaded the company’s data on their dark web site on February 19.

Reference: LockBit 3.0 Ransomware Victim: laremo[.]de
Reference: Laremo Cyber Incident Notice
Victim: Laremo GmbH

German steel special vehicle equipment producer

Reference: Just received an email from @Hyundai_Italia
Incident: Databreach Impacts Italian and French Hyundai Car Owners

Hyundai has disclosed a data breach impacting Italian and French car owners and those who booked a test drive, warning that hackers gained access to personal data. It is unclear how many Hyundai customers this incident impacts, how long the network intrusion lasted, and what other countries might be affected.

BleepingComputer has contacted Hyundai to learn more about the security incident.

Victim: Hyundai

Hyundai is a multinational automotive manufacturer selling over half a million vehicles per year in Europe, with a market share of roughly 3% in France and Italy.

Reference: Hyundai data breach exposes owner details in France and Italy
Incident: All Rosenbauer Group Locations Affected by Ransomware Attack claimed by Lockbit

The Rosenbauer Group is currently the target of a cyber attack. As a precautionary measure, parts of the IT infrastructure were switched off. The measures affect all Rosenbauer locations. The Rosenbauer Group is one of the world’s three largest manufacturers of fire-service vehicles and firefighting equipment.

The exact extent and duration of the attack as well as its consequences cannot yet be estimated. An immediately established task force is working with external cybersecurity experts and data forensics to restore system operations safely and as quickly as possible. According to current knowledge, neither customer nor company data was stolen or encrypted. The responsible authorities were called in.

The LockBit 3.0 ransomware group listed the company as one of its victims.

Victim: Rosenbauer Group

The Rosenbauer Group is one of the world’s three largest manufacturers of fire-service vehicles and firefighting equipment, based in Leonding, Austria. Rosenbauer supplies the fire fighting sector in over 100 countries with a wide range of custom fire and rescue apparatus and services.

Reference: LockBit 3.0 Ransomware Victim: rosenbauer[.]com
Reference: Cyber attack on Rosenbauer Group
Reference: Suspected ABB hackers are also behind the attack on Bobst
Incident: Operations Disrupted at Machine Manufacturer Bobst

Bobst, the Vaud-based machine manufacturer, suffered two targeted cyberattacks over Easter weekend. Emergency measures had to be taken to protect critical IT systems by isolating them. This resulted in production, customer service and research and development operating in degraded mode.

Work gradually resumed at the group's various global sites between April 12 and 18, while the systems were reconnected. The calmer holiday period helped smooth out the impact.

Victim: Bobst Machine Manufacturer

Swiss manufacturer of packaging machines with 6,100 employees around the world

Reference: Bobst resists two computer hacks
Reference: ‘Total system shutdown’ as Ghana hit by countrywide power blackout
Victim: Porsche

Reference: Porsche South Africa suffers ransomware attack
Incident: Cyberattack at German Packaging Manufacturer Storopack

German packaging manufacturer Storopack recorded a cyberattack on March 21. The company was not reachable by email and limited by phone. Its website was unaffected, but its online store was unavailable.

Although there may have been some delays in delivery, Storopack worked at full speed to maintain its ability to deliver. Production and delivery capability were not interrupted at any time.

Reference: Notice of Business Ransomware Attack
Victim: Storopack

German packaging manufacturer Storopack

Incident: Hahn Group Shuts down Network and Systems after Cyberattack

The HAHN Group was attacked by hackers last week. Therefore, all systems were switched off as a precautionary measure.

"As you are aware, on March 17 2023, we suffered a cyber incident affecting our networks and systems. Our IT team responded to this attack quickly and was able to stop it. Among other things, this meant that all systems had to be shut down for security and containment purposes. Since Monday, March 27 2023, we are able to start to ramp-up our operations again. This included re-installation of our infrastructure in a clean environment and leveraging our back-up systems. ....getting everything back online and operational will, we anticipate, continue throughout April."

Reference: Automation specialist affected by cyber attack
Reference: Update | Cyber Attack | 2023/04/06
Victim: HAHN Group

HAHN Group, an industrial automation and robotics company headquartered in Germany

Incident: Cyberattack at French Manufacturer Groupe SEB

Groupe SEB's IT teams detected an attempt to exploit a vulnerability. After investigations, an intrusion in the Information System has been confirmed. The necessary measures have been taken to limit the effects of this intrusion.

To date, and after extensive research, Groupe SEB has not identified any data leakage or damage to information systems. The incident is currently undergoing a detailed analysis to investigate its origins and to reinforce existing security measures.

Reference: A security incident has been detected on one of Groupe SEB’s IT networks, without any material impact on operations.
Victim: Groupe SEB

Groupe SEB, a French manufacturer of household appliances

Incident: Gates Industrial Corporation Temporarily Takes Systems Offline

On February 11, Gates Industrial Corporation plc, a US manufacturer of fluid power and power transmission technology, determined that it was the target of a malware attack. The attack affected certain of the company’s IT systems, and as part of its containment efforts, the company suspended the affected systems and elected to temporarily suspend additional systems. These suspensions resulted in the temporary inability of most of the facilities to produce and ship products.

"Anytime you shut down the majority of operations at a global company, it’s a big deal," an executive says.

Reference: Gates Corporation hit by ransomware
Reference: Gates Corp. recovers from cyberattack that shut down most of its systems
Victim: Gates Industrial Corporation plc

Gates Industrial Corporation plc, a US manufacturer of fluid power and power transmission technology

Reference: Cyber Security Incident
Reference: Press Release
Incident: ALPHV Group Hacks Belgian Secure Access Control Manufacturer Automatic Systems

On June 3, 2023, Belgium’s Automatic Systems uncovered a ransomware attack, which has now been claimed by the notorious ALPHV group. The cybercriminals specifically targeted a segment of the company’s servers, as confirmed by a notification prominently displayed on the company’s homepage.

ALPHV cybercriminals claimed they stole sales data and logistics information, and that they had access to confidential documents pertaining to NATO and to the procurement of equipment for military companies, including installation schemes and data about security equipment.

Victim: Automatic Systems

Belgium-based security system supplier

Reference: ALPHV Claims the Automatic Systems Ransomware Attack
Incident: Austrian Laboratory Instruments Manufacturer Hacked via Phishing Emails

The Austrian manufacturer of laboratory instruments and process measuring systems fell victim to a ransomware attack initiated via phishing emails received on April 6.

The website states: "On April 19, the attackers encrypted approximately 10% of the company’s internal PCs and servers. The company immediately took most of its systems and services offline worldwide and worked with the highest priority to get its IT systems up and running again. The cybersecurity incident resulted in the unauthorized disclosure of personal data in some instances."

The Black Basta ransomware group added Anton Paar to the victim list on its dark web site.

Reference: Information about the April 2023 cybersecurity incident
Malware: Phishing Attack

Phishing Attack

Victim: Anton Paar Group

Austrian manufacturer of laboratory instruments and process measuring systems

Reference: BERNINA International hacked: ALPHV Ransomware Group Strikes the Sewing Machine Manufacturer
Incident: Swiss-based Bernina International Reports Cyberattack

Swiss-based Bernina International AG, a leading manufacturer of sewing and embroidery machines, reported that it fell victim to a cyberattack after being added to the victim list of the ALPHV ransomware group.

The group claims to have gained access to vast data, including customer, client, and employee data, NDA contracts, and drawings.

The attack’s impact has been felt in the company’s offices in Switzerland and Thailand, with tapes and NAS wiped clean. Additionally, the attackers successfully encrypted seven Hyper-V.

Reference: Cyber attack on BERNINA International AG
Victim: Bernina International AG

Swiss-based Bernina International AG, a leading manufacturer of sewing and embroidery machines

Incident: Lighting Manufacturer, Lumila, Announces ‘Massive Ransomware Attack’

French lighting manufacturer Lumila was one of the victims of a ransomware attack on February 3 that targeted several French hosting companies, including Scaleway and OVHCloud. Lumila provides services to the French railways. All services were restored and operational at the time of the announcement [Feb 8].

Victim: Lumila

French lighting manufacturer Lumila, provides services to the French railways

Reference: Press release: Lumila hit by massive ransomware attack
Incident: Sites Down Worldwide after Cyberattack at Stamp Manufacturer

TroGroup, based in Wels, has become the target of a cyber attack. A large part of the Group’s central IT services was temporarily unavailable at numerous locations worldwide. Emergency operations were activated immediately after the incident became known and it was possible to ensure continued service and to avoid any disadvantages for our customers and suppliers in the best possible way. After the immediate preventive shutdown of the system landscape and thorough forensic system analyses, a controlled reconstruction is now underway.

Reference: TroGroup has become the target of a cyber attack
Victim: Trodat, Inc.

Trodat, Inc. is an Austrian multinational company which claims to be the world's largest manufacturer of rubber stamps. Trodat has its company headquarters in Wels, Austria.

Incident: Bartec Top Holding Announces Data Breach

Bartec TOP HOLDING GmbH disclosed a cyber incident on its website: "In the past days, an unauthorized data access attempt was undertaken on parts of BARTEC's IT infrastructure. This attempt was largely prevented by our own security systems. We immediately checked our existing IT infrastructure and have not identified any new attempts at unauthorized data access since then."

The attack was claimed by Hunters International Ransomware Group.

Victim: BARTEC Top Holding GmbH

BARTEC Top Holding GmbH operates as holding company. The Company, through its subsidiaries, provides explosion-resistant switching and signaling gear including stainless steel enclosures and controls, as well as gas detection systems. BARTEC Top Holding serves chemical, petrochemical, and pharmaceutical companies worldwide.

Reference: Information about possible data access
Reference: Hunters International Ransomware Victim: Austal USA
Incident: US DoD Contracted Shipbuilding Company Austal USA Confirms Ransomware Attack

Austal USA confirmed that it suffered a cyberattack and is currently investigating the impact of the incident. Austal USA is a shipbuilding company and a contractor for the U.S. Department of Defense (DoD) and Department of Homeland Security (DHS). The Hunters International ransomware and data extortion group claimed to have breached Austal USA and leaked some information as proof of the intrusion. Austal USA did not share whether the threat actor was able to access data about engineering schematics or other proprietary U.S. Navy technology.

Hunters International emerged recently as a ransomware-as-a-service (RaaS) operation. The group is believed to be a rebrand of the Hive ransomware gang, a theory based on overlaps in the malware code.

Threat Actor: Hunters International

Hunters International emerged recently as a ransomware-as-a-service (RaaS) operation and is believed to be a rebrand of the Hive ransomware gang, a theory based on overlaps in the malware code.

The group denied the allegations, though, saying that they are a new operation that purchased the encryptor source code from the defunct Hive. According to the threat actor, encryption is not the end goal of their attacks, as their focus is on stealing data and using it as leverage to extort victims into paying a ransom.

At the moment, the gang's data leak site lists well over a dozen victims in different sectors and from various regions of the world.

Reference: Navy contractor Austal USA confirms cyberattack after data leak
Incident: Florida Water Agency Confirms it Responded to Cyberattack

A regulatory agency in Florida that oversees the long-term supply of drinking water confirmed that it responded to a cyberattack over the last week as the top cybersecurity agencies in the U.S. warned of foreign attacks on water utilities.

A spokesperson for the St. Johns River Water Management District, which works closely with utilities on water supply issues, confirmed that it “identified suspicious activity in its information technology environment” and that “containment measures have been successfully implemented.”

Victim: St. Johns River Water Management District, Florida

St. Johns River Water Management District, Florida.
Most of the work by the St. Johns River Water Management District is centered around educating the public about water conservation, setting rules for water use, conducting research, collecting data, restoring and protecting water above and below the ground, and preserving natural areas.

Reference: Florida water agency latest to confirm cyber incident as feds warn of nation-state attacks
Incident: Phishing Attack at Hershey Company Compromised PI of 2,214 people

A cyberattack that targeted The Hershey Company may have compromised the personal data of 2,214 people, the company revealed in December. The data breach was the result of an email phishing attack. The data that may have been compromised includes first and last names, health and medical information, dates of birth, financial account information, debit and credit card data and related access codes.

Reference: Cyberattack on Hershey Company left hackers with access to personal data
Incident: Ransomware Attack at Central Virginia Transit System

The organization that runs the transit system for central Virginia dealt with a computer network disruption due to a cyberattack around the Thanksgiving holiday. A spokesperson told Recorded Future News that around Thanksgiving they experienced a network disruption that “temporarily impacted certain applications and parts of the GRTC network.”

The Play ransomware gang took credit for the attack and gave GRTC until December 13 to pay an undisclosed ransom.

Victim: Greater Richmond Transit Company (GRTC)

The Greater Richmond Transit Company (GRTC) provides bus and specialized transportation services for millions of people across Richmond, Chesterfield and Henrico Counties.

Reference: Central Virginia transit system affected by cyber incident
Incident: Cyberattack and Potential Data Breach at Nissan Oceania

Japanese automobile manufacturer Nissan announced that its Australia and New Zealand arm suffered a significant cyber security incident that affected the company’s daily operations. The company informed customers of its Nissan Oceania division of a potential data breach, warning them that there is a risk of scams in the upcoming days. The company did not share details about the attack or its scope. The problems suffered by the company suggest that its systems were infected with ransomware.

The carmaker warned that some dealer systems will be impacted, although local dealerships continue to operate.

Reference: Nissan is investigating cyberattack and potential data breach
Victim: Nissan Oceania

Nissan Oceania is a regional division of the famous Japanese automaker that covers distribution, marketing, sales, and services in Australia and New Zealand.

Reference: Guard against cyber-attacks warning, as UK haulier data appears on ‘dark web’
Incident: Lockbit Ransomware Attack Significantly Impacts Owens Group Operations

British logistics company Owens Group has reportedly suffered a significant data security incident. Confidential company data and the sensitive personal information of its drivers, employees, and clients was compromised. LockBit ransomware infiltrated its systems. The ransomware attack has had a significant impact on Owens Group’s day-to-day operations. The encryption of critical files and systems has led to disruptions in logistics planning, supply chain management, and communication channels.

LockBit group says it stole over 700 GB of data. Owens’ data included finance information, such as budget, cash flow, balance sheets, tax returns, project calculations and bank statements, as well as client details including addresses, phone numbers, payment information and contracts, and employees’ personal information like passport scans and contracts.

Owens Group has engaged cybersecurity experts to assess the extent of the breach and work towards a resolution. The company is actively involved in restoring its systems and implementing enhanced cybersecurity measures to prevent future incidents.

Reference: Welsh logistic Owens Group impacted by LockBit ransomware
Reference: LockBit group says it stole over 700 GB of data from British logistics company Owens Group
Victim: Owens Group

British logistics company Owens Group

Reference: Most WSF, WSDOT websites back online after cyber attack
Incident: Online Transportation Information Widely Disrupted at WSDOT

A cybersecurity incident on Tuesday has made key parts of the transportation department’s website, including real-time information, inaccessible, causing major disruptions. While some services have been restored, maps and permits are still down.

While the department's basic website and app are still accessible, most real-time information is not. As a result, the outage has caused major disruptions for anyone trying to track the chronically late ferries or navigate mountain passes as winter approaches. Statewide traffic cameras were restored Thursday morning, but the state's travel map, mobile app, ferry vessel watch and online freight permits remain out of service.

Reference: Cyberattack shuts down WA transportation website, bringing confusion, disruptions
Reference: Cyber Attack Downs Washington State’s Transportation Website
Victim: Washington State Department of Transportation

Washington State DOT

Reference: Chinese hackers allegedly target US infrastructure as ‘Volt Typhoon’
Threat Actor: Volt Typhoon

According to Microsoft, a group known as "Volt Typhoon" has been engaged in espionage and collecting information on behalf of the People's Republic of China for at least two years. To avoid detection, the hackers rely on tools that are already installed or integrated into compromised devices, which they manually operate rather than automate. This approach is commonly referred to as "living off the land."

Incident: Hackers Identified as Chinese Targeting Hawaii Water Utility and Unidentified Oil & Gas Pipeline in US

Chinese hackers are positioning themselves inside critical US infrastructure by targeting careless office workers in a bid to cause 'societal chaos' from within should war break out.
Beijing's military have burrowed into more than 20 major suppliers in the last year alone including a water utility in Hawaii, a major West Coast port and at least one oil and gas pipeline, analysts have revealed. They have bypassed elaborate cyber security systems by intercepting passwords and log-ins unguarded by junior employees, leaving China 'sitting on a stockpile of strategic' vulnerabilities.

"It is very clear that Chinese attempts to compromise critical infrastructure are in part to pre-position themselves to be able to disrupt or destroy that critical infrastructure in the event of a conflict" stated Brandon Wales, executive director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).

As a result of these cyber concerns, the Biden administration introduced mandatory regulations for industries in the oil and gas pipeline sector in summer 2021. Additionally, the Environmental Protection Agency introduced a directive for states to disclose cyber threats within their public water system evaluations in March. After that, three states filed lawsuits against the administration, alleging excessive regulatory control.

Victim: Unidentified Oil & Gas Pipeline

Unidentified Oil & Gas Pipeline

Victim: Hawaii Water Utility

Hawaii Water Utility

Reference: China’s cyber army is invading critical U.S. services
Reference: Chinese-affiliated hacking groups infiltrated critical American infrastructure, including Hawaii water utility and at least one oil and gas pipeline, US officials say
Incident: No Databreach from Cyberattack at Fulcrum Utility Services in UK

Fulcrum Utility Services Ltd, the Sheffield-based multi-utility infrastructure and services provider, says it has recently managed a cyber security incident after detecting unauthorized activity on its network. The activity has now ceased and the company's IT systems have been securely reinstated. It adds that the "majority" of its operations were able to continue; however, access to managerial and system information has been limited and work is still ongoing to correct this. No data was breached during the cyber attack, Fulcrum notes.

"The Board will provide a further update as and when appropriate," the company says.

Reference: Fulcrum Utility Services hit by cyber attack but no data breached
Victim: Fulcrum Utility Services Ltd

Fulcrum Utility Services Ltd, Sheffield-based multi-utility infrastructure and services provider

Incident: Data Breach at Compass Group Italia

A ransomware-type attack recently hit Compass Group Italia. The company manages numerous canteen services in schools throughout Italy. The data that may have been stolen can be sensitive depending on the company branch involved. Compass Group Italia said the company's operations were not compromised. However, the focus of attention is now on data security, with the company working diligently to ensure that any sensitive information is protected.

The Akira group is suspected to be behind the attack.

Reference: Cyber attack on Compass Group Italia: the data of many school canteens also at risk
Victim: Compass Group

Compass Group plc is a British multinational contract foodservice company headquartered in Chertsey, England. It is the largest contract foodservice company in Europe, ahead of Sodexo, employing over 500,000 people.

Incident: Data Breach at Aqualectra Utility in Curaçao

Aqualectra Utilities witnessed a breach of its digital infrastructure. With data soon to be available for download, the Akira ransomware attack on Aqualectra Utility compromised operational files, business documents, and a plethora of payment records. The breach threatens the security and privacy of over 80,000 households and companies relying on Aqualectra’s water and electricity services.

Reference: Detected: Aqualectra Utility falls victim to Akira Ransomware
Reference: Akira Ransomware Strikes Again: Compass Group Italia and Aqualectra Utility Hit by Data Breach
Victim: Aqualectra Utility

Government-owned utility provider in Curaçao

Reference: Medical test company’s ‘serious and systemic failures’ led to cyber-attack, watchdog says
Incident: Town Mayor Criticizes Bluewater Health Hospital on Public Dissemination of Ransomware Attack Information

Bluewater Health appears to be the hardest hit of a group of southwestern Ontario hospitals targeted in the cyber-attack. The affected hospitals said restoration is not expected to be complete until mid-December. Patient records dating back more than 30 years, affecting 267,000 patients, were stolen last month by hackers. All patients treated at its Sarnia Lambton hospitals from 1992 onward were affected by the breach. In addition, the social insurance numbers of about 20,000 people were taken.

Bluewater Health has refused to answer questions about the ransomware attack, instead issuing updated statements on its recovery progress.

Reference: Bluewater Health says 250K patients compromised by cyber attack
Reference: ‘This affected everyone’: Sarnia mayor critical of lack of transparency in Bluewater Health cyber-attack
Victim: Bluewater Health

Bluewater Health is a hospital in Sarnia, Ontario. It was opened October 3, 1896 as Sarnia General Hospital and was the community's first public hospital. In 2010, with extensive renovations to the two existing buildings and construction of a third, it was renamed Bluewater Health.

Incident: Blue Waters Bottling Company Operations Affected by Ransomware Attack

Blue Waters Products Limited is the latest local company to fall victim to a cyberattack. Officials of the company, located at Orange Grove Estate, Trincity, confirmed that their operations had been affected by a ransomware attack. They have not yet determined whether the hacker gained access to data and other sensitive company information.

A screenshot of one of the company’s computers shows a ransom notice warning that Blue Waters’ data will be released on the dark web. Blue Waters CEO Dominic Hadeed said company officials are still assessing the cyberattack and have taken the necessary actions. LockBit3 claimed responsibility for the attack.

“Our automated ordering and delivery capabilities are now back to normal,” he said. “Once we know more about how it happened, we will be communicating internally and with our business partners accordingly.”

Reference: LockBit3 takes responsibility for data breach of BlueWaters bottled water and drinks
Victim: Blue Waters Products Limited

Blue Waters Products Limited, established in 1999 in Trinidad and Tobago, is the preferred brand of bottled purified drinking water in the Caribbean.

Reference: Cybercriminals attack Blue Waters
Incident: Data Breach at B&G Foods in January 2023

On Sunday, February 5, 2023, B&G Foods became aware of a systems intrusion by "an unauthorized third party that was conducting indiscriminate cyber-attacks on businesses world-wide". Employee records were accessed between Jan 23 and Feb 7: name, address, social security number and/or date of birth. "After we shut down the unauthorized access, we implemented additional security measures designed to prevent a recurrence of such an attack and to protect the privacy of B&G Foods’ valued employees and former employees."

Reference: B&G notice of data breach
Victim: B&G Foods

B&G Foods is an American branded foods holding company based in Parsippany, New Jersey. The company was formed in 1996 to acquire Bloch & Guggenheimer, a Manhattan-based producer of pickles, relish and condiments which had been founded in 1889.

Reference: Atlassian urges customers to take ‘immediate action’ to protect against data-loss security bug
Incident: Hackers Exploit Critical Security Hole in Atlassian Software

Software company Atlassian is now saying that a recently disclosed issue is being exploited by hackers using the Cerber ransomware — a ransomware brand thought to be long-defunct. Atlassian CISO Bala Sathiamurthy warned the public on November 3 about the bug, which he said could lead to “significant data loss if exploited.” The company escalated this on November 6, 2023 following evidence of malicious activity, including ransomware attacks.

The Cerber ransomware operation was active between 2016 and 2019. Several ransomware experts said they had not seen the Cerber ransomware used in years.

Threat Actor: Cerber ransomware operation

The Cerber ransomware operation was active between 2016 and 2019 but was seen in 2021 targeting Confluence instances vulnerable to another bug, CVE-2021-26084. At the time, the hackers behind the 2021 campaign targeted victims in China, Germany, and the U.S., demanding 0.04 bitcoin in exchange for the decryptor.

Victim: Atlassian Corporation

Atlassian Corporation is an Australian software company that develops products for software developers and project managers, among other groups. The company is domiciled in Delaware, with global headquarters in Sydney, Australia, and US headquarters in San Francisco.

Reference: Atlassian confirms ransomware is exploiting latest Confluence bug
Reference: Atlassian hit by Chinese state-linked hackers
Reference: Hacker attack on German energy service provider Ista
Incident: Hamburg Airport Website Disabled by DDoS Attack

Hamburg Airport fell victim to a hacker attack on Wednesday. The company confirmed this in response to an inquiry from the Abendblatt. The website was “not always accessible during the day yesterday,” said airport spokeswoman Janet Niemeyer on Thursday. The reason for this was a massive so-called Distributed Denial-of-Service (DDoS) attack, in which a website is flooded with so many requests that its servers crash. Only the accessibility of the website was affected, said Niemeyer. She did not say how long the outage lasted. No other airport services or systems were affected.

Victim: Hamburg Airport

Hamburg Airport, Germany

Reference: Hackers paralyze the website of Hamburg Airport
Incident: Karlsruhe Public Utility Company Claims to Successfully Fend Off Cyberattack

Hackers have managed to break into the Karlsruhe public utilities network. The perpetrators are said to have read passwords and spied out other data. The Karlsruhe public utility company claims to have successfully fended off the cyber attack.

The attackers broke into the computer of a high-ranking municipal utility employee on February 1st and searched the system for hours. This was apparently preparation for a ransomware attack, as the criminals left a note mentioning a three-digit million sum. The Karlsruhe public utility company confirmed the attack to Spiegel, but claims that its supply-related IT was not affected. According to a company spokesman, the malware was unable to spread. The separate systems of the critical infrastructure were also not infiltrated. There was no encryption by ransomware.

Victim: Karlsruhe Public Utility Company

Karlsruhe Public Utility Company

Reference: Hacker attack on Karlsruhe public utilities
Incident: Filstal Energy Supply (EVF) Affected by DDoS Attack on IT Supplier

The Filstal energy supply (EVF) has been struggling with IT problems for several days. The cause is said to be DDoS attacks on its IT service provider imos. “Unfortunately, since March 13th, there have been recurring temporary restrictions and even outages of our services,” said the Göppingen IT service provider on March 27.

Reference: Network attack on IT service provider of the Filstal energy supply
Victim: Filstal energy supply (EVF)

Incident: German Cloud Service Provider Hacked

The hosted Exchange service of the German provider United Hoster suffered a ransomware attack on Saturday (May 20th). "As part of an internal investigation, it was determined that an attacker exploited an unknown vulnerability in Microsoft Exchange to gain access to the Exchange Server," a company spokesman told heise online.

United Hoster is building a new Microsoft Exchange environment into which customers will eventually be migrated so that they can receive the full range of functions again. The company does not provide information about the number of affected customers or mailboxes, as this is a business secret. It is also unclear when United Hoster expects to restore services in the new structure. The company spokesman did not specify which Exchange security gap the attackers were able to abuse.

Victim: United Hoster

United Hoster, a German cloud service provider.

Reference: Ransomware attack: Hosted Exchange by United Hoster offline [translated]
Reference: Ransomware attack on United Hoster
Incident: German Biogas Register Offline Due to Cyberattack

The hosting service provider of the German Energy Agency Dena has fallen victim to a ransomware attack. This led to a failure of the biogas register. All systems were immediately switched off.

Dena has decided to set up the biogas register system on the servers of another external data center operator. “This serves as a safeguard in case the existing server structure could no longer be used,” it says.

Reference: German biogas register offline due to cyber attack
Victim: Deutsche Energie-Agentur (Dena)

The Biogas Register Germany is a platform for standardised and simple documentation of evidence of biogas quantities and qualities in the natural gas grid.

Incident: Dutch Electromagnet Manufacturer Kendrion hit by Cyberattack

The control technology manufacturer Kendrion was hacked. An unauthorized third party gained access to the company's network. The company took all of its systems offline and is relying on an emergency plan to keep operations running. Based on the current status of the investigation, it cannot be ruled out that the perpetrator also obtained company data.

Kendrion's location in Malente was also affected by the attack. Development and sales are currently at a standstill, while production could continue. Kendrion has sent home most of the 300 employees in Malente.

Kendrion issued a statement in September saying it had "fully resumed all operations. The incident has had no significant impact on our customer deliveries and is not expected to have a material impact on the company’s financial results."

Reference: Dutch Magnet Manufacturer Kendrion Hit by LockBit Ransomware Attack
Reference: Kendrion fully resumed operations after cyber security incident
Reference: Hacker attack on Kendrion [translated]
Incident: German Hochsauerland Water and Energy Utilities Ward off Consequences of Cyberattack

The utilities HochsauerlandWasser and HochsauerlandEnergie were hit by a hacker attack. Customer service was “out of operation” for several days. The monthly payments for drinking water, electricity and natural gas deliveries due in October will be collected at a later date.

Neither the supply of drinking water nor the supply of electricity and gas were affected or endangered by the hacker attack at any time.

Victim: HochsauerlandWasser and HochsauerlandEnergie utilities

The utilities HochsauerlandWasser and HochsauerlandEnergie

Reference: Hacker attack on water and energy suppliers
Incident: Cities and Municipalities in North Rhine-Westphalia Offline after Cyberattack

The municipal service provider Südwestfalen IT (SIT) said it was hit by a ransomware attack on the night from Sunday to Monday (October 30). In order to contain the attack, all connections to the data center were severed. This affects 72 member municipalities in South Westphalia. As the regional newspaper Sauerland Kurier reports, it is assumed in the Hochsauerland district that the IT failure will last several days. Most administrations can only be reached by telephone because email traffic is also affected, the report says.

Reference: Hacker attack causes administrative failure in NRW
Victim: Südwestfalen IT

German municipal service provider Südwestfalen IT

Incident: Cyberattack paralyzes systems at Bauer Group AG

The Bavaria-based civil engineering specialist, Bauer Group, was the victim of a cyber attack. Various systems were shut down or switched off as a precautionary measure. The websites were still down on Wednesday. This results in restrictions for the business partners of Bauer companies worldwide.

Update 10 Nov:
Following the attack on the IT infrastructure, the Group’s business can continue in most areas, even with restrictions in one place or another. “Our construction sites in the Geotechnical Solutions and Resources segments are continuing to operate, we can also deliver equipment and Sales and Materials Management can also continue to work. To this end, we have switched many digital processes back to manual processes over the past week. Our solvency has also not been affected by the attack,” says Peter Hingott, Executive Board member of BAUER AG.

However, as there are individual areas of the company that are severely restricted, such as machine production and associated teams, the response in these areas is to reduce working hours and bring forward vacations. There are also plans to use short-time working for these areas where necessary. “What we have achieved in the last two weeks is a great achievement. We continue to ask our business partners for understanding and patience if there are currently delays or problems in our cooperation,” says Peter Hingott.

Reference: BAUER Group became target of an attack on IT infrastructure
Reference: Hacker attack on Bauer AG [translated]
Victim: Bauer AG

The BAUER Group is a leading provider of services, equipment and products related to ground and groundwater. The Group operates a worldwide network on all continents. The operations are divided into three future-oriented segments with a high potential for synergy: Geotechnical Solutions, Equipment and Resources.

Incident: Cyberattack Disrupts Operations at North Texas Water Utility

A water utility in North Texas is dealing with a cybersecurity incident that caused operational issues. North Texas Municipal Water District (NTMWD) provides wholesale water, wastewater and solid waste management services to more than 13 cities in the state. Alex Johnson, director of communications for NTMWD, told Recorded Future News that they recently detected a cyberattack affecting their business computer network.

“Most of our business network has been restored. Our core water, wastewater, and solid waste services to our Member Cities and Customers have not been impacted by this incident. We continue to provide those services as usual,” Johnson said. “Our phone system was also affected by this incident, and we hope to have it back online this week.”

Victim: North Texas Municipal Water District (NTMWD)

With more than 850 employees, North Texas Municipal Water District (NTMWD) provides wholesale water, wastewater and solid waste management services to more than 13 cities in the state, including Plano and Frisco.

Reference: One of North Texas Largest Water Suppliers is Latest Victim of Cyberattack
Reference: North Texas water utility serving 2 million hit with cyberattack
Incident: Killnet Launches DDoS Attacks on EUROCONTROL Website

EUROCONTROL has confirmed that its website has been under attack since April 19 when pro-Russian hackers claimed responsibility for the disruption. This attack has since caused interruptions to the website and web availability. The cyberattack did not disrupt any flight operation.

Russia’s KillNet group claimed to be behind a DDoS attack last weekend targeting Eurocontrol, the European air traffic control organization. A DDoS attack on EUROCONTROL's website could have serious repercussions, with the potential to disrupt air traffic control across Europe.

Victim: EUROCONTROL

EUROCONTROL is a European organization responsible for managing air traffic control across the continent, coordinating commercial traffic between 41 states, including the EU and their national air-traffic control systems. It is based in Brussels, Belgium.

Reference: EUROCONTROL’s Website Attack And Ongoing Cybersecurity Implications
Reference: Eurocontrol hit by a cyberattack
Incident: Toyota T-Connect Source Code Exposed on GitHub for 5 Years

Toyota Motor Corporation customers' personal information may have been exposed after an access key was publicly available on GitHub for almost five years. The T-Connect site source code was mistakenly published on GitHub. The code contained an access key to the data server that stored customer email addresses and management numbers.

Toyota T-Connect is the automaker's official connectivity app that allows owners of Toyota cars to link their smartphone with the vehicle's infotainment system.

Reference: Toyota discloses data leak after access key exposed on GitHub
Incident: Toyota Data Breach for Ten Years Exposes Car Location Data of over 2M Customers

Toyota Motor Corporation disclosed a data breach on its cloud environment that exposed the car-location information of 2,150,000 customers for ten years, between November 6, 2013, and April 17, 2023. "It was discovered that part of the data that Toyota Motor Corporation entrusted to Toyota Connected Corporation to manage had been made public due to misconfiguration of the cloud environment," reads the notice (machine translated). No customers are believed to be at risk of criminals tracking down a user’s car, as they would be difficult to track without knowing a target vehicle’s VIN.

This incident exposed the information of customers who used Toyota's in-car smart service T-Connect for voice assistance, customer service support, car status and management, and on-road emergency help between January 2, 2012, and April 17, 2023.

Victim: Toyota Motor Corporation

Toyota Motor Corporation

Reference: Toyota: Car location data of 2 million customers exposed for ten years
Reference: Toyota data breach exposes 10 years’ worth of data for over 2m customers
Reference: Honolulu Handi-Van Servers Hit By A Cyberattack, Forcing Passengers To Rebook Rides
Victim: Port Authority of Groningen

Groningen, The Netherlands

Victim: Port Authorities in The Netherlands

Port Authority Rotterdam, Groningen, Amsterdam, and Den Helder

Reference: Dutch ports’ websites offline for hours, days due to pro-Russian cyber attacks
Incident: DDoS Attack Took Down the North Sea Port Website

A DDoS attack took down the website of North Sea Port, the company that operates the ports of Vlissingen and Terneuzen in Zeeland and the port of Gent in Belgium. The website was inaccessible for several hours, starting at 8:30 a.m. on Tuesday.

By early afternoon, the attack had been repelled, and the site was up and running again. Work in the port continued as usual; those systems were not affected.

Victim: North Sea Port

North Sea Port operates the ports of Vlissingen and Terneuzen in Zeeland, Netherlands and the Gent port in Belgium.

Reference: Zeeland port website hit by DDOS attack, possibly by Russian hackers
Incident: Dutch Port Authority Websites Bombarded With a DDoS Attack

The Port of Rotterdam, the largest seaport in Europe, reportedly suffered a major cyberattack that knocked off its official website for hours. According to Dutch news agency RTL Nieuws, a group of pro-Russian hackers targeted the Port of Rotterdam’s website and bombarded it with a DDoS attack. The websites of several other Dutch ports, including Groningen, Amsterdam, and Den Helder were also targeted by the threat actors.

While the official websites of the port authorities in Rotterdam, Amsterdam, and Den Helder were offline for several hours, the Groningen Seaport website was offline for the entire weekend. “For us, the website is important because we can inform the public, but we are not dependent on the website,” a spokesperson for the Port of Rotterdam said.

Port authorities also said that no other internal systems were affected by the attack and systems used for handling shipping were not impacted.

The Dutch National Cyber Security Centre repo

Reference: Pro-Russia Hacker Group Claims Major DDoS Attack On The Port Of Rotterdam
Incident: Former Employee Indicted for Water Treatment Plant Attack in CA

A former employee of Discovery Bay Water Treatment Facility in California was indicted by a federal grand jury for intentionally attempting to cause malfunction to the facility’s safety and protection systems. Rambler Gallo, 53, was a full-time employee of a private Massachusetts company under contract with Discovery Bay to operate the town’s water treatment facility. He had an “instrumentation and control tech” role, which he fulfilled between July 2016 and December 2020.

The indictment alleges that Gallo had installed remote control software on his employer’s systems and also his personal computer, which enabled him to monitor instrumentation readings and control the electromechanical processes of the facility.

Victim: Discovery Bay Water Treatment Facility

Discovery Bay Water Treatment Facility in California

Reference: Former employee charged for attacking water treatment plant
Incident: Attack on Swedish Medical Technology Provider Disrupts Municipal British Ambulance Services

Swedish healthcare and medical technology provider Ortivus disclosed a cyber incident that took place on July 18, which affected UK customers using their cloud-hosted MobiMed ePR electronic patient record system. The UK National Health Service (NHS) confirmed the intrusion impacted the ambulance services in several parts of the country, preventing access to patient medical histories by ambulance crews.

Victim: Ortivus

Swedish healthcare and medical technology provider Ortivus

Reference: Cyber attack affects two south England ambulance services
Reference: British ambulances unable to access patient records system following cyberattack
Incident: Cyberattack Affects Platform used by 12 Government Ministries in Norway

The Norwegian government is warning that its ICT platform used by 12 ministries has suffered a cyberattack after hackers exploited a zero-day vulnerability in third-party software.

This platform is used by twelve ministries in the country, except for the Prime Minister's Office, the Ministry of Defense, the Ministry of Justice, and the Ministry of Foreign Affairs. The hackers might have accessed and/or exfiltrated sensitive data from the ICT system, leading to a data breach.

Despite the compromised platform's critical role in the government's daily operations, the recent cyberattack will not necessitate a halt in work activities.

Victim: Norwegian Government

Norwegian Government

Reference: Norwegian government IT systems hacked using zero-day flaw
Incident: Widespread System Outages after Cyberattack at Bermuda Government

A major cyberattack has hobbled government operations in Bermuda, with officials struggling to restore service. “It is clear that this was a sophisticated and deliberate attack that has resulted in unprecedented stress on basic government systems,” Premier David Burt said. The resulting widespread internet outages affected all government agencies and more.

"After the attack that the government is slowly restoring operations after being hit by a “very sophisticated” cyberattack a week ago. An in-depth forensic audit is underway to determine how the attack occurred, and so far, experts have not uncovered evidence that sensitive data was stolen:", Premier David Burt said. He declined to say whether it was a ransomware attack.

All systems were immediately taken offline, and network use was strategically abandoned. The Government’s focus has been on safely restoring system functionality, particularly those systems that support providing services to the public.

Victim: Government of Bermuda

Government of Bermuda

Reference: Cyber-Attack Update from Premier David Burt JP, MP
Reference: Bermuda’s premier attributes system outages to ‘Russia-based’ attackers
Reference: Bermuda premier says ‘sophisticated and deliberate’ cyberattack hobbles government services
Reference: ‘Redfly’ hackers infiltrated power supplier’s network for 6 months
Incident: Data Breach at European Telecommunications Standards Institute (ETSI)

On 27 September 2023 the European Telecommunications Standards Institute (ETSI) reported that hackers have stolen a database identifying its users.
It is not yet clear whether the attack was financially motivated or if the hackers had intended to acquire the list of users for espionage purposes.

Following the incident, ETSI, which is based in the Sophia Antipolis technology park in the French Riviera, said it brought in France’s cybersecurity agency ANSSI “to investigate and repair the information systems.” The nonprofit said the “vulnerability on which the attack was based has been fixed,” although it did not identify the vulnerability.

Victim: European Telecommunications Standards Institute (ETSI)

European Telecommunications Standards Institute (ETSI) based in the Sophia Antipolis technology park in the French Riviera

Reference: Hackers steal user database from European telecommunications standards body
Reference: Cyber attack on ETSI
Incident: Spanish Aerospace Company targeted by North Korean Lazarus Gang

Hackers connected to a notorious group within the North Korean government launched an attack against an aerospace company in Spain, according to researchers at security company ESET. In a report on Friday, researchers said they discovered a campaign by hackers connected to Lazarus — an infamous group that has stolen billions from cryptocurrency firms over the last two years.

The North Korean 'Lazarus' hacking group targeted employees of an aerospace company located in Spain with fake job opportunities to hack into the corporate network using a previously unknown 'LightlessCan' backdoor. The hackers utilized their ongoing "Operation Dreamjob" campaign, which entails approaching a target over LinkedIn and engaging in a fake employee recruitment process that, at some point, required the victim to download a file.

Employees of the unnamed company were sent messages on LinkedIn from a fake Meta recruiter and tricked into opening malicious files that purported to be coding quizzes or challenges. When opened, the files infect a victim’s device with a backdoor that would allow the hackers to conduct espionage, according to ESET.

Malware: LightlessCan malware

The LightlessCan backdoor: ESET says LightlessCan is a successor to BlindingCan, based on source code and command ordering similarities, featuring a more sophisticated code structure, different indexing, and enhanced functionality.

The malware replicates many native Windows commands like ping, ipconfig, netstat, mkdir, schtasks, systeminfo, etc., so it can execute them without appearing in the system console for better stealthiness against real-time monitoring tools. Since those commands are closed-source, ESET comments that Lazarus has either managed to reverse engineer the code or drew inspiration from the open-source versions. Another interesting aspect reported by ESET is that one of the LightlessCan payloads they sampled was encrypted and could only be decrypted using a key dependent on the target's environment.

This is an active protection measure to prevent outside access to the victim's computer, for example, by security researchers or analysts.

This discovery underscores that Lazarus' Operation Dreamjob is not solely driven by financial objectives, such as cryptocurrency theft, but also encompasses espionage goals.

Victim: Unidentified Spanish Aerospace company

Unidentified Spanish Aerospace company

Reference: Lazarus hackers breach aerospace firm with new LightlessCan malware
Reference: North Korean gov’t hackers targeted aerospace company in Spain
Incident: Iranian-Linked Cyber Gang Shuts Down Aliquippa Drinking Water Supply Line Pump

The Municipal Water Authority of Aliquippa said on Saturday that one of their booster stations had been hacked by an Iranian-backed cyber group.
Matthew Mottes, the chairman of the board of directors for the Municipal Water Authority of Aliquippa, confirmed to KDKA-TV that the cyber group, known as Cyber Av3ngers, took control of one of the stations. An alarm went off as soon as the hack had occurred. Mottes added that the station, located on the outskirts of town, monitors and regulates pressure for Raccoon and Potter Townships. He stressed that there is no known risk to the drinking water or water supply. The machine that was hacked uses a system called Unitronics, which is Israeli-owned software or has Israeli-owned components.

Aliquippa workers disabled the affected equipment and are currently working on backup methods of maintaining water pressure to the communities.

Threat Actor: Cyber Av3ngers

The Iranian-backed hacktivist group Cyber Av3ngers has been active since at least 2020.

Victim: Municipal Water Authority of Aliquippa, PA

The Municipal Water Authority of Aliquippa, PA

Reference: Iranian Linked Cyber Army Had Partial Control of Aliquippa Water System
Reference: Municipal Water Authority of Aliquippa hacked by Iranian-backed cyber group
Incident: Employee of Taiwanese D-Link Falls for Phishing Leading to Data Breach

D-Link Corporation, a Taiwanese networking equipment manufacturer, confirmed a data breach linked to information stolen from its network and put up for sale on BreachForums earlier this month.
The intrusion vector was likely an employee who unintentionally fell victim to phishing. The attacker claims to have stolen source code for D-Link's D-View network management software, along with millions of entries containing personal information of customers and employees, including details on the company's CEO.

Victim: D-Link

Taiwanese networking equipment manufacturer D-Link

Reference: D-Link confirms data breach after employee phishing attack
Reference: NoName Hacker Group Goes on Rampage, Targets German Government and Ministries
Victim: Geneva Airport

Geneva Airport, Switzerland

Reference: Pro-Russian hackers step up attacks against Swiss targets, authorities say
Incident: DDoS Attack Caused Brief Disruption at German weapons manufacturer Rheinmetall

The Russian hacker group NoName today targeted the German weapons manufacturer Rheinmetall with a DDoS attack. Rheinmetall’s website was briefly unavailable on the morning of 28 March. Access was later restored.

Rheinmetall is expected to provide Ukraine with ammunition and weapons, such as tanks, which prompted the Russia-affiliated hackers to target the company.

Reference: NoName Hacker Group Targets German Weapons Manufacturer Rheinmetall with DDoS Attack
Incident: Ukrainian Hacktivists Temporarily Disabled Internet Services in some Russia Occupied Territories

Ukrainian hackers have temporarily disabled internet services in parts of the country’s territories that have been occupied by Russia. The group of cyber activists known as the IT Army said on Telegram that their distributed denial-of-service (DDoS) attack took down three Russian internet providers — Miranda-media, Krimtelekom, and MirTelekom — operating in the territories.

Early on Friday, Russian internet operators confirmed that they had experienced an “unprecedented level of DDoS attacks from Ukrainian hacker groups,” temporarily disrupting their operations. The attack affected services such as cellular networks, phone calls, and internet connections.

Victim: Russian internet providers — Miranda-media, Krimtelekom, and MirTelekom

Russian internet providers — Miranda-media, Krimtelekom, and MirTelekom

Reference: IT Army Ukrainian Hacktivist Group Hit ISPs in Occupied Territories
Reference: Ukrainian hackers disrupt internet providers in Russia-occupied territories
Incident: Cyberattack Causes Widespread Disruption for Lyca Mobile Customers

Lyca Mobile, a British telecom company, faced a network disruption due to a cyber attack over the weekend of September 30 - October 1.
“The issues affected all Lyca Mobile markets apart from the United States, Australia, Ukraine and Tunisia,” the company said. The attack prevented customers and retailers from accessing top-ups. National and international calling was impacted and it raised concerns about potential customer data compromise.

Reference: Lyca Mobile blames cyberattack for network disruption
Victim: Lyca Mobile

Lyca calls itself the world's largest international mobile virtual network operator, with over 16 million customers. It offers pay-as-you-go SIM cards across 23 countries in Europe, Africa and Asia, and is based in the UK.

Reference: Lyca Mobile Services Significantly Disrupted by Cyberattack
Reference: Cyberattack on British telecom Lyca prevented customers from making calls, topping up
Reference: Bangladesh hacktivists target critical infrastructure in India, Israel, and Australia
Incident: Large Scale DDoS Attacks at Italian Airports

Mysterious Team Bangladesh, a criminal hacker group that has attracted attention in the past for attacks, especially against Indian and Israeli sites, targeted three Italian airports: those of Valle d'Aosta, Calabria and Puglia.

The attacks were of the DDoS (Distributed Denial of Service) type and caused slowdowns on the sites. The Italian Cybersecurity Agency (ACN) has, as far as is known, alerted the parties potentially affected by the offensive: airports and, more generally, providers of essential services.

“Aeroporti di Puglia communicates that the analyzes carried out did not reveal any compromises to the functioning of the web services which are still regularly online”. Nor was there any damage to the computer systems of the various airports, so everything is proceeding regularly both in Bari Palese, Foggia and Brindisi.

Since the beginning of the Hamas-Israel crisis there has also been an increase in activity on the web, with the participation, among others, of hacktivists such as Mysterious Team Bangladesh appears to be: groups that push a political message through their actions.

Threat Actor: Mysterious Team Bangladesh

Research by the cyber security firm Group-IB shows that the gang is actively targeting critical infrastructure in countries outside Bangladesh. It has already carried out over 750 Distributed Denial of Service (DDoS) attacks and more than 70 website defacements in 2023.

Mysterious Team Bangladesh was founded by a threat actor with the nickname D4RK TSN in 2020 and is associated with Bangladesh. The motivations behind most of the gang’s attacks are religious and political. The group’s activity peaked in May 2023 when it announced a large-scale campaign against India.

Reference: Mysterious team Bangladesh attacks Italy, alert issued by ACN and 007 towards 3 Italian airports
Incident: BlackCat Allegedly Attacked Drone Systems Partner of NASA, Airbus

Unmanned drone systems maker, Autonomous Flight Technologies (AFT), has allegedly fallen victim to a cyberattack orchestrated by the notorious BlackCat ransomware group. The attackers claimed the Autonomous Flight Technologies data breach and purportedly sold exfiltrated data to an undisclosed foreign entity.

AFT, recognized for its cutting-edge unmanned drone technology, boasts prominent partnerships with industry giants such as Airbus, NASA, NBC, and Northrop Grumman. As the Autonomous Flight Technologies data breach remains unconfirmed, the industry awaits an official response from AFT while grappling with the broader implications of cybersecurity vulnerabilities in the rapidly advancing field of unmanned autonomous systems.

Victim: Autonomous Flight Technologies (AFT)

AFT, recognized for its cutting-edge unmanned drone technology, boasts prominent partnerships with industry giants such as Airbus, NASA, NBC, and Northrop Grumman.

Reference: NASA, Airbus Partner Autonomous Flight Technologies Targeted by BlackCat
Reference: Drone Systems Maker Autonomous Flight Technologies Targeted by BlackCat Ransomware
Incident: Cyberattack Disrupts Paris Wastewater Operations

The organization that manages wastewater for nine million people in and around Paris was hit with a cyberattack on Friday. Service public de l'assainissement francilien – known by its acronym SIAAP — manages nearly 275 miles of pipes throughout four French departments. IT teams have worked since Wednesday to secure industrial systems and close off all external connections in order to prevent the attack from spreading.

Officials said they have prioritized measures that allow them to “maintain the continuity of the public sanitation service for Ile-de-France residents.”

“The SIAAP crisis unit remains mobilized to manage the aftermath of this attack and support the continuity of the work of all of its agents from this week in a working environment largely degraded by the current situation,” they said, according to a machine translation of the statement.

“This mobilization will continue until a return to normal can be ensured.”

The organization has set up local systems to answer any questions from the public and said they are in constant communication with various government agencies about the situation.

Reference: Cyberattack targets Paris wastewater management organization
Victim: Service public de l’assainissement francilien – SIAAP

Paris wastewater agency: Service public de l'assainissement francilien – known by its acronym SIAAP — manages nearly 275 miles of pipes throughout four French departments.

Reference: Greater Paris wastewater agency dealing with cyberattack
Reference: Simpson Manufacturing Takes Systems Offline Following Cyberattack
Incident: Cyberattack cripples Operations at Ace Hardware in US

A cyberattack crippled Ace Hardware's internal systems, resulting in shipment delays and suspended online orders.

According to a notice that Ace President and CEO John Venhuizen sent to retailers and customers on Sunday evening, the incident occurred on the morning of October 29 and affected most of the organization’s operating systems.

“ACENET, our Warehouse Management Systems, the Ace Retailer Mobile Assistant (ARMA), Hot Sheets, Invoices, Ace Rewards and the Care Center’s phone system have been interrupted or suspended,” reads a copy of the notice, shared on Reddit.

The company informed Ace members that shipments were disrupted and that deliveries were delayed, urging customers to refrain from placing further orders.

Victim: Ace Hardware

Ace Hardware has more than 5,600 locally owned and operated hardware stores across roughly 70 countries.

Reference: Cyberattack Disrupts Ace Hardware’s Operations
Incident: Japanese Bicycle Manufacturer Shimano hit by Lockbit Gang

World-leading bicycle parts manufacturer Shimano has suffered a major cyber attack. Some 4.5 terabytes of sensitive data were breached, including employee passport data, financial documents and confidential diagrams.

LockBit gave Shimano a 5 November deadline to pay the ransom, which Shimano appears to have refused, as the hacking group has since listed the company's data as published. Shimano is yet to issue a statement on the breach, but responding to media inquiries, the company said: "This is an internal matter at Shimano, and we cannot comment on anything at this time."

Reference: Shimano hit by ransomware attack
Reference: Shimano faces threat of massive data breach by LockBit ransomware group
Victim: Shimano

Shimano, a world-leading bicycle parts manufacturer based in Japan

Reference: LockBit strikes at bicycle giant Shimano, steals 4.5TB of data
Reference: Boeing Confirms Cyber Incident Following Ransomware Attack Report
Reference: Infy subsidiary in US hit by ransomware
Incident: Cyberattack Disrupts Systems at Infosys McCamish Systems

Infosys McCamish Systems, a subsidiary of India-based IT services giant Infosys Ltd. (NYSE: INFY), experienced a cyberattack. The company reported the incident in a regulatory filing on 3 November.

“Infosys McCamish Systems (IMS), a subsidiary of Infosys BPM Limited (a wholly owned subsidiary of Infosys Limited), has become aware of a cybersecurity event resulting in non-availability of certain applications and systems in IMS,” according to the filing.

“Data protection and cybersecurity are of utmost importance to us,” the statement continued. “We are working with a leading cybersecurity products provider to resolve this at the earliest and have also launched an independent investigation with them to identify potential impact on systems and data.”

Victim: Infosys McCamish Systems

Infosys McCamish Systems provides business process outsourcing in the insurance space.

Incident: Yanfeng cyberattack disrupts production at Stellantis

A cyberattack that hit automotive parts production at Yanfeng International Automotive Technology in the US this week has had a knock-on effect at Stellantis, with the carmaker forced to halt assembly on certain lines.

In a short statement Stellantis said: “Due to an issue with an external supplier, production at some North America assembly plants has been disrupted. We are monitoring the situation and working with the supplier to mitigate any further impact to our operations.”

The carmaker said it would not provide information on affected plants or any other details. There has been no comment from Yanfeng.
Yanfeng manufactures key parts such as seats, interiors and electronics, among other components. Yanfeng also supplies General Motors, but that carmaker has not yet said whether the incident will have any impact on its current production schedule.

Reference: Yanfeng cyberattack disrupts production at Stellantis
Victim: Yanfeng Automotive Interiors

Yanfeng Automotive Interiors, a Chinese global supplier to the automotive manufacturing industry

Victim: Stellantis N.V.

Stellantis, a Dutch-headquartered automotive company

Stellantis N.V. is a multinational automotive manufacturing corporation formed from the merger of the Italian–American conglomerate Fiat Chrysler Automobiles and the French PSA Group. The company is headquartered in Amsterdam.

Reference: Stellantis Production Stalled Over Cyberattack
Incident: Hacktivists Attack on Israel’s Rail Network

The Cyber Avengers hacker group has revealed information showing that it targeted the Israeli railroad system's electrical infrastructure. Israeli media reported that "Israel's" railroad network has been targeted by a cyberattack.

Since 2020, the Cyber Avengers have hacked into and carried out numerous cyberattacks against the Israeli railroad systems, according to their Telegram channel. The group warned that if the Israeli occupation continues to pursue its crimes, it would deliver dreadful blows to Israeli infrastructure.

Victim: Israel Rail System

Israel Rail System

Reference: Israeli Rail System Comes Under Cyberattack
Reference: ‘Israel’s’ railroad network targeted by cyberattack: Israeli media
Incident: NoName Hits Swiss Governments and Rail sites with DDoS Attack

Swiss federal government websites and the online portal of the Swiss Federal Railways have been victims of malicious online attacks. Several websites of the federal administration are currently unavailable, Swiss public radio, SRF, reported on Monday.

According to the finance ministry, the sites were hit by a so-called DDoS attack, which aims to overload websites and applications with targeted requests so that they are no longer accessible. No data is lost in a DDoS attack.

The pro-Russian hacker group “NoName” has claimed responsibility for the attack on the federal government on its own Telegram channel, Tages-Anzeiger newspaper said. This group was also behind the attack on the Swiss parliament website (www.parlament.ch) last week.

Victim: Swiss federal government

Swiss federal government

Victim: Swiss Federal Railways

Swiss Federal Railways

Malware: DDoS Attack

DDoS Attack

Reference: Swiss government and Federal Railways hit by cyberattacks
Victim: Canadian National Railway

Canadian National Railway

Incident: German Pump Manufacturer Down for 7 Days after Cyberattack

In February 2022, Kracht GmbH was attacked by unknown perpetrators, and important systems were brought to a halt. Systems were up and running again in seven days. The entire IT system was reorganized so the workforce could quickly return to day-to-day business.

"It was a worst case scenario, as unknown offenders managed to override our sophisticated security systems. We decided not to negotiate with the offenders," states Peter Schilg, Head of IT, Kracht GmbH.

Reference: Kracht – Bechtle forensics restores the IT.
Reference: Cyber attack on pump manufacturers: unknown people blackmail company in MK
Victim: Kracht GmbH

Kracht GmbH in Werdohl is a leading German technology provider for pumps, fluid measurement, valves, hydraulic drives and customized system solutions. About 450 employees worldwide design, produce and sell the products.

Incident: Medusa Ransomware Gang Demands $8M Ransom from Toyota

Toyota Financial Services (TFS) has confirmed that it detected unauthorized access on some of its systems in Europe and Africa after Medusa ransomware claimed an attack on the company. The Medusa ransomware gang listed TFS to its data leak site on the dark web, demanding a payment of $8,000,000 to delete data allegedly stolen from the Japanese company. The threat actors gave Toyota 10 days to respond, with the option to extend the deadline for $10,000 per day. While Toyota Finance did not confirm if data was stolen in the attack, the threat actors claim to have exfiltrated files and threatened that the data will be leaked if a ransom is not paid.

Reference: Toyota confirms breach after Medusa ransomware threatens to leak data
Victim: Toyota Financial Services, subs. of Toyota Motor Corp

Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is a global entity with a presence in 90% of the markets where Toyota sells its cars, providing auto financing to its customers.

Reference: Toyota Confirms Breach After Medusa Ransomware Threatens to Leak Data
Incident: Long Beach, CA Declares State of Emergency after Cyberattack

The City of Long Beach in the US state of California suffered a significant network security incident. The attack forced officials to take several of its systems offline and announce a state of emergency.

All public safety systems, including the Emergency Communications Centre and emergency response from Police and Fire haven’t been impacted by the cyber attack. Systems connected to the network were taken offline out of an abundance of caution to mitigate the impact of the cyber attack.

Victim: City of Long Beach, CA

City of Long Beach, CA

Reference: California’s City of Long Beach declares a state of emergency to respond to a major cyber attack
Reference: Estes commits to more technology spending after October cyberattack
Reference: Rhysida ransomware gang claims British Library cyberattack
Incident: British Library Systems Disrupted for Weeks after Ransomware Attack

In late October, the British Library first disclosed it was experiencing an unspecified cybersecurity incident that caused a “major technology outage” across its sites in London and Yorkshire, which downed its website, phone lines, and on-site services, such as visitor Wi-Fi and electronic payments.

Two weeks on, and the British Library outage is still ongoing. However, the organization has now confirmed the disruption is the result of a ransomware attack launched “by a group known for such criminal activity.” The British Library said that some internal data has leaked online, which “appears to be from our internal HR files.”
The British Library said in its latest statement that it could take weeks, or possibly even longer, for it to recover from the ransomware attack.

Victim: British Library

Great Britain's National Library

Reference: British Library confirms data stolen during ransomware attack
Reference: Yamaha Subsidiary Hit In Ransomware Attack
Reference: Yamaha Motor Confirms Data Breach Following Ransomware Attack
Incident: Data Breach at Idaho National Labs

Federal research center, Idaho National Laboratory (INL), experienced a massive data breach Sunday night, leading to the leak of employee addresses, Social Security numbers, and bank account information.
The breach is under investigation and federal law enforcement is involved, said INL media spokesperson Lori McNamara. INL is part of the United States Department of Energy (DoE). Historically, the lab has been involved with nuclear research, although the laboratory does other research as well. Battelle Energy Alliance for the DoE’s Office of Nuclear Energy manages INL.

Reference: Idaho National Labs Suffers Data Breach
Victim: Idaho National Laboratory

INL is part of the United States Department of Energy (DoE). Historically, the lab has been involved with nuclear research, although the laboratory does other research as well. Battelle Energy Alliance for the DoE’s Office of Nuclear Energy manages INL.

Incident: Ransomware Attack at Kyocera

Kyocera AVX (KAVX) Components Corporation suffered a ransomware attack in March on servers in its Greenville and Myrtle Beach, South Carolina locations that temporarily disrupted operations and resulted in a breach affecting over 39,000 people, company officials said.
Upon learning of the incident, the company launched an investigation into the attack and hired an outside third party cybersecurity expert and notified law enforcement. KAVX is an American manufacturer of advanced electronic components and a subsidiary of the Japanese semiconductor giant Kyocera. Kyocera Corporation is a Japanese multinational ceramics and electronics manufacturer headquartered in Kyoto, Japan.

Reference: Kyocera AVX says ransomware attack impacted 39,000 individuals
Reference: Kyocera Suffers Ransomware Attack
Victim: Kyocera AVX (KAVX) Components Corporation

KAVX is an American manufacturer of advanced electronic components and a subsidiary of the Japanese semiconductor giant Kyocera. Kyocera Corporation is a Japanese multinational ceramics and electronics manufacturer headquartered in Kyoto, Japan.

Incident: Ransomware Attack at Yamaha Subsidiary

Yamaha Motor Co., Ltd. said one of the servers managed by its motorcycle manufacturing and sales subsidiary in the Philippines, Yamaha Motor Philippines, Inc. (YMPH), was hit by a ransomware attack, resulting in a partial leak of employees’ personal information.
Upon learning of the attack, the IT Center at Yamaha Motor headquarters in Japan and YMPH immediately set up a countermeasures team and have been working to prevent further damage while investigating the scope of the impacts, the company said in a statement.
In addition, the company said it is working on a recovery together with an external Internet security company, but it thinks it will take time until the full extent of the damage can be confirmed.

Reference: Yamaha Motor confirms ransomware attack on Philippines subsidiary
Reference: Yamaha Subsidiary Hit In Ransomware Attack
Threat Actor: INC Ransom

INC Ransom emerged in August this year and has targeted organizations spanning various sectors such as healthcare, education, and government in double extortion attacks. After gaining access, the operators move laterally through the network, first harvesting and downloading sensitive files for ransom leverage and then deploying ransomware payloads to encrypt compromised systems.

Victim: Yamaha Motor Co., Ltd.

Parent company of Yamaha Motor Philippines, Inc. (YMPH), its motorcycle manufacturing and sales subsidiary in the Philippines.

Incident: 40% of Australians Without Internet or Phone for One Day

An outage at No.2 Australian telco Optus left nearly half the population without internet or phone on Wednesday, throwing payment, transport and health systems into chaos and raising questions about the fragility of the country's core infrastructure. The outage was first reported about 4 a.m. local time (1700 GMT on Tuesday) and it was not until almost 5.30 p.m. that Optus said services had been restored.

Some 10 million Australians, 40% of the population, are Optus customers and could not use smartphones, broadband internet or landlines for much of the day. Hospitals couldn't take phone calls, small businesses were unable to process electronic payments, and train networks and ride share services were down simultaneously in some cities. The incident sparked criticism about the robustness of Australia's telecommunications network and in particular about Optus, which is owned by Singapore Telecommunications.

Reference: Optus outage causes chaos in Australia before services restored
Reference: BianLian extortion group claims recent Air Canada breach
Incident: Customers’ Credit Card details Stolen at Spanish Airline: Air Europa

Spanish airline Air Europa, the country's third-largest airline and a member of the SkyTeam alliance, warned customers on Monday 9 October to cancel their credit cards after attackers accessed their card information in a recent data breach. "We inform you that a cybersecurity incident was recently detected in one of our systems consisting of possible unauthorized access to your bank card data," Air Europa said in emails sent to affected individuals and seen by BleepingComputer.

The credit card details exposed in the breach include card numbers, expiration dates, and the 3-digit CVV (Card Verification Value) code on the back of the payment cards. Air Europa warned affected customers to ask their banks to cancel their cards used on the airline's website due to "the risk of card spoofing and fraud" and "to prevent possible fraudulent use."

Victim: Air Europa

Spanish airline Air Europa is the country's third-largest airline and a member of the SkyTeam alliance.

Reference: Air Europa data breach: Customers warned to cancel credit cards
Incident: Cyberincident at American Airlines Pilot Union

The American Airlines pilot union, the Allied Pilots Association, representing 15,000 pilots, has suffered a data breach in an apparent cyber-incident. The organisation's membership is spread throughout the U.S.
Looking into the ramifications of this for Digital Journal is Kevin Kirkwood, Deputy CISO at LogRhythm.
Kirkwood begins by assessing the actual breach and the significance on the trade union: “The American Airlines pilot union, representing 15,000 pilots, was hit with a ransomware attack late last week. Founded in 1963, it is the largest independent pilots’ union in the world.”
With the specific risk factors, Kirkwood says: “The organization is seeking outside experts to restore their systems and is still assessing what personally identifiable information (PII) was breached, only announcing that some systems were encrypted.”

Victim: Allied Pilots Association (American Airlines)

Allied Pilots Association is American Airlines' pilot union

Reference: Wings clipped: Aviation group caught out in cyberattack
Incident: Tri-City Medical Center in CA Operations Affected for Days

Tri-City Medical Center is diverting ambulance traffic to other hospitals Thursday as it copes with a cybersecurity attack that has forced it to declare “an internal disaster” as workers scramble to contain the damage and protect patient records. The Oceanside facility’s management confirmed the situation in a brief statement, indicating that the hospital’s emergency department remains “prepared to manage emergency cases” that may arrive in private vehicles and is “working with our other health system partners to ensure the provision of health care for our community.”

On Monday, 13 November, ambulance deliveries remain diverted from its emergency department and elective procedures remain canceled as the medical provider deals with the fallout of an attack on its digital assets and continues to operate in a state of “internal disaster.”

Victim: Tri-City Medical Center

Tri-City Medical Center in Oceanside, CA, USA

Reference: Four days in, cyber attack continues to impact Tri-City Medical Center in Oceanside
Reference: Tri-City Medical Center Announces Cyber Attack Causing an “Internal Disaster,” Leading Some to Raise Data Breach Concerns
Reference: Healthcare giant McLaren reveals data on 2.2 million patients stolen during ransomware attack
Incident: Boeing Hacked – Lockbit Gang Leaks almost 45 GB of Data Reportedly Stolen.

Boeing Co. is assessing a claim made by the Lockbit cybercrime gang that it had “a tremendous amount” of sensitive data it would publish online if Boeing didn’t pay a ransom by November 2.
The hacking group posted a countdown clock on its data leak website with a message saying, “Sensitive data was exfiltrated and ready to be published if Boeing do not contact within the deadline! For now we will not send lists or samples to protect the company BUT we will not keep it like that until the deadline.”

Two weeks after the claimed attack, Lockbit leaked almost 45 gigabytes of data reportedly stolen.

Reference: Weeks after Boeing attack, ransomware group leaks allegedly stolen files
Reference: Boeing ‘Assessing’ Ransomware Claim
Reference: Shares in Rheinmetall drop after company discloses malware attack
Reference: Ventia Systems Affected By Cyber Incident
Reference: Augustans still seeing higher water bills after cyberattack
Reference: Dole incurs $10.5M in direct costs from February ransomware attack
Victim: Wildeboer

Wildeboer Bauteile GmbH develops, manufactures and markets products for fire protection, noise protection, air distribution and building control systems.

Reference: Hacker attack on the Stade drinking water association
Incident: Cyberattack at India’s National Institute of Ocean Technology

The Medusa ransomware group claims to have infiltrated NIOT's systems and encrypted critical data, including plans, CAD drawings, and other sensitive information. The website was down at the time the incident was reported.

Victim: National Institute of Ocean Technology (NIOT)

National Institute of Ocean Technology - NIOT - is a premier research institution in India dedicated to developing sustainable ocean exploration and conservation technologies.
The organization’s work is vital for understanding and protecting the ocean ecosystem and supporting the country’s economic growth through offshore activities such as fishing, oil and gas exploration, and shipping.

Reference: Medusa Ransomware Group Targets National Institute of Ocean Technology
Incident: Cyberattack Reported at Institute of Science and Technology Austria (ISTA)

On Nov 2, 2022, a targeted attack caused the Institute of Science and Technology Austria (ISTA) to take the entire research facility offline out of an abundance of caution. Details about the extent of the attack are still under investigation.

Reference: Institute of Science and Technology Austria (ISTA) is victim of a targeted cyberattack
Victim: Institute of Science and Technology Austria (ISTA)

Research Institute of Science and Technology in Austria

Incident: Cyberattack at American Meteorological Institute

On Monday, 24 April 2023, we discovered that some of our systems have been impacted by an encryption/ransomware attack. The perpetrator encrypted AMS servers, making them inaccessible.

The Cactus Blog leak site reported the attack on July 20.

Reference: AMS notification letter to customers
Victim: American Meteorological Society

American Meteorological Society

Incident: Cyberattack Crippled Facilities of Large Australia Port Operator

A cyber incident shut down Australia’s second largest port operator, which is now having an impact on moving goods in and out of the country. DP World Australia, which operates ports in Melbourne, Sydney, Brisbane and Fremantle and is responsible for 40 percent of the country's maritime freight, said it began responding to a cybersecurity incident this past Friday, according to an ABC News report. While ships remain able to unload freight, the freight cannot then leave the port site. The operator said it took immediate action, which included disconnecting Internet connectivity; this stopped any ongoing unauthorized access.

Operations at container terminals in Melbourne, Sydney, Brisbane and Perth were disrupted from Friday to Monday morning. DP World Australia said its ports resumed operations at 09:00 local time "following successful tests of key systems overnight", the BBC reports.

There was no further word on what type of attack the port operator suffered and who was behind the assault.

Victim: DP World Australia

DP World is an Emirati multinational logistics company based in Dubai, United Arab Emirates. It specialises in cargo logistics, port terminal operations, maritime services and free trade zones. Formed in 2005 by the merger of Dubai Ports Authority and Dubai Ports International, DP World handles 70 million containers that are brought in by around 70,000 vessels annually. This equates to roughly 10% of global container traffic accounted for by their 82 marine and inland terminals present in over 40 countries. Until 2016, DP World was primarily a global port operator, and since then, it has acquired other companies up and down the value chain.

Reference: Cyberattack Shuts Down Aussie Ports
Reference: DP World shuts down ports after hack
Reference: Australian Ports Impacted by ‘Significant Cyber Security Incident’
Reference: Anatomy Of A Series Of Cyber Attacks
Incident: Largest Recorded Cyberattacks at Danish Energy Infrastructure

This past May, Danish critical infrastructure suffered the most extensive cyber-related attack the country has experienced to date. In all, 22 companies that operate parts of the Danish energy infrastructure ended up compromised in a coordinated attack, according to a report by SektorCERT. As a result, the attackers gained access to some of the companies’ industrial control systems, and several companies had to go into island mode operation.

The attacks began on May 11, followed by 10 days of inactivity. A second wave of attacks began on May 22, when SektorCERT received an alert that one of its members had downloaded new firewall software over an insecure connection. Whether the attack came from servers associated with a unit of Russian military hackers popularly known as Sandworm cannot be said with certainty: individual indicators of this have been observed, but there is no opportunity to either confirm or deny it, the SektorCERT report states.

Threat Actor: Unconfirmed

Unconfirmed at time of publishing

Victim: Danish Energy Infrastructure

National energy infrastructure in Denmark

Reference: SektorCERT The-attack-against-Danish-critical-infrastructure (PDF)
Reference: Denmark Hit With Largest Cyberattack on Record
Reference: Inside Denmark’s hell week as critical infrastructure orgs faced cyberattacks
Incident: Russian Sandworm Behind Operational Disruption of Ukraine Energy Facility in October 2022

According to Google-owned US cybersecurity firm Mandiant, Russia-linked hacking group Sandworm were behind hacks on Ukraine energy infrastructure during the October 2022 blackouts. The attack is a rare example of a cyber incident disrupting the physical operation of a targeted facility, according to Mandiant. There was potentially a two-month time period from when the attacker gained initial access to the SCADA system to when they developed the OT capability. Two days after the OT event, Sandworm deployed a new variant of CADDYWIPER in the victim’s IT environment to cause further disruption and potentially to remove forensic artifacts.

The techniques used during the attack show a growing maturity of Russia’s operational technology-oriented offensive cyber capabilities and overall approach to attacking such systems, Mandiant said.

Reference: Ukraine energy facility took unique Sandworm hit on day of missile strikes, report says
Reference: Russian spies behind cyber attack on Ukraine power grid in 2022 – researchers
Reference: Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology
Reference: Russia’s Sandworm hacking unit targets Ukrainian telecom providers
Incident: ‘Sandworm’ Attack Interrupts Service at 11 Telecom Providers in Ukraine

The state-sponsored Russian hacking group tracked as 'Sandworm' has compromised eleven telecommunication service providers in Ukraine between May and September 2023.
That is based on a new report by Ukraine's Computer Emergency Response Team (CERT-UA) citing 'public resources' and information retrieved from some breached providers. The agency states that the Russian hackers "interfered" with the communication systems of 11 telcos in the country, leading to service interruptions and potential data breaches.

Threat Actor: Sandworm

Sandworm is a very active espionage threat group linked to Russia's GRU (armed forces). The attackers have focused on Ukraine throughout 2023, using phishing lures, Android malware, and data-wipers.

Reference: Russian Sandworm hackers breached 11 Ukrainian telcos since May
Incident: Ransomware Hits Rea Magnet Wire Company

One of the world’s largest manufacturers of magnet and nonferrous wire products, Rea Magnet Wire Company, Inc. suffered a ransomware attack.
On October 4, Rea, a privately held company, sent a letter out to its customers saying they suffered a ransomware attack on September 9. The company said in the letter:
“On September 9, 2023, the Company was victimized by a ransomware attack. Fortunately, the attack did not affect all of the Company’s internal systems, and, through the quick and thoughtful work of our IT team and our external partners and advisors, we were able to restore substantially all of our systems within days. At present, the Company is operating normally, and we do not expect that the attack will have a material effect on the business going forward.
“In the course of the ransomware attack, the perpetrators stole information from the Company’s systems that may have included your name, mailing address, email address, phone number, date of birth, and social security number and/or tax identification number."

Reference: Rea Magnet Wire Company Hit In Ransomware Attack
Victim: Rea Magnet Wire Company

Fort Wayne, Indiana-based Rea produces copper, aluminum and brass-insulated magnet wire and bare wire used in the making of motors, transformers and coils. Rea also manufactures a number of specialty wire products.

Incident: Cyber Incident at Healthcare Solutions Giant Henry Schein

On October 14, 2023, Henry Schein determined that some of its manufacturing and distribution businesses had been the target of a cyberattack. In response, Henry Schein reported the incident to law enforcement and took steps to contain the incident, including taking down portions of its computer system. Henry Schein also enlisted the help of third-party cybersecurity and forensic information technology experts to determine if any confidential information stored on its computer network was subject to unauthorized access.

The company has not shared any other details on the cyberattack, but its brief description suggests that it may have involved ransomware.

Victim: Henry Schein

Henry Schein is a retail company based out of Melville, New York. Henry Schein provides healthcare products and services to dental, medical and animal healthcare practices in 32 countries. The company is publicly traded on the NASDAQ under the symbol “HSIC.” Henry Schein, Inc. employs more than 22,000 people and generates approximately $12.7 billion in annual revenue.

Reference: Operations of Healthcare Solutions Giant Henry Schein Disrupted by Cyberattack
Reference: Henry Schein, Inc. Confirms Recent Cyberattack, Raising Data Breach Concerns
Incident: Simpson Manufacturing, a Building Materials Maker, Attacked

Engineering and building material provider, Pleasanton, California-based Simpson Manufacturing Co. Inc., fell victim to a cyberattack Tuesday.
The company said it experienced disruptions in its Information Technology area Tuesday and took some systems offline. The Company is working diligently to respond to and address this issue. The incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations.

Reference: Building Materials Maker Simpson Manufacturing Attacked
Incident: Major Canadian Institutions Targeted in Cyberattacks

Major Canadian institutions, including military and Parliament websites, have been targeted in recent cyberattacks. The Indian Cyber Force hacker group claims responsibility, causing disruption in various government-operated web platforms. However, Canada’s signals-intelligence agency reassures that these “nuisance” attacks probably haven’t compromised private data.

The Canadian Armed Forces acknowledged that its website was temporarily inaccessible for mobile users after a DDoS attack. The issue was resolved.
The House of Commons website also suffered a DDoS attack, resulting in slow loading or incomplete page displays starting Monday within hours. Elections Canada faced a denial-of-service attack for about an hour early Wednesday.

Threat Actor: Indian Cyber Force (ICF)

Indian Cyber Force (ICF)

Reference: Cyberattacks hit military, Parliament websites as India-based group targets Canada
Victim: Canadian Government services

Canadian Government Services

Reference: Canadian Air Force and government sites hacked by Indian threat actor
Reference: Kenya cyber-attack: Why is eCitizen down?
Incident: Cyberattack Causes Widespread Disruption in Kenya

Kenya endured a huge cyber attack that affected services on a key government online platform. The BBC reported the attack against the country’s eCitizen portal. The portal is used by the public to access over 5,000 government services. The attack prevented passport applications and renewals, e-visas for non-citizens visiting Kenya, driving licences, ID cards and health records from being issued.

Anonymous Sudan claimed responsibility for an extensive cyberattack in Kenya which saw multiple government services impacted and raised concerns about the country's digital services.

The mobile-money banking service M-Pesa was also affected by the attack. People were unable to make payments at shops. Public transport vehicles, hotels and other platforms also experienced difficulties. Millions of people across Kenya use mobile money to receive and spend money, and the platform is widely seen as convenient for those who do not have access to essential banking services.

Victim: M-PESA

M-PESA is a mobile phone-based money transfer service, payments and micro-financing service, launched in 2007 by Vodafone and Safaricom, the largest mobile network operator in Kenya.

Victim: Kenya Government Services

Kenya Government

Reference: Cyberattack in Kenya impacts online government platforms
Reference: Lessons learned from Rio Tinto’s massive cyber-attack
Incident: Employee Data of Rio Tinto Group Uploaded to Dark Web

Personal data of Rio Tinto Ltd's former and current Australian employees was stolen by Cl0p. On April 6 the files were uploaded to the dark web. The ransomware group Cl0p claims responsibility for the alleged data hack.

Rio Tinto confirmed that stolen employee data have been uploaded on the dark web, ABC News reported.

Victim: Rio Tinto Group

Rio Tinto Group is a British-Australian multinational company that is the world's second-largest metals and mining corporation. It was founded in 1873 when a group of investors purchased a mine complex on the Rio Tinto, in Huelva, Spain, from the Spanish government.

Reference: Stolen Rio Tinto employee data from cyber-attack uploaded on dark web: reports
Reference: Global mining group Rio Tinto Australian staff hit by cyberattack
Victim: Eskom

Eskom transforms coal, nuclear, fuel, diesel, water, and wind into more than 90% of the energy supplied to a wide range of customers in South Africa and the Southern African Development Community (SADC) region.

Eskom is one of the few remaining vertically integrated utilities connected to the Southern African Power Pool (SAPP) through an interconnected grid.

Incident: Reportedly Disruptive Cyberattack at Porsche South Africa’s Headquarters

Porsche South Africa’s headquarters in Johannesburg suffered a disruptive ransomware attack over the weekend, taking down several of the company’s systems and at least some backups.

MyBroadband news outlet in SA understands the attackers used a relatively new ransomware strain called Faust to encrypt the company’s files and lock it out of corporate systems. The news outlet contacted Porsche South Africa for further details about the incident, but it declined to comment — neither confirming nor denying the attack.

Reference: Porsche South Africa suffers ransomware attack
Incident: Cyberattack at LTL Specialist Estes Express

Estes Express confirmed that its IT systems were the target of an ongoing cyberattack, but said terminals and drivers were still picking up and delivering freight while the IT infrastructure was out of action.
“We’re working as quickly as possible to resolve this issue and to return to business as usual,” the Richmond, Va.-based company wrote on X, the platform formerly known as Twitter, noting that it was “unable to share specific details at this time.”

The disruption caused by the cyberattack at Estes will tighten LTL capacity further, even though it is likely a short-term event.

Victim: Estes Express (LTL)

Estes Express had 9,694 company-owned tractors and 37,032 trailers as of the end of 2022, according to TT data. The carrier currently has in excess of 280 freight terminals.

Estes ranks No. 14 on the Transport Topics Top 100 list of the largest for-hire carriers in North America. It ranks No. 5 on the LTL sector list.

Reference: Estes Express says widespread system outage caused by cyberattack
Reference: Cyberattack Hits Estes Express Lines’ IT Systems
Incident: Golf Gear Giant Callaway Data Breach Exposes 1.1 Million Accounts

Topgolf Callaway (Callaway) suffered a data breach at the start of August, which exposed the sensitive personal and account data of more than a million customers. This impacts customers of Callaway and its sub-brands Odyssey, Ogio, and Callaway Golf Preowned sites. According to the data breach notification, the incident affected 1,114,954 individuals in the United States.

Callaway has forced a password reset for all customer accounts to prevent unauthorized access.

Victim: Callaway

Callaway is an American sports equipment maker and seller specializing in golf equipment and accessories such as clubs, balls, bags, gloves, and caps. The company is present in more than 70 countries worldwide and has an annual revenue of over $1.2 billion. It employs roughly 25,000 people.

Callaway sub-brands operating under the same business umbrella: Odyssey, Ogio, and Callaway Golf Preowned sites.

Reference: document: Topgolf Callaway-ME App & Sample
Reference: Golf gear giant Callaway data breach exposes info of 1.1 million
Incident: Cyberattack Shuts Down 14 Facilities at Largest Healthcare System in MI

McLaren Healthcare in Michigan reported outages affecting billing and electronic health record systems. According to the Detroit Free Press, McLaren had to shut down the computer network at 14 different facilities — a situation that got so bad that employees had to communicate through their personal phones. The Black Cat/AlphV ransomware gang claimed to have stolen 6 TB of data.

UPDATE: 13 November: McLaren reports Black Cat stole data on 2.2 million patients.

Victim: McLaren Healthcare

McLaren operates 13 hospitals across Michigan, as well as other medical services such as infusion centers, cancer centers, primary and specialty care offices and a clinical laboratory network. The company has more than 28,000 employees and also has a wholly owned medical malpractice insurance company.

Reference: Large Michigan healthcare provider confirms ransomware attack
Incident: Ransomware Attack Suspends All Services at Seville City Council – $1.5M Ransom Demanded

The Seville City Council has returned to paper notes and in-person procedures after suffering the hijacking of its computer systems by a group of cybercriminals, as confirmed by the City Council. The attackers demand a ransom of more than one million euros, and the City Council refuses to pay or negotiate “with cybercriminals”.

The hackers have claimed up to one and a half million dollars (1,396,642 euros) from the municipal government, although it has assured that "in no case will it negotiate with cybercriminals." It is the second successful attack on the municipal website in three years.

All services have been affected.

Victim: Seville City Council

Seville City Council - Spain

Reference: The Seville City Council suspends all telematic services due to a computer hijacking: “It will not be negotiated”
Incident: Russian Railways Website Suffers DDoS Cyberattacks

The Russian Railways website has suffered serious cyber attacks. The portal may experience disruptions, the company’s press service warned about this on February 26. “Our website is subject to regular, serious DDoS attacks. <…> The official mobile application of Russian Railways works normally. We are also increasing the number of operating ticket offices at stations so that all our passengers have the opportunity to buy tickets,” says a message published by Russian Railways on Telegram.

Reference: Russian Railways reported DDoS attacks on the site
Incident: Russian RZD Railway Cyberattack Disrupts Online Ticket Sales

The Russian state-owned railway company RZD said Wednesday that its website and mobile app were down for several hours due to a “massive” cyberattack, forcing passengers to only buy tickets at railway stations. RZD’s system was down for at least six hours, but the company said later on Wednesday that it had restored its operation despite ongoing attacks. Some of the company's online services are still unavailable due to the increased load, RZD said.

Victim: RZD railway company

Russian state-owned railway company RZD

Reference: Russian railway site allegedly taken down by Ukrainian hackers
Reference: Israel’s largest oil refinery website offline after DDoS attack
Incident: Wuhan Earthquake Monitoring Center Suspects Cyberattack Comes from US

The Wuhan Earthquake Monitoring Center suffered a cyberattack. The Wuhan public security bureau's Jianghan sub-bureau confirmed the discovery of a Trojan horse program originating from abroad at the Wuhan Earthquake Monitoring Center. According to the public security bureau, this Trojan horse program can illegally control and steal seismic intensity data collected by the front-end stations. This act poses a serious threat to national security. The center immediately sealed off the affected equipment and reported the attack to the public security authorities, in order to investigate the case and handle the hacker organization and criminals according to law, said the statement.

Victim: Wuhan Earthquake Monitoring Center

Wuhan Earthquake Monitoring Center, China

Reference: Wuhan Earthquake Monitoring Center suffers cyberattack from the US; investigation underway
Incident: Akira Ransomware Attacks Cisco VPN Network in Attempt to Breach Corporate Networks

Bleepingcomputer reports there's mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal, and eventually encrypt data. Reportedly, Akira has been using compromised Cisco VPN accounts to breach corporate networks without needing to drop additional backdoors or set up persistence mechanisms that could give them away.

Cisco VPN solutions are widely adopted across many industries to provide secure, encrypted data transmission between users and corporate networks, typically used by remotely working employees.

Reference: Akira ransomware targets Cisco VPNs to breach organizations
Victim: Augusta Utilities

Augusta Utilities, TN

Incident: Augusta Utilities Cyberattack Disables Water Meter Readers causing Extended Billing Chaos

A cyberattack at Augusta Utilities disabled electronic meter readers for five weeks, causing customer bills to almost double. The readers are used to measure customer water usage. Separate parts inside the device were all affected during the cyber shutdown. There’s a backorder on water meters because of high demand during COVID. A total of 75,000 meters are installed in Richmond County. With 15 employees, each employee has to check 5,000 meters.

On Sep 26, four months after the hack, local WRDW/WAGT reports that customers still claim inaccurate billing. Augusta says that 30% of the 75,000 water meters active in Richmond County still have to be read in person. The company is aware some meters may need to be replaced entirely. Since 2021, Augusta Utilities has been working on selecting a trial replacement model for all 75,000 meters; replacing them all will take five years.

Reference: DHL investigating MOVEit breach as number of victims surpasses 20 million
Incident: Akira and Blackbyte both claim Cyberattack at Yamaha Music Equipment Manufacturer

Yamaha’s Canadian music division confirmed that it recently dealt with a cyberattack after two different ransomware groups claimed to have attacked the company. On June 14, the company was posted on the Black Byte ransomware gang’s list of victims, according to cybersecurity expert Dominic Alvieri. But on Friday, Yamaha appeared on the leak site of the Akira ransomware group.

Yamaha Canada Music said the attack “led to unauthorized access and data theft.” “In response, we swiftly implemented measures to contain the attack ... to prevent significant damage or malware infiltration into our network.” The company did not respond to requests for comment about whether the incident involved ransomware.

“Yamaha Canada has been notifying affected individuals, and we are offering credit monitoring services to those at risk of potential harm.”

Victim: The Yamaha Corporation [musical equipment]

The Yamaha Corporation — different from the spun-off motorcycle division — is a Japanese manufacturing giant producing musical instruments and audio equipment. It is considered the world’s largest producer of musical equipment.

Reference: Yamaha confirms cyberattack after multiple ransomware gangs claim attacks
Incident: Russian Medical Lab Helix Hit by Ransomware Attack

Customers of the Russian medical laboratory Helix have been unable to receive their test results for several days due to a “serious” cyberattack that crippled the company's systems over the weekend. Hackers attempted to infect the company's systems with ransomware. The company told Russian state-owned news agency Tass that its tech team partially restored the functionality of its website, mobile app and other e-health services without paying a ransom.

No customer personal data was leaked. Service disruptions prevented the company from delivering medical test results to its customers on time. Helix did not respond to a request for comment. It is unclear which group is responsible.

Victim: Helix Laboratory

Russian medical laboratory Helix

Reference: Russian medical lab suspends some services after ransomware attack
Incident: Fewer than 9,000 American Airlines and Southwest Airlines Pilots Affected by Data Breach at 3rd Party Vendor

American Airlines and Southwest Airlines disclosed data breaches. The cause was the hack of Pilot Credentials, a third-party vendor that manages multiple airlines' pilot applications and recruitment portals. Documents containing information provided by certain applicants in the pilot and cadet hiring process were stolen. American Airlines said the data breach affected 5745 pilots and applicants, while Southwest reported a total of 3009.

Victim: Pilot Credentials

Pilot Credentials, a third-party vendor that manages multiple airlines' pilot applications and recruitment portals

Victim: Southwest Airlines

US low cost airline

Reference: American Airlines, Southwest Airlines disclose data breaches affecting pilots
Incident: Phishing Campaign Accessed Data for 15 Months at Multinational Shipping Company UPS

Multinational shipping company UPS is alerting Canadian customers that some of their personal information might have been exposed via its online package look-up tools and abused in phishing attacks. "UPS is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered," UPS said in a letter shared by Emsisoft threat analyst Brett Callow.

Following an internal review, UPS found that the attackers behind this ongoing SMS phishing campaign were using its package look-up tools to access delivery details, including the recipients' personal contact information, between February 2022 and April 2023.

Victim: UPS

Multinational shipping company UPS in USA

Reference: UPS discloses data breach after exposed customer info used in SMS phishing
Incident: MOVEit Transfer Hack Affects Aer Lingus

A spokesperson for Aer Lingus has confirmed that around 5,000 of its employees have been affected by a cyber attack that has compromised personal information. Aer Lingus also said that a "significant but lesser number of former employees" have also been affected.

The incident relates to a flaw in a piece of software called MOVEit Transfer, used by thousands of companies globally to transfer files, which could be exploited by cyber criminals.

Reference: Around 5,000 Aer Lingus employees affected by cyber attack
Incident: Lockbit Attacks US Networks of Largest Zipper Manufacturer in Japan

Japanese zipper giant YKK confirmed that its U.S. operations were targeted by hackers in recent weeks but said it was able to contain the threat before damage was caused. The Tokyo-based corporation would not say if it was hit with ransomware, but a spokesperson told Recorded Future News that once YKK discovered that its U.S.-based networks were targeted, the cybersecurity team “contained the threat before significant damage was done or sensitive information was exfiltrated.”

“The incident did not have a material impact on our operations or our ability to continue to serve our customers,” said Jessica Kennett Cork, vice president of corporate communications at YKK Corporation of America.

Reference: Zipper giant YKK confirms cyberattack targeted U.S. networks (Recorded Future News, June 7, 2023)
Victim: YKK Group

YKK Group is a Japanese manufacturing conglomerate best known for manufacturing zippers. However, the company also produces industrial machinery and hardware. YKK Group controls over 100 companies worldwide, employs over 44,000 people, and reported revenue exceeding $6 billion last year.

Reference: Zipper manufacturer YKK Group allegedly breached by LockBit
Incident: MOVEit Hack affects US Waste Isolation Plant in NM

The Department of Energy “took immediate steps” to mitigate the impact of the hack after learning that records from two department “entities” had been compromised, the department spokesperson said. “The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach,” the spokesperson said in a statement.

One of the Department of Energy victims is a contractor affiliated with the department’s Waste Isolation Pilot Plant in New Mexico, which disposes of waste associated with atomic energy. The other victim is Oak Ridge Associated Universities, a not-for-profit research center, a department spokesperson told CNN.

Incident: MOVEit hits US Department of Energy Research Universities in TN

The Department of Energy “took immediate steps” to mitigate the impact of the hack after learning that records from two department “entities” had been compromised, the department spokesperson said.

“The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach,” the spokesperson said in a statement.

One of the Department of Energy victims is Oak Ridge Associated Universities, a not-for-profit research center, a department spokesperson told CNN. The other victim is a contractor affiliated with the department’s Waste Isolation Pilot Plant in New Mexico, which disposes of waste associated with atomic energy, the spokesperson said.

Victim: Oak Ridge Associated Universities, TN

Oak Ridge Associated Universities, a not-for-profit research center for US Department of Energy

Victim: US Waste Isolation Pilot Plant – NM

Waste Isolation Pilot Plant - the New Mexico-based facility for disposal of defense-related nuclear waste.

Reference: Exclusive: US government agencies hit in global cyberattack
Reference: Cyberattack Hits US Lab Contractor, Nuclear Waste Site
Reference: EDS Automotive Data Breach on January 02, 2023
Incident: Data Breach at Nigerian Oil and Gas Sector

An unknown threat actor has targeted the Nigerian Oil & Gas Industry Content Joint Qualification System (NOGIC JQS) and posted its data on a hacker forum, with sample images revealing lists of files, including backups and MySQL data. The NOGIC JQS website offers services such as registration of contractors in the Nigerian oil and gas industry, marine vessel registration, verification, databases for national skill development, categorization of marine support vendors, expatriate quota application management, tenders management, etc. This points towards the severity of the hacking and leaking of sensitive and critical data.

Currently, the Nigerian Oil & Gas Industry Content Joint Qualification System (NOGIC JQS) portal is inaccessible and “under maintenance”. The website states that the application is undergoing updates.

The Nigerian oil and gas industry has been in the news over the oil theft controversy, price increases, and the discovery of oil slicks in the Escravos river. As per reports, Nigeria is Africa’s primary oil producer and produces 1.2 million barrels of oil daily.

Victim: Nigerian Oil & Gas Industry Content Joint Qualification System (NOGIC JQS)

Nigerian Oil & Gas Industry Content Joint Qualification System (NOGIC JQS) offers services such as registration of contractors in the Nigerian oil and gas industry, marine vessel registration, verification, databases for national skill development, categorization of marine support vendors, expatriate quota application management, tenders management, etc.

Reference: Nigerian Oil and Gas Sector Under Attack, Hackers Leak NOGIC Data
Incident: Campbell Soup Shuts Down OH Site After Cyberattack

Campbell Soup disclosed an “IT-related complication” at a factory in Napoleon, Ohio. The company told station WTOL that impacted systems had been restored and operations would be back to normal. The Toledo Blade reported the plant was offline for three days and employees were temporarily sent home.

The attack had a limited impact on the company’s business and the company considers the disruption nonmaterial.

Victim: Campbell Soup Co.

The US company product line includes a variety of soups, beverages and snacks, including Campbell’s soup, Pepperidge Farm cookies, Pop Secret popcorn, V8 juices and other foods.

Reference: Three-day Campbell’s Napoleon plant outage due to IT problems, company says
Reference: Campbell Soup says summer cyberattack caused limited business impact
Incident: German Mechanical Engineering Firm Dürr Successfully Wards Off Cyberattack

Dürr's security experts were able to fend off a hacker attack. A subsidiary was also attacked. The attempt to break into the IT system of the Bietigheim-Bissingen mechanical engineering company was repelled. The hackers neither encrypted any data nor took control of the system. The employees at Dürr were informed about the attack. Everyone had to change their password.

There was also a hacker attack at an American company in the Homag Group, which belongs to Dürr AG, says Christen. The attackers got a little further in the company than in Bietigheim-Bissingen. The spokesman emphasizes that data was not lost there either. To prevent this, the computer systems were shut down. IT security checks are currently ongoing. (see cross link to Stiles Machinery)

Reference: Systems Shut Down at Stiles Machinery (HOMAG) after Cyberattack
Victim: Dürr

Mechanical Engineering Firm in Germany

Reference: Hackers are taking a look at Dürr
Reference: Dürr fends off cyberattacks
Reference: Hacker attack on Baden steelworks in Kehl
Reference: Cyber attack on Baden steelworks
Incident: Edinburgh Trams’ Website offline after Cyberattack

Edinburgh Trams said on Thursday it was the victim of a “cyber crime” making the company's website “inaccessible” to its user base. The matter was reported to police on Thursday, 28 September 2023, and enquiries are ongoing.

Threat intelligence platform FalconFeeds said that international ransomware group NoName was behind the attack, and also targeted Swiftcard and Mersey Ferries Limited.

Victim: Edinburgh Trams

Edinburgh Trams, Scotland, UK

Reference: Edinburgh Trams website offline following ‘cyber- attack’
Reference: Edinburgh trams targeted by ‘cyber attack’ as fears grow over Russian hackers
Threat Actor: BianLian Ransomware Group

BianLian is a ransomware group that was first observed in 2022. According to a report from cybersecurity firm Redacted, the gang has evolved its tactics. The hackers now no longer aim to encrypt their victims' files. Instead, they threaten to publish the stolen data on the dark web if the ransom is not paid.

BianLian posts notice of stolen data on its blackmail site after just 48 hours. The victims then have around ten days to pay the ransom. According to the research report, as of March 13, 2023, the ransomware gang had listed a total of 118 victim organizations on its extortion portal, with the vast majority (71 percent) being US-based companies.

Reference: German car spare parts specialist Bilstein hacked
Incident: SoftProject GmbH Reports Ransomware Attack

SoftProject GmbH was the target of a ransomware attack on its data center. According to available findings, part of SoftProject GmbH's application landscape was encrypted. The forensic audits to date have revealed no evidence of a data leak. The detected malware “CryTox” is only used for encryption. The office domain of SoftProject GmbH's administrative location was not part of the attack. According to current knowledge, there was no data leakage here either. SoftProject GmbH is working on putting the systems back into operation and carrying out further forensic analyses.

The incident was immediately and properly reported. SoftProject offers products and services for digitizing and automating business processes in all industries.

Reference: SoftProject GmbH reports ransomware attack
Victim: SoftProject

SoftProject offers products and services for digitizing and automating business processes in all industries since 2000.

Incident: Ransomware Attack Shuts Down Operations at German Manufacturer Wildeboer

Hackers paralyzed Wildeboer's IT on July 14 and encrypted the company data. Production has been at a standstill since then, and a large proportion of the 350 employees have been on short-time work. The company produces, among other things, fire and sound insulation components for office complexes and stadiums. The perpetrators left instructions, but instead of responding to the ransom demand, the company filed a police report.

The company issued a statement on their website: "After weeks of hard work, Wildeboer will resume production on Monday, August 14. In connection with the restart of production, we will provide you very promptly with the necessary documents from our order processing department. The restart was made possible by many very intensive and dedicated colleagues from all divisions."

Reference: German construction producer Wildeboer affected by hacker attack
Reference: Attack on Wildeboer IT Systems
Incident: Ransomware Attack on German Drinking Water Association Paralyzes IT Systems

Hackers have paralyzed the IT systems of the Stader Land Drinking Water Association (TWV), resulting in technical disruptions. The company website states (translated into English): "At the end of July we fell victim to a ransomware attack. The aim of this was to encrypt our systems. The encryption could be prevented and we have now largely completed the secure reconstruction of our IT. We are supported by external experts and work closely with the relevant data protection and police authorities. The drinking water supply was never affected by the IT security incident and is operating at the usual high level.

With an attack of this type, there is always a risk that the perpetrators will steal data such as address or account details and other sensitive information. Unfortunately, this is now also the case with us. The criminals stole customer data in the context of meter changes and, according to our experts, published it on the darknet. A large number of our customers are affected by this.

Reference: Trinkwasserverband Stader Land website homepage
Victim: Trinkwasserverband Stader Land (TWV)

Trinkwasserverband Stader Land (TWV) - drinking water association in Germany

Reference: Hacker attack on the Stade drinking water association
Incident: Ransomware Strikes Progressive Computing's Entire Client Base

On July 2, 2021, the REvil ransomware group launched a cyberattack on Kaseya's VSA. The attack affected approximately 50 managed service providers (MSPs). Progressive Computing was one of the victims, and hackers installed ransomware across its entire client base. The hack simultaneously affected 500 endpoints across 80 clients with 200 physical sites in four different time zones.

Victim: Progressive Computing

Progressive Computing, a manufacturer and supplier of equipment for wide area networks.

Reference: How Progressive Computing Combated a Large-Scale Cyberattack
Reference: Hackers strike Aker Solutions’ Brazil M&M operation
Incident: 2020 Phishing Email Cost UK Interserve more than £11M

Hackers stole sensitive details on 100,000 people from an outsourcing company named Interserve. The attackers behind the phishing campaign are unknown and the company offered no additional information. The data stolen is sensitive, including employee names and their addresses, bank details, payroll information, HR records, pension information and much more.

Update August 2023: The Information Commissioner fined Interserve £4.4m in autumn 2022. Interserve was once a FTSE 250 firm but has largely been broken up after collapsing into administration four years ago. Its latest accounts reveal that it spent £7m on ‘professional adviser fees’ following the attack.

Reference: Interserve Hit by Data Breach; 100,000 Employee Records Stolen
Reference: Cyber attack cost Interserve more than £11m
Incident: Norwegian Energy Company Investigating Cyberattack at Brazil Subsidiary

Norwegian energy services company Aker Solutions said a subsidiary company in Brazil has been subjected to a cyber attack on its IT systems. Aker Solutions said it does not yet know the full extent of the situation, and that a dialogue is being established with the authorities in Brazil about the incident.

In addition, its global IT organisation is working to resolve the situation with external expertise. "The attack is currently directed at CSE, and the attackers claim that they have entered the IT systems, encrypted digital files and locked access to data," said the company, led by chief executive Kjetel Digre.

CSE is a fully-owned Aker Solutions subsidiary with 450 employees in Brazil. Its main business is providing maintenance and modifications services to oil and gas installations offshore Brazil.

Victim: Aker Solutions / CSE

Norwegian energy services company Aker Solutions.

CSE is a fully-owned Aker Solutions subsidiary with 450 employees in Brazil. Its main business is providing maintenance and modifications services to oil and gas installations offshore Brazil. Aker Solutions also has a subsea manufacturing plant and service base in Brazil.

Reference: Aker Solutions working to solve cyber attack at its Brazil subsidiary
Incident: Encino Energy Says Operations Not impacted by Cyberattack

Major U.S. private natural gas and oil producer Encino Energy has disclosed that its operations were not impacted by a cyberattack, which it has already remediated, days after it was added by the ALPHV ransomware operation, also known as BlackCat, to its data leak site, reports The Record. Encino Energy spokesperson Jackie Stewart would not say if the cyberattack was a ransomware incident, if the company paid a ransom or if it had examined the 400GB of data on ALPHV's site. The post by the cybercrime group does not mention a dollar figure or a deadline for payment.

ALPHV had exposed 400 GB of data claimed to be stolen from Encino Energy, which is Ohio's primary oil producer, but company spokesperson Jackie Stewart refused to confirm the nature of the cyberattack and whether the demanded ransom was paid, as well as the veracity of the data leaked by the ransomware group.

Such an attack against Encino Energy comes after the ransomware gang's intrusions against two Luxembourg-based energy firms, as well as German oil companies Mabanaft and Oiltanking.

Victim: Encino Energy

Encino Energy, OH, is one of the largest private natural gas and oil producers in the U.S.

Reference: Ohio’s largest oil producer says ‘no impact’ seen after cyberattack
Reference: Encino Energy claims ‘no impact’ from ALPHV ransomware attack
Reference: ‘Israel’s’ railroad network targeted by cyberattack: Israeli media
Incident: DDoS attack at Israel’s Largest Oil Refinery

The website of Israel’s largest oil refinery operator, BAZAN Group, became inaccessible to most parts of the world on Sunday due to a potential cyber attack. The website remained accessible from within Israel, possibly after imposition of a geo-block by BAZAN in an attempt to thwart an ongoing cyber attack. In a Telegram channel, Iranian hacktivist group Cyber Avengers has claimed responsibility and leaked what appear to be screenshots of BAZAN’s SCADA systems. The group states that it breached the petrochemicals giant via an exploit targeting a Check Point firewall at the company.

In a statement to BleepingComputer, a spokesperson for BAZAN dismissed the leaked materials as "entirely fabricated." The Iranian hacktivist group Cyber Avengers, also known as CyberAv3ngers, claims to have compromised BAZAN Group.

Victim: BAZAN Group

The Haifa Bay-based BAZAN Group, formerly Oil Refineries Ltd., is Israel's largest oil refinery operator and generates over $13.5 billion in annual revenue and employs more than 1,800 people.

Reference: Israel’s largest oil refinery website offline after DDoS attack
Incident: Australian Infrastructure Services Provider Takes Down Systems

The Australian infrastructure services provider Ventia says a cyberattack on the weekend of July 8 and 9 is contained. The attack on the Sydney-headquartered essential infrastructure services provider caused it to take key systems offline. However, in a July 12 statement, Ventia says its key internal systems have been safely re-enabled and external-facing networks are systematically being restored. Ventia is giving little away about the nature of the cyberattack, but the company’s decision to shut down its systems is a characteristic response to a ransomware-style attack.

An APAC Analyst Technical Director at DarkTrace says some of Ventia’s systems were offline for at least three days and switching off services would significantly impact customers. “Ventia are an important pillar in the management of critical infrastructure. They operate sites across Australia and New Zealand on behalf of defence, electricity, gas, and water companies.”

Victim: Ventia

Ventia provides a range of services at 400-plus locations across Australia, including waste management, asset management, telecommunications, engineering services and environmental management services.

One of its biggest clients is the Western Australian government.

Reference: Ventia says Recent Cyberattack Contained, but Questions Unanswered
Reference: Cyber Incident
Reference: Australian infrastructure company Ventia hit with cyberattack
Incident: Unknown Actor Targets South African Power Generator

Researchers have uncovered a suspected cyberattack targeting a power generator in southern Africa with a new variant of the SystemBC malware. The attack was carried out by an unknown hacker group in March of this year, according to a report by cybersecurity firm Kaspersky. The hackers used a Cobalt Strike tool and DroxiDat — a new variant of the SystemBC payload — to profile compromised systems and establish remote connections on the electric utility.

No ransomware was delivered to the organization, however.

Reference: Unknown Actor Targets Power Generator with DroxiDat and Cobalt Strike
Reference: Southern African power generator targeted with DroxiDat malware
Incident: China-Linked Hackers Breach Power Grid in Undisclosed Asian Country

Symantec revealed that a Chinese hacker group with connections to APT41, which Symantec is calling RedFly, breached the computer network of a national power grid in an Asian country—though Symantec has declined to name which country was targeted. The breach began in February of this year and persisted for at least six months as the hackers expanded their foothold throughout the IT network of the country's national electric utility, though it's not clear how close the hackers came to gaining the ability to disrupt power generation or transmission.

Signs suggest the culprits worked within a notorious Chinese hacker group that may have also hacked Indian electric utilities years earlier.

Victim: Undisclosed – Energy sector

Undisclosed - Energy sector

Reference: China-Linked Hackers Breached a Power Grid—Again
Incident: Cyberattack Suspends Clinical Activity in Madeira Health Service

Cyberattack forces suspension of clinical activity in the Madeira Health Service. Non-urgent clinical activity will be suspended on Monday.
The Madeira Health Service (SESARAM) was the target of a cyber attack that caused a “dysfunction in its computer network”, said the institution, informing that non-urgent clinical activity will be suspended on Monday 7 August. The institution stated: "All non-urgent clinical activity will be suspended for the day tomorrow [Monday, August 7]." This includes consultations, scheduled surgeries, clinical analyses and complementary means of diagnosis.

The attack compromised the personal data of more than 250,000 Madeirans and 10,000 foreigners. Although there is no ransom demand for the information, the attack has already been claimed by the Rhysida group.

Victim: Madeira Health Service (SESARAM)

Health service organization of the island of Madeira, Portugal

Reference: Cyberattack forces suspension of clinical activity in the Madeira Health Service
Incident: 16 Hospitals of Prospect Medical Holdings Impacted by Ransomware Attack

The 16 hospitals run by Prospect Medical Holdings are still recovering from a ransomware attack announced last Thursday that caused severe outages at facilities in four states. Several of the hospitals were forced to divert ambulances to other healthcare facilities, cancel appointments and close smaller clinics while the parent company dealt with the attack. The incident has drawn national headlines due to how widespread it is, covering healthcare facilities in multiple states.

While the FBI and the U.S. Department of Health and Human Services (HHS) declined to comment on the perpetrators, HHS published a warning to all hospitals on Friday about Rhysida, noting that it was a relatively new ransomware-as-a-service (RaaS) group that emerged in May.

Victim: Prospect Medical Holdings, Inc.

Prospect owns and operates 16 hospitals and more than 165 clinics and outpatient centers, with primary operations in California, Connecticut, Pennsylvania, Rhode Island and Texas.

Reference: Prospect Medical hospitals still recovering from ransomware attack
Incident: Italtel Cyberattack Claimed by Medusa

On Monday 25 September, the Italian company Italtel was the victim of a cyber attack. The cyber attack impacted Italtel's IT infrastructure, limiting access and use of some company systems. The situation continues to evolve. The Italtel affair adds to the many IT incidents involving large Italian companies.
Italtel has already started communicating with its customers and suppliers about the cyber attack. Any subsequent interactions will be managed by the competent figures within the company.

The Medusa ransomware gang has claimed the attack; as of today, Italtel has not confirmed it. Italtel's target markets are Telco & Media, Industry & Manufacturing, Energy & Transportation, Banking & Insurance, Healthcare and Public Administration.

Reference: Italtel Suffers a Cyber Attack: What We Know So Far
Victim: Italtel Ltd

Italtel Ltd. is an Italian telecommunications equipment and ICT company founded in 1921, originally as a branch of Siemens AG.

Reference: Johnson Controls Hit In Cyberattack
Incident: DDoS Attack on Russian Flight Booking System Leonardo Disrupts Airport Operations

A Russian flight booking system was hit by a cyberattack on Thursday, causing delays at airports. The incident lasted about an hour and affected the operation of several Leonardo customers, including Russian air carriers Rossiya Airlines, Pobeda and flagship airline Aeroflot. DDoS attacks overwhelm websites with a flood of traffic, making them temporarily unavailable to users.

Leonardo is used by more than 50 Russian carriers and serves around 45 million passengers annually, according to the Russian news agency Interfax.

Victim: Leonardo

Russian flight booking system used by more than 50 Russian carriers, serving around 45 million passengers annually. Customers include the Russian air carriers Rossiya Airlines, Pobeda and flagship airline Aeroflot.

Threat Actor: IT Army

Ukrainian hacktivist group

Reference: Russian flight booking system suffers ‘massive’ cyberattack
Incident: Network Monitoring Company Users Affected by Hacking Campaign

Network monitoring company LogicMonitor confirmed today that some users of its SaaS platform have fallen victim to cyberattacks.
The company says that the hacking campaign has hit what it describes as a "small number" of users and is working with those affected to mitigate the attacks' impact.

While LogicMonitor did not confirm that ransomware attacks hit its affected customers, anonymous sources familiar with the incidents told BleepingComputer that the threat actors hacked customer accounts and "were able to create local accounts and deploy ransomware."

Victim: LogicMonitor

LogicMonitor / LM Envision is a SaaS-based cloud platform.

Reference: LogicMonitor customers hacked in reported ransomware attacks
Incident: Travel Booking Giant Sabre Investigating Claims of a 1.3TB Data Breach

Travel booking giant Sabre said it was investigating claims of a cyberattack after a tranche of files purportedly stolen from the company appeared on an extortion group’s leak site. The Dunghill Leak group claimed responsibility for the apparent cyberattack in a listing on its dark web leak site, alleging it took about 1.3 terabytes of data, including databases on ticket sales and passenger turnover, employees’ personal data and corporate financial information.

Sabre is a travel reservation system and major provider of air passenger and booking data. Many U.S. airlines and hotel chains rely on the company’s technology.

Victim: Sabre

Sabre is a travel reservation system and major provider of air passenger and booking data, whose software and data is used to power airline and hotel bookings, check-ins and apps. Many U.S. airlines and hotel chains rely on the company’s technology.

Reference: Ransomware gang claims credit for Sabre data breach
Incident: Paralyzing Cyberattack Hits Danish Cloud Service Companies

CloudNordic has told customers to consider all of their data lost following a ransomware infection that encrypted the large Danish cloud provider's servers and "paralyzed CloudNordic completely," according to the IT outfit's online confession. The hackers shut down all of CloudNordic's systems, wiping both company and customers' websites and email systems, even the backups and production data were trashed. CloudNordic isn't prepared, nor able, to pay a ransom, presumably to restore the information and systems. CloudNordic says its "best estimate" is that the infection happened as servers were being moved from one datacenter to another.

Customers with Azero are also affected. CloudNordic and Azero are owned by Denmark-registered Certiqa Holding, which also owns Netquest, a provider of threat intelligence for telcos and governments.

Reference: Devastating ransomware attack hits Danish cloud hosting companies CloudNordic and AzeroCloud
Victim: CloudNordic & Azero owned by Certiqa

CloudNordic and Azero are owned by Denmark-registered Certiqa Holding, which also owns Netquest, a provider of threat intelligence for telcos and governments. CloudNordic offers resellers a complete cloud computing platform and portfolio.

Reference: Criminals go full Viking on CloudNordic, wipe all servers and customer data
Incident: Medusa Ransomware Group Hacks Gujarat Mining Company, Demands $500K Ransom

A ransomware gang breached the Gujarat Mineral Development Corporation (GMDC) data network on April 1. The ransomware gang called ‘Medusa’ first published on its blog, ‘Medusa Blog’, on March 23 that it was in possession of several GBs of sensitive data belonging to GMDC’s office in Ahmedabad and had compromised the ‘admin’ of the network. Medusa ransomware demanded $500,000 as ransom from GMDC by April 1 to decrypt the documents.

The Medusa ransomware gang took control of administrator rights, and allegedly had access to Office365 users’ emails including the attached documents. There were lists of corporate business clients with whom GMDC is in business, maintenance contracts for a power plant, several tender documents, infrastructure evaluation report conducted by Schneider Electric for GMDC, several IP addresses of employees and their devices, employees’ personal details.

Victim: Gujarat Mineral Development Corporation – GMDC

Indian government-operated mining company.

Reference: Notorious Medusa ransomware: Gang seeks $500,000 from GMDC
Incident: $1M Ransom Demanded of Auckland Transport

The Auckland Transport (AT) transportation authority in New Zealand is dealing with a widespread outage caused by a cyber incident, impacting a wide range of customer services. The company announced that it is experiencing issues with its HOP services (integrated ticketing and fares system).

Auckland Transport dismissed a claim by the Medusa hacker group that it would release data from the agency’s ticketing system at 8pm Tuesday. AT said it would not be engaging, and believed no financial data had been lost.

Threat Actor: Medusa

This ransomware gang launched in 2021 but saw a significant spike in malicious activity in 2023.

Reference: Auckland transport authority hit by suspected ransomware attack
Victim: Auckland Transport

Auckland Transport is responsible for Auckland's transport services excluding state highways, from roads and footpaths to cycling, parking and public roads.

Reference: Hackers offer stolen Auckland Transport data for sale on dark web
Incident: UK-Based KNP Logistics Business Shuts Down: 700 Jobs Lost

KNP Logistics Group will be forced to make over 700 employees redundant. According to the administrators, a “major ransomware attack … affected key systems, processes and financial information. This adversely impacted on the financial position of the Group and ultimately, its ability to secure additional investment and funding.” The incident is a rare public example of the existential threat that experts warn ransomware can pose to businesses.

Only the group’s Nelson Distribution business will survive after being sold, saving 170 jobs. KNP was formed out of a 2016 merger between Nelson Distribution and Knights of Old, a haulage business that dated back to 1865. The group was originally compromised in June 2023 by the Akira ransomware collective. However, it’s unclear whether it was able to access a decryptor for the ransomware released by Avast in July.

Victim: KNP Logistics Group

KNP Logistics Group is one of the UK’s largest privately owned logistics firms. KNP was formed out of a 2016 merger between Nelson Distribution and Knights of Old, a haulage business that dated back to 1865.

Reference: UK logistics firm blames ransomware attack for insolvency, 730 redundancies
Reference: UK Logistics Firm Forced to Close After Ransomware Breach
Incident: Massive Ransomware Attack at Johnson Controls

Johnson Controls International suffered a massive ransomware attack. The attack encrypted many of the company's devices, including VMware ESXi servers, impacting the company’s and its subsidiaries’ operations. Johnson Controls shut down portions of its IT systems over the weekend, after which many of its subsidiaries, including York, Simplex, and Ruskin, began to display technical outage messages on website login pages and customer portals.

Cost of the attack to the company was $27 million.

Customers of York report that they are told the company’s systems are down. "Their computer system crashed over the weekend. Manufacturing and everything is down," a York customer posted to Reddit. "I talked to our rep and he said someone hacked them," posted another customer. This morning, Nextron Systems threat researcher Gameel Ali tweeted a sample of a Dark Angels VMw. BleepingComputer reports the ransom note links to a negotiation chat where the ransomware gang demands $51 million to provide a decryptor and to delete stolen data. The threat actors also claim to have stolen over 27 TB of corporate data and encrypted the company's VMWare ESXi virtual machines during the attack.

BleepingComputer reports that the Linux encryptor used in the Johnson Controls attack is the same as ones used by Ragnar Locker since 2021. They contacted Johnson Controls with questions regarding the attack but have not received a response.

Victim: Johnson Controls

Johnson Controls is a multinational conglomerate that develops and manufactures industrial control systems, security equipment, air conditioners, and fire safety equipment. The company employs 100,000 people through its corporate operations and subsidiaries, including York, Tyco, Luxaire, Coleman, Ruskin, Grinnel, and Simplex.

Threat Actor: Dark Angels

Dark Angels is a ransomware operation launched in May 2022 when it began targeting organizations worldwide. Like almost all human-operated ransomware gangs, Dark Angels breaches corporate networks and then spreads laterally through the network. During this time, the threat actors steal data from file servers to be used in double-extortion attacks.

When they gain access to the Windows domain controller, the threat actors deploy the ransomware to encrypt all devices on the network. The threat actors initially used Windows and VMware ESXi encryptors based on the source code leak for the Babuk ransomware. However, cybersecurity researcher MalwareHunterTeam tells BleepingComputer that the Linux encryptor used in the Johnson Controls attack is the same as ones used by Ragnar Locker since 2021.

Reference: Building automation giant Johnson Controls hit by ransomware attack
Incident: National Science Foundation Shuts down Telescopes in Hawai’i and Chile

A U.S. national center for astronomy was struck with a cyberattack this week that hindered the operations of an observatory in Hawai'i and Chile.

The National Science Foundation’s National Optical-Infrared Astronomy Research Laboratory – also known as NOIRLab – published a notice on Tuesday night explaining that the lab had discovered an attempted cyberattack on its systems that morning. The attack forced the “suspension of astronomical observations at Gemini North in Hawai'i.” Located on Maunakea, Gemini North is one of the Gemini Observatory's two telescopes, with the other in Chile, and is an international science partnership between the U.S., Canada, Chile, Brazil, Argentina and South Korea.

“Quick reactions by the NOIRLab cyber security team and observing teams prevented damage to the observatory. Out of an abundance of caution we have decided to isolate the Gemini Observatory computer systems by shutting them down,” the organization said. Both the telescopes in Hawai'i and in Cerro Pachón, Chile have been shut down as the IT team investigates the incident and “develops the recovery plan in consultation with NSF’s cyber specialists.”

The lab did not say if the incident was a ransomware attack but said it had no impact on the infrastructure of other NOIRLab centers.

Victim: NOIRLab National Optical-Infrared Astronomy Research Laboratory

National Science Foundation’s National Optical-Infrared Astronomy Research Laboratory

Reference: Hawai’i’s Gemini North observatory suspends operations following cyberattack
Incident: Belt Railway Company Investigates Data Theft

The largest switching and terminal railroad in the U.S. is investigating the theft of data by a ransomware group. Operating about 28 miles of railroads, the company allows its owners to bring their trains to the headquarters where they are separated and reorganized. They also provide services to more than 100 local manufacturing companies that ship products across North America.

On Thursday evening, the Akira ransomware gang added the company to its leak site, claiming to have stolen 85 GB of data.

Christopher Steinway, general counsel of Belt Railway, told Recorded Future News that it recently became aware that “a threat actor group posted on its website that it had obtained certain company information.”

“The event did not impact our operations. We have engaged a leading cybersecurity firm to investigate the incident and are working with federal law enforcement,” Steinway said.

“Our investigation remains ongoing.”

Threat Actor: Akira Ransomware Gang

The Akira ransomware gang emerged in March 2023 and has since compromised at least 63 victims, including the government of Nassau Bay in Texas; Bluefield University; a state-owned bank in South Africa; major foreign exchange broker London Capital Group; and Yamaha’s Canadian music division.

Victim: Belt Railway Company of Chicago

The Belt Railway Company of Chicago — based in Bedford Park, Illinois — is co-owned by six railroad companies in the U.S. and Canada, each of which uses the company’s switching and interchange facilities.

Reference: Largest switching and terminal railroad in US investigating ransomware data theft
Incident: Unnamed US Energy Company Targeted with QR code Phishing Campaign

Cybersecurity researchers uncovered a large phishing campaign using malicious QR codes with the hopes of acquiring Microsoft credentials at several targets, including a major U.S. energy company.

QR codes have become widely adopted since the onset of the COVID-19 pandemic, with thousands of restaurants and businesses replacing physical menus and guides with the machine-readable images that pull up webpages containing the same information. But hackers have been quick to exploit the trend, launching campaigns that spread fake QR codes to steal user information.

Cybersecurity firm Cofense released a new report on Wednesday identifying a campaign that began in May targeting a wide array of industries. The hackers sent thousands of emails containing malicious QR codes to companies, which took users to a Microsoft credential phishing page. The author of the report declined to name the energy company that was attacked but said that about 29% of the emails they tracked as part of the campaign were sent to the energy company.

Reference: Phishing campaign used QR codes to target large energy company
Incident: Data Breach at Medical Food Home Delivery Service Affects 1.2M People

PurFoods, a U.S. producer of medically-tailored home-delivered meals, disclosed a data breach affecting over 1.2 million people. The incident occurred in January but was not discovered until February, the company said. Customers were notified late last week that their data had been compromised. PurFoods also notified federal law enforcement about the incident.

During the investigation, which is still ongoing, the company found out that certain files in its network were encrypted. It also identified the presence of tools that could be used for data exfiltration, adding that it’s possible that data was stolen from one of its file servers.

Victim: PurFoods

PurFoods partners with health plans, managed care organizations, and government agencies to offer meals to people enrolled in Medicare and Medicaid health programs, as well as those who pay for the service themselves. PurFoods customers include seniors, high-risk patients and people who are permanently or temporarily disabled.

Reference: US food delivery service PurFoods discloses data breach
Incident: Polish Railways Hack Paralyzed Freight and Passenger Trains

An attack on the communications network of Poland's national railway halted 20 trains across the country and paralyzed traffic for hours over the weekend, according to Poland’s railway infrastructure operator. The suspects, who are Polish citizens aged 24 and 29, were arrested near the border with Belarus. RMF radio reported that one of the suspects is allegedly a police officer in Bialystok. On Tuesday, Polish police announced the suspension of one of its officers in the area, but gave few additional details.

The saboteurs were able to paralyze the trains — both freight and passenger — across the country by simply sending “stop” commands via radio frequency to the trains they targeted. The attackers also played the Russian national anthem and parts of a speech by Russian president Vladimir Putin on the railway’s radio. Polish trains use a radio system that lacks encryption or authentication, making them vulnerable to such hacks.

Victim: Poland Railway System

Polish Railways

Reference: Two suspects arrested following Poland railway hack
Incident: Ransomware Attack at Sri Lanka Government Wipes Months of Data

Sri Lanka’s government email network was hit by a ransomware attack that wiped months of data from thousands of email accounts, including ones belonging to top government officials, authorities confirmed on Monday. The attack, which started at the end of August, affected nearly 5,000 email addresses using the email domain. The victims include Sri Lanka’s council of ministers which forms the central government of the country.

The targeted system, Lanka Government Cloud (LGC), was encrypted along with backups of the system. Although officials were able to restore LGC within 12 hours of the attack, they didn’t have backups from May 17 to August 26, so all affected accounts lost data from that period, according to Mahesh Perera, the head of Sri Lanka’s Information and Communication Technology Agency (ICTA).

Perera told media outlets that the Sri Lankan government doesn’t plan to negotiate with the attackers or pay any ransom to retrieve the lost data. The agency did not respond to a request for comment.

Victim: Sri Lanka Government

Sri Lanka Government

Reference: Sri Lankan government loses months of data following ransomware attack
Incident: Airbus IT System Breach Exposes Data from Thousands of Airbus Vendors

The European aerospace giant Airbus said on Tuesday that it is investigating a cybersecurity incident following reports that a hacker posted information on 3,200 of the company’s vendors to the dark web. A threat actor using the moniker "USDoD" posted Monday on BreachForums that they obtained access to an Airbus web portal after compromising the account of a Turkish airline employee. The hacker claimed to have details on thousands of Airbus vendors, including names, addresses, phone numbers and emails, according to a report from Hudson Rock.

Airbus spokesperson Philippe Gmerek confirmed to Recorded Future News that hackers breached an “IT account associated with an Airbus customer” and that the company was investigating the incident. This account was used to download business documents dedicated to this customer from an Airbus web portal, the company said.

According to Hudson Rock, the threat actor posted the leaked information publicly without making any demands. Few details are known about the threat actor or their motivations, but they have said they are a member of the relatively new ransomware group known as “Ransomed.”

Victim: Airbus

Airbus is the world's largest manufacturer of airliners as well as the leading helicopter manufacturer.

Reference: Airbus investigates data leak allegedly involving thousands of suppliers
Incident: Ransomware Attack at US-Canada Water Management Organization

International Joint Commission (IJC), the organization tasked with managing the lake and river systems along the border between the U.S. and Canada for the last hundred years, announced Wednesday that it experienced a cyberattack following reports that ransomware hackers claimed to have stolen reams of data.

The NoEscape ransomware gang claimed it attacked the organization — which has offices in Washington, D.C., Ottawa and Windsor — and stole 80 GB of contracts, geological files, conflict of interest forms and more. The gang gave the IJC 10 days to respond to their demand for a ransom. The group did not say how much money it was demanding to unlock the files. IJC did not respond to requests for comment about whether a ransom would be paid.

This week, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it would be offering drinking water and wastewater systems free vulnerability scanning services. Water systems can get weekly automated scans that will provide a report on known vulnerabilities found on internet-accessible assets, week-to-week comparisons, and mitigations.

Reference: US-Canada water org confirms ‘cybersecurity incident’ after ransomware crew threatens leak
Threat Actor: NoEscape ransomware gang

NoEscape is a ransomware-as-a-service operation that appeared in May 2023 and takes a double-extortion approach. That means instead of simply infecting victims' machines with malware, encrypting their files and demanding a ransom to release the data, the crooks first steal the files before locking them up. They threaten to leak the information, as well as withhold the decryption keys, if the victims don't pay the ransom.

NoEscape operators do not target organizations based in the former Soviet Union. This is a similar MO to other ransomware groups, such as the now-defunct Conti and Black Basta, which also avoid infecting Russian companies and government agencies. The gang is believed to be a rebrand of Avaddon – another ransomware crew that shut down and released its decryption keys in 2021, according to Bleeping Computer.

NoEscape hackers have taken credit for attacks on Germany’s bar association and Hawaiʻi Community College as well as Australian companies, a hospital in Belgium, a manufacturing company in the US and another manufacturing company in the Netherlands.

Victim: International Joint Commission (IJC)

The International Joint Commission (IJC) — guided by the 1909 Boundary Waters Treaty signed by both countries — approves projects that affect the water levels and flows across the border, investigates transboundary issues and offers solutions (Canada/USA).

Reference: US-Canada water commission investigating cyberattack
Incident: Operations Impacted at Americold after Network Breach

Atlanta-based cold storage giant Americold was hit with a cyberattack, according to filings with the Securities and Exchange Commission. On April 26, the company “began to receive evidence that its computer network was affected by a cybersecurity incident,” it wrote in the SEC filing. “The Company immediately implemented containment measures and took operations offline to secure its systems and reduce disruption to its business and customers.”

“The Company is taking action to resume normal operations at impacted facilities so that it can continue to support customers,” it wrote. “The Company will continue to take appropriate measures to further safeguard the integrity of its information technology infrastructure, data and customer information.”

Reference: Cold storage giant Americold outage caused by network breach
Reference: Cold storage company Americold reports cyberattack to SEC
Incident: US Largest Freight Transportation Companies Impacted by ORBCOMM Software Outage

New Jersey-based ORBCOMM, one of the biggest providers of software for the trucking industry, acknowledged a ransomware attack after reports emerged of issues that customers had with its products.
An ORBCOMM executive confirmed the attack to Recorded Future News but would not say which ransomware group was behind the incident or whether a ransom would be paid. Trucking and fleet management solutions provider ORBCOMM has confirmed that a ransomware attack is behind recent service outages preventing trucking companies from managing their fleets.

ORBCOMM is a solutions provider for freight companies to manage fleets and track transported assets. The company also provides Electronic Logging Devices (ELD) that truckers use to log their hours to adhere to federal safety regulations. The department granted an extension to all carriers using ELD models from ORBCOMM, allowing drivers to use paper logs while the system is down. The outage has impacted some of the country's largest freight transportation companies, as they cannot track their fleets and inventory.

Reference: ORBCOMM ransomware attack causes trucking fleet management outage

Victim: ORBCOMM

ORBCOMM is an American company that offers industrial internet and machine-to-machine (M2M) communications hardware, software and services designed to track, monitor, and control fixed and mobile assets in markets including transportation, heavy equipment, maritime, oil and gas, utilities and government.

The company provides hardware devices, modems, web applications, and data services delivered over multiple satellite and cellular networks.

Reference: Major trucking software provider confirms ransomware incident
Reference: Alert – Distributed Denial of Service campaign targeting multiple Canadian sectors
Incident: DDoS Attack at Border Checkpoints in Canada

A cyberattack suspected to be carried out by a pro-Russia hacking group reportedly resulted in widespread service disruptions at several Canadian airports. The Canada Border Services Agency (CBSA) confirmed to Recorded Future News that the connectivity issues that affected check-in kiosks and electronic gates at airports last week are the result of a distributed denial of service (DDoS) attack. Such attacks work by flooding systems with junk traffic, disrupting their operations. CBSA's spokesperson said that they had restored all systems within a few hours. The Montreal Airport Authority (ADM) told the Canadian newspaper La Presse that a computer outage at check-in kiosks caused significant delays in the processing of arrivals for over an hour at border checkpoints throughout the country, including Montreal-Trudeau International Airport.

CBSA has not disclosed how a DDoS attack managed to breach the computer system used by check-in kiosks at airports. This system is supposed to be on a closed circuit, meaning it should not be connected to the internet, La Presse reported. CBSA did not respond to a request for comment.

Victim: Canada Border Services Agency (CBSA)

Canada Border Services Agency (CBSA)

Reference: Canada blames border checkpoint outages on cyberattack
Incident: Data Breach at Air Canada Involved Employee Information

Canada’s largest airline announced a data breach this week that involved the information of employees, but said its operations and customer data were not impacted. “An unauthorized group briefly obtained limited access to an internal Air Canada system related to limited personal information of some employees and certain records. Flight operations systems and customer facing systems were not affected,” the company said.

“No customer information was accessed. We have contacted parties whose information has been involved as appropriate, as well as the relevant authorities. All our systems are fully operational.”
The company added that it worked with cybersecurity experts to further lock down its systems following the incident. (The announcement came on the same day that a cyberattack suspected to be carried out by a pro-Russia hacking group reportedly resulted in widespread service disruptions at several Canadian airports.)

UPDATE: October: BianLian extortion group claims recent Air Canada breach

Reference: Air Canada says hackers accessed limited employee records during cyberattack
Victim: Air Canada

Air Canada, Canada’s largest airline.

Reference: Marine industry giant Brunswick Corporation lost $85 million in cyberattack, CEO confirms
Reference: Clorox reports production issues after August cyberattack
Incident: MOVEit Campaign Continues, Affecting Nearly 900 Schools in Almost Every US State

U.S. educational nonprofit National Student Clearinghouse (NSC) has disclosed a data breach affecting 890 schools using its services across the United States. Attackers gained access to its MOVEit managed file transfer (MFT) server on May 30 and stole files from nearly 900 colleges and universities across the U.S. The stolen information includes personally identifiable information such as Social Security numbers and dates of birth.

The attack on NSC was one of several involving MOVEit that had wide-ranging downstream effects.

Victim: National Student Clearinghouse (NSC)

U.S. educational nonprofit National Student Clearinghouse (NSC)

Reference: National Student Clearinghouse data breach impacts 890 schools
Reference: MOVEit fallout continues as National Student Clearinghouse says nearly 900 schools affected (September 25th, 2023)
Incident: KIA Motors GA Plant Hit in Cyber Incident

A cybersecurity incident shut down manufacturing at the KIA Motors West Point, Georgia facility earlier this month.
While KIA addressed the problem in a day, manufacturing ground to a halt on September 6 when shifts and deliveries were disrupted. A KIA spokesperson confirmed some details related to the cybersecurity issue.
“Kia Georgia was alerted by a supplier of a cybersecurity issue that has resulted in a disruption to our regular production schedule. Kia Georgia is working closely with the supplier to minimize impact and anticipates a prompt return to normal operations,” said Patrick Sands, a spokesperson with KIA.
It appears the auto manufacturer and other auto suppliers, who operate on the same software system, ended up hacked by cyber pirates who demanded a ransom to restore data and service.

Reference: Cyber Incident Disrupts KIA Manufacturing
Incident: Zaun, a Fencing Supplier, Suffers Ransomware Attack

Fencing products maker, UK-based Zaun, suffered a ransomware attack by the LockBit attack group which started leaking information it purloined from the hack.
The West Midlands, UK company supplies some of the UK’s key military installations.
LockBit’s data release included sales orders relating to the Porton Down research unit in Wiltshire and the Faslane nuclear submarine base in Scotland. It also mentions details of equipment used at GCHQ’s Bude satellite ground station and network monitoring site.

Reference: UK Fencing Supplier Hit In Ransomware Attack
Victim: Zaun

Fencing products maker, West Midlands, UK-based Zaun, supplies some of the UK’s key military installations.

Incident: Inside Job: Tesla Suffers Data Breach

Two former Tesla workers released confidential information regarding over 75,000 people to a German media outlet this past May.
The breach occurred on May 10, and Tesla took immediate action to contain it and make sure the information was not released.
The auto giant said in a statement to its customers:
“At Tesla, we take data privacy and security seriously — so we are writing to tell you about a data incident that involved your information. While we have not identified evidence of misuse of the data in a manner that may cause harm to you, we are nonetheless providing you with this notice to ensure that you are aware of what happened and the measures we have taken."

Reference: Tesla Suffers Data Breach From Disgruntled Ex-Workers
Victim: Tesla

Tesla, Inc. is an American multinational automotive and clean energy company headquartered in Austin, Texas. Tesla designs and manufactures electric vehicles, stationary battery energy storage devices from home to grid-scale, solar panels and solar shingles, and related products and services.

Incident: Ransomware Attack Against Montreal Utility

A 100-year-old municipal organization that manages electrical infrastructure in the city of Montreal suffered a ransomware attack at the hands of the Lockbit criminal group.
Commission des services électriques de Montréal (CSEM) suffered the attack at the hands of the ransomware gang called Lockbit this past Wednesday, which said it “added Commission des services electriques de Montreal to their victim list.”
The electric provider said in an advisory it was hit with ransomware on August 3 but refused to pay the ransom.

Reference: Montreal Utility Hit In Ransomware Attack
Victim: Commission des services électriques de Montréal (CSEM)

A 100-year-old municipal organization that manages electrical infrastructure in the city of Montreal.

Incident: Limited Operational Impact after Cyberattack at Copper Mining Company FCX

Copper mining company Freeport-McMoRan (FCX) suffered a cyberattack that hit its information technology systems and caused limited impact to its operations. Phoenix, Arizona-based FCX said: “The company is assessing the impact and proactive measures are being taken to address the situation. The company is working closely with third-party experts and law enforcement.

“To date, there has been limited impact on production. Transitional solutions are being planned and implemented to secure information systems as quickly as possible.”

Victim: FCX (Freeport-McMoRan)

Arizona-based mining company Freeport-McMoRan (FCX) operates large, long-lived, geographically diverse assets with significant proven and probable reserves of copper, gold and molybdenum.

FCX is one of the world’s largest publicly traded copper producers.

Reference: Copper Mining Firm Hit In Attack
Reference: Rapattoni reportedly restores service to its NorCal MLS network
Incident: Rapattoni Cyber Attack has Significant Financial Impact on Real Estate Sector

The August 8 Rapattoni cyberattack on the NorCal MLS provider has dragged on for more than 14 days. Rapattoni says “certain essential components” are missing to restore service. This is said to be the longest-running cyberattack on an MLS.

Real estate agents are unable to track property online as the information on listing websites was not updated, and buyers could not discover new houses. Subsequently, fewer buyers showed up for open houses, reducing competition for available houses and affecting their prices. Some realtors resorted to manual systems and old-school real estate marketing tactics like cold-calling buyers or passing flyers, while others started sharing property information on social media.

Rapattoni did not confirm if a ransom was paid.

Victim: Rapattoni

Northern California MLS provider (Real Estate)

Reference: Cyberattack on NorCal MLS provider drags on for 14th day
Reference: Real estate agents resort to manual systems after the Rapattoni cyber attack
Incident: Independent Businesses Suffer Big Hit as Result of Cyberattack on Swan Retail IT Firm

Up to 300 independent retailers have been left unable to process stock after being hit by a cyber attack at fulfilment software supplier Swan Retail. The attack took place on Sunday (13 August).

Independents told Drapers that their businesses have taken a big hit since the attack as they struggled to replenish stock in-store or fulfil online orders. Some have also had to delay bringing in new autumn/winter collections as a result.

Victim: Swan Retail

IT supplier Swan Retail works with around 300 independent retailers in sectors including fashion, homeware, sports, catering and garden centres in the UK.

Reference: Indies ‘in standstill’ after cyber attack hits IT supplier
Reference: Exclusive: 300 independent retailers affected by cyber attack
Incident: Wide-ranging Ransomware Attack Takes Down Local County Government in Alabama

The local government of George County, Alabama was thrown into chaos this weekend when ransomware actors used a discreet phishing email to gain deep access to the county’s systems. The ransomware attack took down nearly all of the government’s in-office computers.

The attack is the latest in a string of incidents affecting counties across the U.S., including ones in Delaware, California, South Carolina, New Jersey and Oregon as well as major metropolitan areas like Oakland and Dallas. Ransomware groups have shown little preference, targeting both small counties and large ones alike. The second quarter of 2023 saw 59 attacks, far above the 51 seen in the second quarter of 2022.

Victim: George County, Alabama

Local government of George County, Alabama

Reference: ‘It feels like a digital hurricane’: Coastal Mississippi county recovering from ransomware attack
Incident: MOVEit Transfer data breach at Zellis affect

UK payroll and HR solutions provider Zellis suffered a data breach due to MOVEit attacks. "A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software's MOVEit Transfer product," Zellis told BleepingComputer in a statement on June 7. "We confirm that a small number of our customers have been impacted and we are actively working to support them. Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate. We have also notified the ICO, DPC, and the NCSC in both the UK and Ireland."

Additional information, 23AUG23:
On June 6th, 2023, the notorious Russian-affiliated ransomware group, Clop, claimed responsibility for an attack that targeted Progress Software’s MOVEit transfer tool. This corporate file-sharing solution has an extensive customer base in the United States. Organizations use MOVEit for secure file transfers; it’s essentially a more jazzed-up, professional version of popular file-sharing tools like Dropbox. In May 2023, cybercriminals at Clop uncovered a previously unknown vulnerability in MOVEit, which they began exploiting. Up to 130 organizations suffered from downstream impacts when the vulnerability in MOVEit enabled Clop hackers to gain access to their IT environment and steal sensitive data.

Reference: The MOVEit hack and what it taught us about application security
Reference: Clop ransomware claims responsibility for MOVEit extortion attacks
Victim: Zellis

Payroll service provider

Incident: BBC Victim of MOVEit Software Hack at Payroll Service Provider Zellis

British Airways (BA), the BBC, Ofcom and Boots were among a number of organisations that were reportedly victims of a major recent cyber-attack, resulting in the breach of numerous staff details. The stolen data is said to include staff names, staff ID numbers and national insurance numbers (although, importantly, not banking details). The recent attack was against a piece of software called Moveit, which is used to transfer computer files from one location to another. It involved what’s called a “zero-day exploit”, a piece of computer code that takes advantage of a previously unknown vulnerability. This allowed hackers to compromise Zellis, a trusted supplier of services to BA, the BBC, Boots and others. Zellis confirmed a “small number” of customers had been affected, adding that it had disconnected the server using Moveit as soon as it became aware of the incident.

Since Zellis is the main payroll service provider to these organisations, it is easy to trace how this incident started. Responsibility for the attack was claimed by the Russia-linked “cl0p” group, which has since issued an ultimatum to the affected organisations – asking for money unless they want the stolen data to be released on the dark web.

Reference: BBC, British Airways among big-name victims in MOVEit software hack
Incident: Boots also Victim MOVEit Software Hack at Zellis

British Airways (BA), the BBC, Ofcom and Boots were among a number of organisations that were reportedly victims of a major recent cyber-attack, resulting in the breach of numerous staff details.

The stolen data is said to include staff names, staff ID numbers and national insurance numbers (although, importantly, not banking details). But, other than for those personally affected, the real issue is what this attack reveals about the evolution of cybercrime.

Incident: British Airways also Breached by MOVEit Software Hack (Zellis)

British Airways (BA), the BBC, Ofcom and Boots were among a number of organisations that were reportedly victims of a major recent cyber-attack, resulting in the breach of numerous staff details. The stolen data is said to include staff names, staff ID numbers and national insurance numbers (although, importantly, not banking details).

The recent attack was against a piece of software called Moveit, which is used to transfer computer files from one location to another. It involved what’s called a “zero-day exploit”, a piece of computer code that takes advantage of a previously unknown vulnerability.
This allowed hackers to compromise Zellis, a trusted supplier of services to BA, the BBC, Boots and others. Zellis confirmed a “small number” of customers had been affected, adding that it had disconnected the server using Moveit as soon as it became aware of the incident.

Since Zellis is the main payroll service provider to these organisations, it is easy to trace how this incident started. Responsibility for the attack was claimed by the Russia-linked “cl0p” group, which has since issued an ultimatum to the affected organisations – asking for money unless they want the stolen data to be released on the dark web.

Reference: Update: Boots issued ultimatum by Russian hackers who stole employee data
Reference: (Zellis) Press statement on MOVEit Transfer data breach
Victim: Boots

Boots is a British health and beauty retailer and pharmacy chain in the United Kingdom that also operates internationally, including in Ireland, Italy, Norway, the Netherlands, Malta, Thailand and Indonesia.

Victim: BBC

BBC - The British Broadcasting Corporation is a British public service broadcaster headquartered at Broadcasting House in London.

Reference: BBC, British Airways among big-name victims in MOVEit software hack
Victim: British Airways

British Airways (BA) is the flag carrier of the United Kingdom. It is headquartered in London, England, near its main hub at Heathrow Airport.

Reference: Moveit hack: attack on BBC and BA offers glimpse into the future of cybercrime
Reference: MOVEit Data Incident: What You Need to Know
Incident: First Merchants Bank also Confirmed Data Breach as Result of MOVEit Hacks

Indiana-based banking giant First Merchants Bank also confirmed a data breach affecting sensitive customer information resulting from the MOVEit hacks.

First Merchants said that hackers accessed data including customers’ addresses, Social Security numbers, online banking usernames, payee information and financial account information. “Online or mobile banking passwords were not captured or compromised and remain unaffected by this incident.” First Merchants Bank also has not yet said whether the company has the ability to determine the number of affected customers. A spokesperson did not return a request for comment.

Clop has not yet listed First Merchants Bank on its dark web leak site.

Reference: More organizations confirm MOVEit-related breaches as hackers claim to publish stolen data
Victim: First Merchants Bank

First Merchants Bank, an Indiana-based banking giant with more than $18 billion in assets.

Incident: Seiko Suffers Ransomware Attack

Seiko Group Corporation confirmed it suffered a data breach on July 28 and is apparently a victim of a ransomware attack, according to a Monday post on an attack group’s website.
Seiko, a watchmaker with 12,000 employees and an annual revenue over $1.5 billion, said in an advisory: “It appears that some as-yet-unidentified party or parties gained unauthorized access to at least one of our servers. Subsequently, on August 2nd, we commissioned a team of external cybersecurity experts to investigate and assess the situation.
“As a result, we are now reasonably certain that there was a breach and that some information stored by our company and/or our group companies may have been compromised.”

Reference: Japanese watchmaker Seiko breached by BlackCat ransomware gang
Reference: Seiko Hit In Data Breach
Victim: Seiko Group Corporation

A watchmaking giant with 12,000 employees and an annual revenue over $1.5 billion.

Incident: Energy One Suffers Attack

Wholesale energy software provider Energy One suffered a cyberattack last week that hit systems in Australia and the United Kingdom.
The 15-year-old business provides software and services to Australia, New Zealand and other Pacific islands and European companies.
Energy One detected the attack on August 18 and took “immediate steps to limit the impact of the incident, engaged cyber security specialists, CyberCX, and alerted the Australian Cyber Security Centre and certain UK authorities,” the company said in a statement to the Australian Securities Exchange dated Monday.

Reference: Energy One Hit In Cyber Attack
Victim: Energy One

The 15-year-old business provides software and services to Australia, New Zealand and other Pacific islands and European companies.

Incident: Cleaning Products Maker, Clorox, Suffers Attack

Clorox Company took down systems affecting business operations after a cyberattack hit the Oakland, California-based cleaning products manufacturer, company officials said.

The company said in a 10-Q report in February 2024 that expenses to handle the hack were $49 million for the six-month period; they were $25 million for the first three months.

“The Clorox Company has identified unauthorized activity on some of its Information Technology (IT) systems,” the company said in an 8-K filing with the Securities and Exchange Commission (SEC). “After becoming aware of the activity, the company began taking steps to stop and remediate the activity, including taking certain systems offline. The Company is working diligently to respond to and address this issue, and is also coordinating with law enforcement. To the extent possible, and in line with its business continuity plans, Clorox has implemented workarounds for certain offline operations in order to continue servicing its customers."

In September, the company said some products were in short supply. Production remained an issue as operations have been slow to get back up to full speed. The company said it had been fulfilling and processing orders manually. The company said it expects to return to normal operations next week. “Clorox is still evaluating the extent of the financial and business impact. Due to the order processing delays and elevated level of product outages, the Company now believes the impact will be material on Q1 financial results."

In regulatory filings with the SEC, the company said the cyberattack “damaged portions of the Company’s IT infrastructure, which caused widescale disruption of Clorox’s operations.”

Reference: Clorox Hit In Cyberattack
Victim: Clorox Company

Clorox makes and sells consumer and professional cleaning products, including Brita, Glad, Green Works Cleaning Products, Kingsford, Liquid-Plumr, Pine-Sol, and Tilex. The company has locations in 25 countries and has a market presence in over 100 countries.

Incident: Tempur Sealy International Suffers Cyberattack

Mattress and bedding products maker Tempur Sealy International, Inc. suffered a “temporary interruption of the company’s operations” and is in the process of recovering from a cyberattack last week. “On July 23, 2023, Tempur Sealy International, Inc. identified a cybersecurity event involving certain of the Company’s information technology systems.

Upon discovery of the event, the Company activated its incident response and business continuity plans designed to contain the incident. This included proactively shutting down certain of the Company’s IT systems, resulting in the temporary interruption of the Company’s operations. Legal counsel, a cybersecurity forensic firm and other incident response professionals have been engaged to advise on the matter. The Company has also notified law enforcement authorities,” the company said in an 8-K notice to the Securities and Exchange Commission (SEC).

AlphV/Black Cat ransomware group took credit for the attack on the company, claiming to have sensitive documents from senior officials.

Reference: Mattress Maker Hit In Cyberattack
Victim: Tempur Sealy International

Mattress and bedding products maker.

Reference: Japanese Port Reopens After Russian Ransomware Group Attack
Incident: BlackCat Ransomware Attack at Lehigh Valley Health Network

Lehigh Valley Health Network has confirmed that its Jan. 8 cyberattack was conducted by Russian ransomware gang BlackCat. On June 29, 2023 the health system notified patients that the breach from BlackCat occurred on Jan. 8, with the health system detecting the ransomware on its IT system on Feb. 6.

BlackCat was able to obtain some patients' protected health information including email addresses, banking information, medical information, Social Security numbers and more.

In addition, the cybercriminals may have stolen the sensitive photographs of as many as 2,760 patients, officials said Thursday. Some of those images were posted on the dark web. According to the court filing, the health care provider suggested a class-action lawsuit over the data breach. That would likely involve more than 100 people and could cost about $55 million.

LVHN also revealed that the hackers responsible for the breach demanded a ransom of over $5 million in February, which officials refused to pay.

Victim: Lehigh Valley Health Network

Lehigh Valley Health Network, PA, USA

Reference: Lehigh Valley Health Network confirms it was attacked by ransomware gang BlackCat
Reference: Cybercriminals stole sensitive photos of nearly 3K patients in LVHN data breach: Officials
Incident: 300 KFC, Pizza Hut and Taco Bell Restaurants Shut Down after Ransomware Attack on Parent Company

KFC, Pizza Hut, and Taco Bell parent company Yum! Brands confirmed a ransomware attack that leaked company data and shut down restaurants in the United Kingdom.

Yum! quickly mitigated the ransomware attack, and all outlets resumed operations within 24 hours.
“With the ransomware being contained to a third of Yum! Brands UK outlets and the downtime being limited to 1 day – Yum! Brands have done relatively well recovering,” said Morten Gammelgard EVP, EMEA at BullWall. “The average amount of downtime for organizations when hit by Ransomware is approximately 24 days.”

Breach notification letters were sent to affected people starting Thursday 6 April. Yum! Brands revealed that it has "now found out the attackers stole some individuals' personal information, including names, driver's license numbers, and other ID card numbers."

Reference: KFC, Pizza Hut owner discloses data breach after ransomware attack
Reference: Yum! Brands January 18, 2023 Statement
Victim: Yum! (KFC, Pizza Hut, and Taco Bell parent company)

Yum! Brands, the parent company of KFC, Pizza Hut, and Taco Bell, operates 53,000 restaurants in 155 territories, with 1,000 restaurants in the United Kingdom. The company owns assets worth over $5 billion and records about $1.3 billion in annual profits.

Reference: KFC, Pizza Hut, and Taco Bell Ransomware Attack Shuts Down 300 Restaurants in the UK
Incident: 14 Ontario Gateway Casinos Close for Two Weeks after Ransomware Attack

Canada’s Gateway Casinos & Entertainment Ltd. confirmed on Friday, 22 April that all 14 of the company’s casinos in the province of Ontario were shut down after being hit with a ransomware attack on 16 April.

On Saturday, April 29, Gateway Casinos confirmed it was starting to re-open its Ontario operations. The company's 15 other casinos in other provinces were not affected and remained open.

Victim: Canada’s Gateway Casinos & Entertainment Ltd

Canada’s Gateway Casinos & Entertainment Ltd

Reference: Cyberattack – 14 Canadian Casinos Shut Down Since April 16
Reference: Ontario casino ransomware attack ‘as bad as it gets,’ expert says
Reference: Gateway Casinos ransomware attack highlights need for better cybersecurity, says analyst
Incident: Secret Network of US Marshals Infiltrated by Hackers

On February 17 the U.S. Marshals Service "discovered a ransomware and data exfiltration event affecting a stand-alone USMS system." The unidentified hackers infiltrated a network used by the Technical Operations Group (TOG) to track fugitives, the Washington Post reports. The group's precise activities are kept secret.

US Marshals Service spokesperson Drew Wade said no one in the witness protection program is in danger because of the breach. Nevertheless, the official said, the incident is significant, affecting law-enforcement-sensitive information pertaining to the subjects of Marshals Service investigations.

The agency developed a workaround enabling the unit to continue its operations and its efforts to track down fugitives. “Most critical tools” related to the affected computer network “were restored within 30 days of the breach discovery” in February, Wade told CNN, declining to explain what those critical tools were. The affected system remained offline nearly three months after the attack.

The Technical Operations Group (TOG) network provides the surveillance capabilities used to track fugitives. The group operates 29 field offices in the US and Mexico.

Victim: United States Marshals Service

The United States Marshals Service is a federal law enforcement agency in the United States. The USMS is a bureau within the U.S. Department of Justice.

Reference: US Marshals Service still recovering from February ransomware attack affecting system used by fugitive hunters
Reference: Computer system used to hunt fugitives is still down 10 weeks after attacks
Incident: Emergency Shut Down at Medical Clinic in TN after Cyberattack

A cyberattack on Murfreesboro Medical Clinic & SurgiCenter (MMC) in Tennessee shut down operations for around two weeks.

On April 22, 2023, the network was rapidly shut down to contain the attack. MMC said this limited the damage. MMC has been working with cybersecurity experts and law enforcement to investigate the incident and determine its extent. While that work was being completed, the decision was taken to close all operations.

MMC planned to reopen on a limited basis on May 3, 2023 and to restore full operations shortly thereafter. However, the recovery took longer than planned.

Victim: Murfreesboro Medical Clinic & SurgiCenter (MMC)

Murfreesboro Medical Clinic & SurgiCenter (MMC) in Tennessee

Reference: Ransomware Attack Results in 2 Week Shutdown of Operations at TN Medical Clinic
Incident: Recycling, Mining Provider, Tomra, Hit in ‘Extensive’ Attack

Norwegian recycling and mining corporation Tomra suffered an “extensive cyberattack” Sunday which affected some of its data systems, company officials said.
“Tomra has been targeted by an extensive cyberattack directly affecting some of the company’s data systems,” the company said in a statement. “Relevant authorities have been informed, and all available internal and external resources have been mobilized to contain and neutralize the incident.
“The attack was discovered in the morning of July 16th (CET), and immediate actions were taken to stop it and mitigate consequences. We immediately disconnected some systems to contain the attack, and Tomra is currently assessing whether customers and employees might experience reduced stability in our services. Our primary focus now is to get all systems up and running again as fast as possible."

Reference: Norwegian Giant Tomra Suffers “Extensive” Attack
Reference: Recycling, Mining Provider Suffers ‘Extensive’ Attack
Victim: Tomra

Tomra builds automated tools for a range of industries and is best known for its reverse vending machines, which collect metal, plastic, and glass beverage containers for recycling. The company is also active in the waste and metal recycling, mining and food production sectors.

Incident: Cosmetics Giant Estée Lauder Suffers Breach

Cosmetics giant Estée Lauder confirmed on Tuesday that a hacker stole some data from its systems, with the incident disrupting its business operations.
The cosmetics maker is continuing to work on restoring the affected systems and has implemented measures to secure its operations, including taking down some of its systems to mitigate the incident, the company said in a statement.
Two ransomware actors, ALPHV/BlackCat and Clop, listed Estée Lauder on their data leak sites as the victim of separate attacks. In a message to the company, the BlackCat gang said it was still present on the network, according to a published report.
In a Securities and Exchange Commission (SEC) filing on Tuesday, Estée Lauder confirmed one of the attacks, saying the threat actor had gained access to some of its systems and may have stolen data.
Further information on the attack was not immediately available, but the company did say it took down some systems to prevent the attackers from expanding their foothold on the network.

Reference: Estée Lauder beauty giant breached by two ransomware gangs
Reference: Estée Lauder Hit In Data Breach
Victim: Estée Lauder

Maker of skin care and cosmetics.

Reference: Ventia Systems Affected By Cyber Incident
Incident: 225K Customers Without Power in Ukraine Power Grid Hack

On the evening of December 23, 2015, the cursor on a grid operator's computer screen started to move on its own. Hackers had struck the Ukrainian power distribution company Prykarpattyaoblenergo, tripping one circuit breaker after another. It was the first known cyberattack to successfully take down a power grid. Soon after, about half of the population of Ukraine's Ivano-Frankivsk region was left without power for up to six hours. While power was restored within hours, it took months for all of the control centers to become fully operational again.

The hack on Ukraine's power grid was a first-of-its-kind attack that set an ominous precedent for the security of power grids everywhere.

Incident: Hacktivists Take Down Multiple Japanese Government Websites

A pro-Russia hacker group has claimed to be involved in attacks on Japanese government and company websites.

The DDoS attack on the e-Gov website shut down the site for a few hours on Sept. 6. It became inaccessible again from around noon on Sept. 7 until early morning on Sept. 9. The e-Gov website allows users to request disclosure of administrative documents and provides information on laws and regulations. The site receives about 7.8 million hits a day.

In addition, between Sept. 6 and 9, the attacks made 23 government websites temporarily inaccessible. These sites belonged to the Digital Agency, the Internal Affairs and Communications Ministry, the Education, Culture, Sports, Science and Technology Ministry and the Imperial Household Agency. Some sites of credit card company JCB Co. were inaccessible, and websites of social media company mixi, Inc. were also hard to access.

On September 6, 2022, the website of the Nagoya Port Authority was unreachable for about 40 minutes.

Victim: Japanese Government Departments

Japanese Government Ministries

Threat Actor: Killnet

Killnet is a hacktivist group that uses cyberattacks to support a political cause. DDoS attacks are a favoured method of hacktivists because the effect, a website going down, is immediately visible.

Killnet is a pro-Russian group whose activities have been observed since early 2022. In May 2022 it declared a “cyber war” on ten nations, including the United States, United Kingdom, Germany and Italy.

Reference: Pro-Russia hackers claim to have temporarily brought down Japanese govt websites
Incident: Container Processing Halted at The Port of Nagoya

The Port of Nagoya, the largest and busiest port in Japan, was targeted in a ransomware attack. The attack occurred around 6:30 AM on July 4. A notice was issued reporting a malfunction in the “Nagoya Port Unified Terminal System” (NUTS), the central system controlling all container terminals in the port.

All container loading and unloading operations at the terminals using trailers were cancelled, causing major financial losses to the port and severe disruption to the flow of goods to and from Japan. The attack held up shipments of Toyota auto parts containers for two days; the port reopened on Thursday morning and took three days to fully resume operations. A nearby Toyota auto parts packaging plant that exports through the port had to shut down on Friday.

LockBit 3.0 was identified as the attacker from the ransom note.

Victim: Nagoya Port Authority

The Nagoya port accounts for roughly 10% of Japan's total trade volume. It operates 21 piers and 290 berths, handling over two million containers and 165 million tons of cargo every year. The port is also used by Toyota Motor Corporation, one of the world’s largest automakers, to export most of its cars.

Reference: Japan’s largest port stops operations after ransomware attack
Incident: Hackers take control of a water treatment system at a hotel in Israel


Following GhostSec's earlier claimed breach of 55 Berghof PLCs in Israel, the hacktivist group published another announcement on the weekend of September 10, 2022 alleging that it had breached another controller in Israel, an Aegis II controller manufactured by ProMinent.

According to images GhostSec published, the group appeared to have taken control of a water system’s pH and chlorine levels. In the published message, the hacktivists said they “understand the damages that can be done …” and that the “Ph pumps” are an exception to their anti-Israel cyber campaign.

Incident: Russian Natural Gas Network System Attacked by pro-Ukrainian Hacker Group

A SCADA attack targeted the natural gas system of the city of Khanty-Mansiysk. The attack reportedly knocked out the city's power plant and caused a blackout at its airport, according to International Business Times. Khanty-Mansi, the world's second-biggest oil-producing region before Western sanctions hit Russian oil, was the centre of the old Soviet oil industry. The SCADA system of the city's natural gas network, along with its backup system at the airport, was reportedly completely destroyed in the attack.

The pro-Ukrainian group Team OneFist is reportedly behind the attack. The group stressed that it observes the rules of war and had taken steps to avoid potential harm to hospitals and civilians, and said that the latest hack was launched by Team OneFist's new Ukrainian members together with Voltage as a "joint training mission" to give the new members "a feel of what a SCADA attack is like."

Incident: Satellite Communications System Serving the Russian military Knocked Offline

A group of previously unknown hackers has claimed responsibility for a cyberattack on the Russian satellite communications provider Dozor-Teleport, which is used by energy companies and the country's defense and security services.

Doug Madory, head of internet analysis at the network monitoring company Kentik, confirmed to Recorded Future News that Dozor-Teleport had been disconnected from the internet and was unreachable. Dozor’s parent company, Amtel Svyaz, also suffered a significant outage late on Wednesday, according to Madory.

The hackers claim that they damaged some of the satellite terminals and leaked and destroyed confidential information stored on the company's servers. The group posted 700 files, including documents and images, to a leak site, as well as some to their newly created Telegram channel.

The group claims to be affiliated with the notorious Wagner Group. There was no mention of the hack on the official Telegram channel of the Wagner Group, and several experts expressed skepticism that the mercenary group was involved.

Dozor did not respond to inquiries about the attack.

Reference: Hackers claim to take down Russian satellite communications provider
Reference: Hackers force Russian military satellite operator offline
Victim: Dozor-Teleport

Russian satellite communications operator.

Incident: AON MOVEit Hack affects Dublin Airport Staff Data

Some Dublin airport staff's financial information has been compromised by a cyber-attack on provider company Aon (AON.N) that also affected various other firms, the Dublin Airport Authority (DAA) said on Sunday.

Britain's Sunday Times reported that the attack on the file-transfer software MOVEit, used by Aon, affected nearly 2,000 Dublin airport staff, as well as other agencies and companies in the US and UK.

The Cl0p ransomware gang has claimed responsibility for the mass exploitation of MOVEit Transfer.

Victim: AON

Aon is a global provider of risk management, insurance and reinsurance brokerage, human resources solutions, and outsourcing services.

Reference: Dublin airport staff’s salary data breached
Reference: Dublin airport staff’s pay and benefits compromised in cyberattack
Reference: Dallas ransomware attack prompts new threat detection system
Reference: AIIMS ransomware attack led to new SOP on cyber breaches: Ex-cybersecurity chief Pant
Incident: Confusion About $70M Ransom Demand: Kinmax or TSMC?

"In the morning of June 29, 2023, the Company discovered that our internal specific testing environment was attacked, and some information was leaked," reads the Kinmax statement.
"The leaked content mainly consisted of system installation preparation that the Company provided to our customers as default configurations."

The LockBit ransomware group claimed to have hacked chipmaking giant TSMC. TSMC stated that its supplier Kinmax was attacked instead. Kinmax is not the corporate giant that TSMC is, so LockBit's demand for a $70 million ransom payment will likely be ignored.

While there appears to be a mix-up as to who was compromised in this attack, the $70 million ransom demand is one of the largest seen to date.

Victim: Kinmax Technology

Kinmax Technology is a Taiwan-based IT systems integrator and one of TSMC's IT hardware suppliers.

Reference: Lockbit Demands $70M of TSMC Chipmaking Giant
Reference: Kinmax Technology statement
Incident: Lockbit Demands $70M of TSMC Chipmaking Giant

Chipmaking giant TSMC denied being hacked after the LockBit ransomware gang demanded $70 million not to release stolen data.

On Wednesday, a threat actor known as Bassterlord, who is affiliated with LockBit, began live-tweeting what appeared to be a ransomware attack on TSMC, sharing screenshots of information related to the company. While the Twitter thread has since been deleted, the LockBit ransomware gang created a new entry for TSMC on its data leak site the next day, demanding $70 million or it would leak the stolen data, including credentials for the company's systems.

A TSMC spokesperson told BleepingComputer that TSMC itself was not breached; rather, the systems of one of its IT hardware suppliers, Kinmax Technology, were hacked. "Upon review, this incident has not affected TSMC's business operations, nor did it compromise any TSMC's customer information."

Apart from stating that its systems had not been impacted in any way, TSMC said it had also stopped data exchange with the breached supplier until the situation was resolved.

Reference: Us, hacked by LockBit? No, says TSMC, that would be our IT supplier
Victim: TSMC (Taiwan Semiconductor Manufacturing Company)

TSMC is one of the world's largest semiconductor manufacturers, with its products used in a wide variety of devices, including smartphones, high performance computing, IoT devices, automotive, and digital consumer electronics.

Reference: TSMC denies LockBit hack as ransomware gang demands $70 million

Incident: Hackers Stole Source Code from Taiwanese PC Parts Maker MSI

Taiwanese PC parts maker MSI (Micro-Star International) was listed on the extortion portal of a new ransomware gang known as "Money Message". The threat actors claimed to have stolen 1.5 TB of data from MSI's systems, including source code and databases, and demanded a ransom payment of $4,000,000.

Victim: MSI (Micro-Star International)

MSI is a global hardware giant in Taiwan with an annual revenue that surpasses $6.5 billion.

MSI makes motherboards, graphics cards, desktops, laptops, servers, industrial systems, PC peripherals, and infotainment products.

Reference: Money Message ransomware gang claims MSI breach, demands $4 million
Incident: PharMerica Discloses March Data Breach That Exposed Medical Data of 5.8M

Pharmacy services provider PharMerica has disclosed a massive data breach. According to a data breach notification filed with authorities, hackers breached its systems on March 12, 2023, stealing the full names, addresses, dates of birth, Social Security numbers (SSNs), medications, and health insurance information of 5,815,591 people.

The Money Message ransomware gang claimed the attack on March 28, 2023, when it began publishing the stolen data.

Threat Actor: Money Message ransomware gang

Money Message is a new ransomware operation that launched around March 2023, gaining media attention for its breach against Taiwanese PC parts maker MSI (Micro-Star International).

Victim: PharMerica

PharMerica is a pharmacy services provider operating in all 50 U.S. states, with 180 local and 70,000 backup pharmacies, and serving 3,100 medical facilities nationwide.

Reference: Ransomware gang steals data of 5.8 million PharMerica patients
Incident: Significant Revenue Loss at Indian Pharmaceutical Giant after Cyberattack

Pharmaceutical company Granules India has reported a significant loss of revenue and profitability after a cyberattack late last month. The attack led to major disruptions in the company's IT systems, as well as delays in meeting regulatory requirements and quality standards.
The company reported the incident on May 25. News outlets reported on June 29 that the company said it had restored production to near-normal levels.

Russian ransomware group LockBit has taken responsibility for the cyberattack on Granules India.

Reference: Granules India ransomware attack claimed by LockBit
Victim: Granules India

Indian pharmaceutical manufacturing company based in Hyderabad, India.

Granules manufactures several off-patent drugs, including Paracetamol, Ibuprofen, Metformin and Guaifenesin, on a large scale for customers in the regulated and rest of the world markets.

Reference: Granules India flags significant loss of revenue as it continues to recover from cyber attack
Reference: Paracetamol maker Granules India flags significant operations hit from cyber attack
Reference: Burton Snowboards discloses data breach after February attack
Editorial: Similar Attacks? Just Look at the Facts
Incident: Serious IT Breach at Wisag, German Aviation Services

Wisag, a German aviation services provider, suffered a serious IT breach on Jan. 27. Operational business continued, but processes were severely disrupted for about a week. Wages for 55,000 employees were paid late. Wisag board member Michael Wisser publicly insisted at the time that he would not allow himself to be blackmailed by criminals.

It’s not clear if it’s linked to the Mabanaft breach.

Reference: Official information from the WISAG group of companies on the cyber attack
Reference: Oiltanking and Wisag: Hacker attacks on German companies
Incident: Wisag Group Hacked Again a Year Later

Almost exactly a year after the first attack, the services group Wisag fell victim to hackers again. On Tuesday morning, the IT department found "irregularities" on the servers, a spokeswoman for the Frankfurt-based company said. As a result, all systems and applications were immediately taken off the network.

"At the current time, it is not apparent that customer or internal data has leaked," the statement continues. "We are optimistic that we can safely put all systems back into operation as soon as possible."

Reference: Another hacker attack on the Wisag group
Victim: Wisag Service Group

Family-owned company active in facility management, industrial services and airport services. The group recently reported annual sales of 1.2 billion euros.

Incident: Ransomware Attack Halts Operations at Ziegler Fire Engine Manufacturer

On February 9, the company noticed a cyberattack and shut down all of its systems.

On March 13, company spokesperson Matthias Mühlbacher said: “It was almost possible to restore the current situation at that time. Normal everyday work is possible again in large parts of the plants. All software and hardware components were checked, cleaned or replaced and reinstalled with the help of forensic experts from the IT industry.” Some effects, he emphasized, would accompany the company for a while.

UPDATE, 23 April: Since the ransom was apparently not paid, ALPHV has published documents that are said to belong to the company.

Reference: Ziegler Data Breach on April 24, 2023
Victim: Ziegler

German manufacturer of fire-fighting vehicles.

Reference: After cyber attack in February: All systems restored
Reference: Availability partially restored
Reference: Cyber ​​attack on pump manufacturers: unknown persons blackmail company in MK
Incident: Cyberattack Affects All Locations of German VDM Steel

Unknown perpetrators carried out a cyberattack on VDM Metals. All locations are affected, including Werdohl (administration, wire and strip production), Altena (plate and rod production), Unna (melting plant, forge and rod finishing shop) and Siegen (plate rolling mill). Significant parts of the company's IT infrastructure are affected. Production came to a standstill and parts of the workforce were sent home.

Two weeks later, production was gradually restarting; the main problem appeared to lie in the logistics data flow. VDM said most parts of the business would be up and running again the following week.

Several hundred computers in the company were replaced. The plant is now using server resources from its Spanish parent company Acerinox, as can be seen from employees' new e-mail addresses.

Victim: VDM Metals

VDM Metals, part of Spanish Acerinox Group since 2020, employs around 2000 people worldwide. Based in Werdohl, VDM is the city's largest employer with around 700 employees.

VDM develops high-performance materials which are used, among other things, in car catalytic converters, in high-temperature fuel cells, in energy and environmental technology, in aviation and in the oil and gas industry.

Reference: Technical failures at VDM Metals
Reference: After a hacker attack: VDM fights back
Reference: Breathing easy after hacker attack VDM assures workforce at least partial payment
Incident: Steico Group Operations Disrupted after Cyberattack

The building materials manufacturer Steico has become the target of a cyber attack. The incident impacted both manufacturing operations and administration, the company's website said. The full extent of the attack is currently unknown. It is also unclear whether it was an extortion attack with ransomware.

Victim: Steico Group

Steico SE manufactures energy-saving insulation materials for the building industry.

Reference: Cyber ​​attack on German building materials producer
Reference: STEICO Group affected by cyber attack
Incident: Cyberattack at SAF-Holland Causes Three Month Production Backlog

The commercial vehicle supplier SAF-Holland was the target of a cyberattack. Production is interrupted at certain locations, and the interruption could last seven to fourteen days. Management currently assumes that it will be able to catch up on the resulting production backlog over the next three months.

The SDax-listed share slipped briefly into the red after the news became known but was recently up a good one percent again.

Reference: SAF-HOLLAND SE affected by cyberattack
Victim: SAF-HOLLAND Group

The SAF-HOLLAND Group is one of the leading international manufacturers of chassis-related assemblies and components for trailers, trucks and buses.

Reference: Cyber ​​attack on SAF Holland
Incident: Public Transportation “Deutschlandticket” Launch in Germany Disrupted by Ransomware Attack

Hanover transport company Üstra suffered a cyberattack with significant operational fallout. The display boards at stations and on trains, as well as email and telephone traffic in customer service, only partially worked throughout the weekend. Üstra employees were reportedly working feverishly to get the computer systems under control before the planned start of "Deutschlandticket" sales on Monday. That did not succeed.

The hackers penetrated the IT systems with a malicious email attachment that encrypted files. Üstra declined to comment on the ransom demand, citing the ongoing investigation.

Reference: Hanover Update: Hackers attack Üstra
Reference: Cyber ​​attack on Hannover Transportation Company
Reference: Hackers stop Germany ticket in Hanover
Victim: Üstra

Üstra is the local public transport company in Hanover, Germany.

Incident: German Steelmaker Hacked

The IT network of Badische Stahlwerke (BSW) was affected by unauthorized network access. BSW identified the hacker attack on Thursday. The company reacted immediately and shut down all relevant systems in an isolated and controlled manner.

This also affected parts of production. Employees were reportedly furloughed. Parts of the production facilities were started up again on Friday. The investigation is ongoing.

Victim: Badische Stahlwerke (BSW)

Badische Stahlwerke GmbH is one of the world's leading electric-steel plants and supplies all of Europe with high-quality reinforcing steel.

Reference: Hacker attack on Baden steelworks
Reference: Hacker attack on Badische Stahlwerke in Kehl
Reference: Cyber ​​attack on Baden steelworks
Incident: Cyberattack Causes Widespread Operational Disruption at Rheinische Post Mediagruppe

The "Rheinische Post Mediengruppe" had to shut down some systems because of a cyberattack. Operation of its news portals is only possible to a limited extent. Emergency editions of the affected newspapers were published on Monday. The printed and digital editions cannot be offered in the usual form, the "Rheinische Post" stated.

Individual technical systems had to be switched off and the connection to the Internet had to be cut, according to the "Rheinische Post". The "Aachener Zeitung", which belongs to the media group, addressed its readers on the front page and wrote of an emergency edition "that does not fully correspond to what you are used to from us". The Bonn "General-Anzeiger" responded with an edition that appeared "not in the usual scope and with the usual timeliness".

Victim: Rheinische Post Mediengruppe GmbH

Rheinische Post Mediengruppe GmbH operates as a media company. The company offers call center, printing, purchasing, IT, logistics, market research, and publishing services. Rheinische Post Mediengruppe serves customers worldwide.

Reference: Newspapers launch emergency editions after cyber attack
Reference: Hacker attack paralyzes parts of Rheinische Post Mediengruppe
Reference: Cyber ​​attack on media group – emergency edition newspapers
Incident: German Autoparts Specialist, the Bilstein Group, Confirms Cyberattack

The Bilstein Group was apparently hit by a ransomware attack recently. The perpetrators published company data on the dark web. The auto parts specialist confirmed to CSO that a cyberattack had recently occurred. "However, this was quickly discovered by our systems and IT specialists, so that the effects were marginal," a spokesman explained. The company declined to release any further information about the case. It is not known whether there was a ransom note.

The BianLian ransomware gang has put the Bilstein Group on its victim list. In late April, 60 GB of internal company data surfaced on the dark web, including personnel, accounting and financial data.

Victim: Bilstein Group

Automotive supplier and manufacturer. The Bilstein Group is a leading specialist in the independent automotive aftermarket, based in Germany.

Reference: German auto parts specialist Bilstein hacked
Incident: Emergency Operational Shutdown at Maxim, German Cosmetics Manufacturer

The cosmetics manufacturer Maxim fell victim to a ransomware attack, CSO Online Germany reports. IT systems and production are affected. According to media reports, hackers penetrated the IT systems of the cosmetics manufacturer in early May. The attack was initially discovered due to a "disruption to the network structure". The perpetrators encrypted parts of the IT systems and demanded a ransom. So far it is unclear whether company data was stolen.

As soon as the attack was discovered, all IT systems were shut down immediately, a spokeswoman told the Kölner Stadt-Anzeiger. Because of the immediate shutdown, the ransom demand could not be read, so it is not clear how much was demanded to decrypt the systems.

On May 10, company spokeswoman Janine Kops said that all IT systems and devices were being checked for malicious software. "The work is progressing rapidly and it is becoming apparent that the IT systems that are currently still deactivated will go into secure and monitored emergency operation this week," Kops said. The cyberattack at the end of April led to an emergency shutdown of the systems; since then, production and delivery at Maxim have been paralyzed.

A professional hacker group claimed responsibility for the attack on Maxim, but the spokeswoman declined to give further details for security reasons.

Reference: Pulheim-based company wants to protect itself against a new hacker attack
Victim: Maxim Cosmetics

Maxim is a cosmetics manufacturer based in Pulheim, Germany.

Reference: Ransomware attack on cosmetics manufacturer Maxim
Incident: Operations Paralyzed Across All Locations of German Automotive Supplier Fritzmeier Gruppe

Hackers paralyzed the Internet, telephone and some machines at the large vehicle supplier Fritzmeier. The attack was detected early Tuesday morning, after which all relevant systems were immediately shut down. "The attack affects all systems across all locations, so that we are currently severely restricted in our ability to work and our availability," said company spokesman Florian Linnerbauer.

Four weeks after the hacker attack, operations are up and running again, although it is still unclear who is behind it. "Currently, all locations are back to normal operation," said Linnerbauer. According to Linnerbauer, the ability to deliver was largely maintained during the cyberattack; thanks to a "comprehensive backup strategy, important data could be quickly made available again". After limiting the damage, the group's focus is on repairing the damage and taking preventive measures.

The actual financial damage for the Fritzmeier Group is currently being evaluated internally. "We cannot and will not provide any information on this for reasons of investigative tactics."

E-bike maker M1-Sporttechnik, part of the Fritzmeier Group, was also affected.

Reference: Cyber attack on the Fritzmeier company: Internet, telephone and machines paralyzed
Reference: Hacker attack on Fritzmeier Group: No trace of the blackmailers yet
Victim: Fritzmeier Group

Fritzmeier Group is a manufacturer of complete cabins, plastic assemblies, metalworking and environmental technology. The group has several German locations and employs around 2,200 people worldwide.

Incident: Schneider Hit In MOVEit Transfer Zero Day

Schneider Electric suffered a cyberattack from the Clop ransomware group.

“On May 30th, 2023, Schneider Electric became aware of vulnerabilities impacting Progress MOVEit Transfer software.” the company said in a statement. “Subsequently, on June 26th, 2023, Schneider Electric was made aware of a claim mentioning that we have been the victim of a cyberattack relative to MOVEit vulnerabilities,” the company said. “Our cybersecurity team is currently investigating this claim as well.”

No further information was released at this time.

Victim: Schneider Electric SE

Schneider Electric SE is a European multinational company that specializes in digital automation and energy management. It addresses homes, buildings, data centers, infrastructure and industries, by combining energy technologies, real-time automation, software, and services.

In fiscal year 2022, the company posted revenues of €34.2 billion.

Reference: Schneider Hit In MOVEit Transfer Zero Day
Reference: Siemens Energy Confirms Ransomware Attack
Incident: Procter & Gamble Confirms Data Theft

Consumer goods giant Procter & Gamble confirmed a data breach affected an undisclosed number of employees. Its GoAnywhere MFT secure file-sharing platform was compromised in early February.

The company didn't say who was behind the security breach, but it is reportedly linked to the Clop ransomware gang's attacks targeting Fortra GoAnywhere secure file-transfer servers worldwide. The Clop ransomware gang exploited the CVE-2023-0669 GoAnywhere vulnerability to steal data from more than 130 organizations.

Victim: Procter & Gamble

P&G is one of the largest consumer goods corporations in the world. About two dozen of P&G’s brands are billion-dollar sellers, including Always, Braun, Crest, Fusion, Gillette, Head & Shoulders, Mach3, Olay, Oral-B, and Pantene.

Reference: P&G Cyber Attack: CL0P Ransomware Group Claims to Hit the Consumer Goods Corporation
Reference: Procter & Gamble confirms data theft via GoAnywhere zero-day
Incident: Lumen Hit By Separate Ransomware, Malware Attacks

Multibillion-dollar telecommunications firm Lumen Technologies told regulators Monday that it had discovered two cybersecurity incidents, including a ransomware attack that crippled some of its systems, that degraded services for some of its enterprise customers.

Lumen said that it caught the ransomware attack when a “malicious intruder” inserted malware “into a limited number of the Company’s servers that support a segmented hosting service.” The company did not immediately respond to questions about the type of ransomware involved, the scope of the attack, or whether they have attributed it to a specific group. The company said that the incident “is currently degrading the operations of a small number of the Company’s enterprise customers.”

Additionally, the company said that it discovered a separate incident involving an intruder accessing and installing malware on “internal information technology systems,” allowing the cybercriminal to steal “a relatively limited amount of data.”

Victim: Lumen Technologies

Headquartered in Monroe, Louisiana, Lumen offers an enterprise technology platform that combines networking, cloud, security, and collaboration services.

Reference: Telecom giant Lumen says it discovered two separate cyber intrusions
Incident: Swiss, German-Language Newspaper NZZ Shut Down Production

The “Neue Zürcher Zeitung” continues to struggle with problems two weeks after a cyberattack on its computers. The publisher shut down central systems for newspaper production and had to pre-produce the Saturday edition on Thursday of last week. The company announced on Saturday that this “exceptional situation” was also associated with a reduction in scope.

Due to the cyberattack, some systems and services are still not available. NZZ's IT team is working with external specialists on corrective measures, it said. Newspapers from CH-Media-Verlag, which obtains IT services from NZZ, also appeared on a reduced basis over the weekend.

A ransomware attack on the infrastructure of NZZ's parent, NZZ Mediengruppe in Zürich, became known two weeks ago. 500 GB of data stolen in the attack was later published on the dark web.

Additional impact at three media companies:
On May 3, CH Media confirmed that data had been published, saying, “initial analyses show that the data is from our delivery organisations”.
The Blick Group is affected because a company belonging to CH Media is responsible for the postal delivery of the Blick newspapers and was directly affected by the cyber attack.
Customer data from Tamedia newspapers is also said to be affected.

Reference: Hacker group publishes stolen Swiss media data
Victim: NZZ Mediengruppe in Zürich

The NZZ media group is a Swiss media company and one of the largest private media companies in Switzerland. The group is divided into the business areas NZZ Medien and Business Medien (events and information services). The main purpose of the group is the publication of the Neue Zürcher Zeitung and other media.

Reference: NZZ has to shut down the newspaper production system after a cyber attack
Incident: Cyberattacks on North German Shipyards

The Flensburger Schiffbau-Gesellschaft (FSG) and the Rendsburg shipyard Nobiskrug have fallen victim to a cyberattack. The external attack on the shipyard's IT was noticed on March 3, a spokesman for FSG-Nobiskrug Holding said on Friday. "All IT systems were therefore sealed off by our experts and the responsible authorities informed."

The BianLian ransomware group claimed responsibility, adding Flensburger Schiffbau-Gesellschaft and Nobiskrug to its victim list and claiming to have access to 3 TB of company data.

FSG-Nobiskrug Holding did not comment on this.

Victim: FSG-Nobiskrug Holding

Flensburger Schiffbau-Gesellschaft is a German shipbuilding company located in Flensburg. FSG acquired Nobiskrug-Werft, specialized in building innovative, custom-made luxury superyachts, in 2021.

Reference: BianLian #ransomware group added Flensburger Schiffbau-Gesellschaft and Nobiskrug Yachts GmbH, to their victim list.
Reference: Cyber attack on shipyards FSG and Nobiskrug
Incident: Operations Halted at German Shipbuilder

German shipbuilder Lürssen, which makes military vessels as well as luxury yachts, reports it has been the target of a ransomware attack. The attack brought large parts of Lürssen’s shipyard operations to a standstill, according to local news outlet Buten un Binnen.

According to several German media outlets, Lürssen said it is collaborating with internal and external experts to manage the cyber incident.

Victim: Lürssen shipyard

Lürssen shipyard, located in Germany, builds military vessels and luxury yachts.

Reference: German builder of yachts and military vessels hit by ransomware
Reference: German Superyacht Maker Targeted by Ransomware Cyberattack
Incident: Ransomware Attack Delays Shipyard Production at Marinette Marine Shipyard

Fincantieri Marinette Marine suffered a ransomware attack last week that delayed production across the shipyard. Large chunks of data on the shipyard’s network servers were rendered unusable by an unknown professional group.

The attack on Marinette Marine targeted servers that held data used to feed instructions to the shipyard’s computer numerical control manufacturing machines, knocking them offline for several days. CNC-enabled machines are the backbone of modern manufacturing, taking specifications developed with design software and sending instructions to devices like welders, cutters, bending machines and other computer-controlled tools.

Based on information from the Navy, it’s unclear if the attackers stole any data. The yard is currently on contract to build four combatants for the Saudis and three frigates for the U.S. Navy, with the service planning to ramp up procurement in the pursuit of buying two frigates per year. The Navy acknowledged the attack in a statement but did not provide additional details.

UPDATE: The company notified regulators in Maine that personal information of 16,769 individuals was leaked due to the ransomware attack.

Reference: Ransomware Attack Hits Marinette Marine Shipyard, Results in Short-Term Delay of Frigate, Freedom LCS Construction
Incident: Suncor Suffers Cyber Attack, Hurts Retail Operations

Canada’s leading integrated energy company, Suncor, said Sunday it suffered a cybersecurity incident that is affecting its ability to complete transactions with customers.

The company said it is taking measures and working with third-party experts to investigate and resolve the situation, and has notified the appropriate authorities. At this time, the company said it was not aware of any evidence that customer, supplier or employee data had been compromised or misused as a result of this situation.

“While we work to resolve the incident, some transactions with customers and suppliers may be impacted,” the company said in a statement.

The issues began on Friday (June 23), when customers reported problems logging into the app and website for Petro-Canada, a gas station chain owned by Suncor.

Reference: Suncor Energy hit by cyber attack; Petro-Canada gas stations impacted
Reference: Suncor Energy Hit In Cyberattack
Victim: Suncor

Suncor’s operations include oil sands development, production and upgrading; offshore oil and gas; petroleum refining in Canada and the U.S.; and the company’s Petro-Canada retail and wholesale distribution networks (including Canada’s Electric Highway, a coast-to-coast network of fast-charging electric vehicle stations).

Incident: Ransomware Attack at Constellation Software; ALPHV Steals over 1TB Data

Constellation Software confirmed some of its systems were breached. "The Incident was limited to a small number of systems related to internal financial reporting and data storage." "The independent IT systems were not impacted by this Incident in any way." The company said it had contained the attack and restored the IT infrastructure systems impacted. Business partners and individuals whose information was stolen are being contacted.

Victim: Constellation Software

Constellation Software acquires, manages, and builds software businesses through six operating groups: Volaris, Harris, Jonas, Vela Software, Perseus Group, and Topicus.

The Canadian company has over 25,000 employees across North America, Europe, Australia, South America, and Africa, generating consolidated revenues exceeding $4 billion.

Constellation also provides services to 125,000 customers in over 100 countries and has acquired more than 500 software companies since 1995.

Reference: ALPHV gang claims ransomware attack on Constellation Software
Reference: Constellation Software hit by cyber attack, some personal information stolen
Incident: ScanSource Mitigates Business Impact after Cyberattack

ScanSource, a leading hybrid distributor connecting devices to the cloud, today announced that it was subject to a ransomware attack impacting some of its systems. Upon discovering the incident, the Company immediately launched an investigation and implemented its Incident Response Plan.

ScanSource is working diligently to bring affected systems back online, while also mitigating the impact on its business. ScanSource regrets any inconvenience or delays in business this may cause customers and suppliers in North America and Brazil and appreciates their patience.

Victim: ScanSource Inc.

ScanSource Inc. is a leading hybrid distributor connecting devices to the cloud.

Reference: ScanSource Provides Information on Cybersecurity Incident
Incident: Enzo Biochem Breach Exposes Clinical Test Data on 2.5M People

Biotechnology company Enzo Biochem has revealed that the clinical test information of roughly 2.47 million individuals was exposed in a recent ransomware attack.

The incident resulted in certain systems being disconnected from the internet.

On April 11, Enzo Biochem’s investigation revealed that the attackers accessed and exfiltrated certain information from its systems, including names, clinical test information, and, in some cases, Social Security numbers.

Enzo Biochem expects increased regulatory scrutiny to follow and notes that the full cost and impact of the incident are still under evaluation.

Reference: Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
Victim: Enzo Biochem

Based in Farmingdale, New York, Enzo Biochem develops and provides molecular diagnostics technologies, including DNA-based tests.

Reference: Ransomware Attack on Bioscience Firm Exposes Clinical Test Data on 2.5M People
Incident: Eisai Pharma Takes Systems Offline After Ransomware Attack

Japanese pharma group Eisai Co., Ltd. says it is battling a ransomware attack that was launched on June 3 and resulted in some of its servers becoming encrypted. The attack affected servers both within and outside Japan, and resulted in some of the group’s IT functions, including logistics systems, being taken offline.

For now, it says the corporate websites and email services remain operational, and there’s no clear indication yet whether sensitive data has been leaked. "Eisai Group is working closely with external experts and law enforcement in an effort to protect its systems and to make a successful recovery."

“Any potential impact of this incident on the consolidated earnings forecast of this fiscal year is currently under careful examination,” it said.

At the time of writing, it’s not clear whether the attack is linked to the Cl0p ransomware gang’s other recent data theft attacks.

Victim: Eisai Co. Ltd.

Eisai Co., Ltd. is a Japanese pharmaceutical company headquartered in Tokyo, Japan. It has some 10,000 employees, among them about 1,500 in research.

Reference: Eisai is latest pharma to suffer ransomware attack
Incident: US Hospital Closes 2 Years after Cyberattack: Unprecedented Case

St. Margaret’s Health, a hospital in Spring Valley, Ill., announced in May 2023 that it will have to close its doors due to the financial impact of a ransomware attack. That attack, which occurred in 2021, crippled the hospital’s computer systems and prevented financial claims from being submitted to insurance companies and government agencies for several months. This resulted in significant financial difficulties for the facility.

Experts believe this is the first time a hospital has had to close due to a cyberattack.

Hospital management said a combination of factors, including the Covid-19 pandemic, the cyberattack and a shortage of staff, had made it impossible to keep operations going.

Reference: Cyberattack Forces St. Margaret’s Health –Spring Valley to Shut Down Computer Systems
Victim: St. Margaret’s Health

St. Margaret's Health has been the premier provider of health care in the Illinois Valley since 1903.

Reference: A cyberattack is partly to blame for St. Margaret’s Health closing all operations
Reference: Cyberattack is a factor in Illinois hospital’s closure
Incident: Gentex Corp. Hacked; Ransomware Gang Leaks 5TB of Data

Gentex Corporation confirmed it suffered a ransomware attack a few months ago. Gentex issued a statement saying "the breach has not had an impact on our operations."

TechTarget Editorial received an email May 18, 2023 purportedly from a Dunghill operator claiming the group breached the Michigan-based technology and manufacturing company. The email contained a link to a Tor site that allegedly contained 5 TB of sensitive corporate data, including emails, client documents and the personal data of 10,000 Gentex employees such as Social Security numbers.

The Dunghill ransomware gang claimed responsibility for the attack a month ago: "Gentex has ignored fact of the data leak. Some defence part of data leaked too," a Dunghill representative wrote in the email.

In addition, Dunghill claimed it has shared the stolen data with manufacturers from China, India and the U.S. "because Gentex refused to cooperate." It did not address whether those manufacturers were Gentex competitors, partners or both. Gentex has not responded to follow-up questions at press time.

Threat Actor: Dunghill ransomware gang

The Dunghill ransomware gang is a relatively new threat group.

On April 10, 2023 Zscaler revealed the Dark Angels ransomware group had launched a new data leak site and rebranded as Dunghill.

Victim: Gentex Corporation

Gentex Corporation is an American electronics and technology company that develops, designs and manufactures automatic-dimming rear-view mirrors, camera-based driver assistance systems, and other equipment for the global automotive industry.

Reference: Gentex confirms data breach by Dunghill ransomware actors
Reference: Auto supplier Gentex hit by ransomware attack
Incident: Siemens Energy AG Confirms Ransomware Attack

Cl0p ransomware group claimed the cyber attack on Siemens Energy and four other organizations including Schneider Electric and the University of California Los Angeles.

Siemens Energy spokesperson, Claudia Nehring, stated, “Regarding the global data security incident, Siemens Energy is among the targets. Based on the current analysis, no critical data has been compromised and our operations have not been affected. We took immediate action when we learned about the incident.”

Siemens Energy's in-house ProductCERT team has not released any statements or updates regarding the alleged cyber attack. The team is responsible for handling all security-related matters pertaining to the company's products, solutions, and services.

Cl0p listed Siemens Energy on their data leak site. The group has been wreaking havoc on various organizations in recent weeks.

Victim: Siemens Energy AG

Siemens Energy AG is considered one of the world’s largest energy technology companies, with 91,000 employees in more than 90 countries.

Reference: Cyber Attack on Siemens Energy: Company Confirms the Incident
Incident: Shell Investigates Ransomware Attack by the Cl0p Group

Oil and gas giant Shell was hit by a ransomware attack conducted by the Clop gang exploiting a MOVEit zero-day vulnerability. The company is investigating the security breach and said that at this time the attack had no impact on its core IT systems.

The Clop ransomware gang claims to have hacked hundreds of companies. At the time of this writing, the Clop ransomware group already added 27 companies to the list of victims on its dark web leak site. The group claimed to have compromised the companies by exploiting the zero-day CVE-2023-34362.

In March 2021, Shell disclosed another data breach resulting from the compromise of an Accellion File Transfer Appliance (FTA) used by the company.

Reference: Oil and gas giant Shell is another victim of Clop ransomware attacks
Reference: (Zellis) Press statement on MOVEit Transfer data breach
Reference: BBC and British Airways affected by data breach at payroll company Zellis
Incident: Accellion-related Data Breach Reported by QIMR Berghofer

The QIMR Berghofer Medical Research Institute has also announced today a data breach caused by the Accellion FTA service and has provided more detailed information regarding what information was accessed.

According to the research institute, the data breach appears to have occurred on December 25, 2020, when threat actors accessed approximately 4 percent, or 620MB, of data stored on the Accellion FTA service.

QIMR Berghofer states that they received their first notification to install Accellion's patch on January 4th, 2021. It wasn't until February 2nd, 2021 that Accellion notified them that they had suffered a data breach.

"The first notification QIMR Berghofer received from Accellion was on 4 January 2021, when the company advised the Institute to apply a security patch. The Institute immediately took the software offline and applied the patch."

"Accellion notified QIMR Berghofer on Tuesday 2 February 2021 that it believed the Institute had been affected by the data breach, which has also affected a number of Accellion’s other Australian and international clients," QIMR Berghofer disclosed in a data breach notice on their website.

Victim: QIMR Berghofer Medical Research Institute

QIMR Berghofer Medical Research Institute (QIMR Berghofer) is an Australian medical research institute located in Herston, Brisbane.

Incident: Accellion-related Data Breach Reported by Singtel

Singtel, the largest mobile carrier in Singapore, announced that they suffered a data breach caused by the Accellion FTA service's vulnerability.

"A third-party file sharing system provided by Accellion called FTA has been illegally accessed through a zero-day vulnerability or previously unknown vulnerability. Singtel uses this system to share information internally as well as with external stakeholders and organisations," Singtel announced in a security incident notification.

The telecommunications company has not disclosed what data has been accessed in the attack and states that they are currently investigating who was impacted.

Reference: Singtel, QIMR Berghofer report Accellion-related data breaches
Incident: Brunswick Corp. Recovering from Serious Cyberattack

Marine industry giant Brunswick Corporation suffered a serious breach on June 13. The incident affected part of its computer systems and its facilities at sites around the world.

On June 22 the company reported that all of its main manufacturing facilities are back online. Most of its primary distribution centers are back up and running. The rest of its locations should restart within a few more days, the firm said. The Mercury Marine plant in Fond du Lac, Wisconsin was among the locations affected, a spokesperson told local media. The site was not fully shut down by the cyberattack and many employees remained at work. Brunswick's management teams are focused on ramping production back up and filling backorders created by the shutdown. The process of catching up will likely continue through the third quarter, the company said.

On August 22, the company CEO stated that the ransomware attack would cost it “as much as $85 million.” “We have the opportunity to recover some lost production and distribution across our businesses, which will partially offset lost days in the second quarter. However, lost production days on high horsepower outboard engines will be challenging to recover because the production schedule was already full for the balance of the year.”

Victim: Brunswick Corporation

Brunswick is a major supplier for law enforcement agencies, as well as small commercial boat operators in coastal and inland settings, and it has a range of engines and workboats designed for commercial use. It is known best for its portfolio of consumer brands, including Boston Whaler.

Reference: Brunswick Corp. Works to Recover From Cyberattack
Reference: Acer says server for repair technicians accessed by hackers
Reference: Dish Network lawsuits pile up after crippling ransomware attack
Reference: Dish Network Shares Hit 14-Year Low After Cyber Attack Caused Major Outage
Incident: Website Outage and Passenger Data Breach at Scandinavian Airlines

A recent multi-hour outage of the Scandinavian Airlines (SAS) website and mobile app was caused by a cyberattack. The cyberattack caused passenger data to become visible to other passengers. This data includes contact details, previous and upcoming flights, as well as the last four digits of the credit card number.

Reference: Scandinavian Airlines says cyberattack caused passenger data leak
Reference: Airline SAS network hit by hackers, says app was compromised
Incident: Hackers Demand $3M from Scandinavian Airlines (SAS)

The hacker group "Anonymous Sudan" has made an unexpected demand of $3 million from Scandinavian Airlines (SAS) in order to halt distributed denial-of-service attacks (DDoS) that have been targeting the airline's websites since February. Despite initially presenting themselves as politically-motivated hacktivists, the group appears to be resorting to using extortion tactics for financial gain.

On Monday, 29 May, Anonymous Sudan shared a ransom note on its Telegram channel claiming that SAS and its services have been paralyzed for more than five days. The company has responded to user complaints on Facebook, acknowledging an issue with its website and assuring customers that SAS is "working to resolve it quickly." SAS did not respond to The Record’s inquiries.

Meanwhile, Anonymous Sudan continues to escalate their demands, raising their initial price from $3,500 to a staggering $3 million. Anonymous Sudan first began targeting SAS in February, knocking its website offline and exposing some user data. Some customers who attempted to log in to the SAS mobile app were sent to others’ accounts and had access to their contact information and itineraries. The group blamed the burning of a Quran during demonstrations in January protests in Stockholm for motivating the attacks.

Anonymous Sudan followed up the incident with cyberattacks on Sweden’s national public television broadcaster, German airports, Danish hospitals, as well as Israeli banks, news websites, and, most recently, a missile warning system.

Threat Actor: Anonymous Sudan

Anonymous Sudan is not an authentic part of the Anonymous hacktivist movement but “most likely created as part of a Russian information operation to harm and complicate Sweden's NATO application,” according to a report published by Swedish cybersecurity company Truesec.

Truesec noted the Anonymous Sudan account on Telegram has its user location listed as Russia, and most of its targets are nations that support Ukraine in its fight against Russia. Other research from the Chicago-based company Trustwave found that there are indications that Anonymous Sudan is a sub-group of the Pro-Russian state-sponsored hacker group Killnet. Anonymous Sudan has openly associated itself with this group.

Trustwave also found some evidence that Anonymous Sudan is financially motivated, as it attempted to sell data stolen from French flag carrier Air France.

Although the group mainly carries out unsophisticated DDoS attacks, they can have serious consequences as they target critical facilities such as hospitals, airports, banks, and government institutions, the researchers said.

Reference: Hacker group Anonymous Sudan demands $3 million from Scandinavian Airlines
Incident: European Defense Contractor Hensoldt Allegedly Victim of Snatch Ransomware Attack

A French subsidiary of HENSOLDT AG and part of its subsidiaries ("Nexeya") have become the target of a serious cyber attack on their IT infrastructure in recent days. According to current information, both of Nexeya's data centers in France have been affected, and it is likely that a significant amount of data has been accessed and systems have been encrypted. Nexeya's ongoing operations have been impacted by this cyber attack.

A comprehensive investigation of the incident was launched immediately, in close cooperation with the relevant authorities.

Work is proceeding at full speed to restore Nexeya's ongoing operations as quickly as possible. According to current knowledge, the IT infrastructure and data of other companies of the HENSOLDT Group are not affected.

Victim: Hensoldt

Hensoldt is a leading company in the European defence industry with global reach, based in Taufkirchen near Munich, Germany.

Reference: European defense contractor allegedly hit with ransomware
Reference: French subsidiary of HENSOLDT AG targeted by a serious cyber attack
Reference: Ingenico, new victim of Snatch cybercriminals after Hensoldt France and Hemeria
Reference: CERT EU report
Reference: Hemeria Group Data Breach: Palace of Versailles Denies Negotiating with Snatch
Victim: Hemeria Group

Hemeria Group specializes in the design, manufacture and assembly of equipment and systems for the space industry (including small satellites) and French deterrence.

Incident: Lockbit Attacks Portuguese Water Utility Company

Águas e Energia do Porto said on February 8 it had been hit with a cyberattack, with its security team able to limit the damage. Public water supply and sanitation were not affected by the attack.

The LockBit group added the company to its leak site on February 18, according to cybersecurity expert Dominic Alvieri. LockBit gave the utility until March 7 to pay a ransom, threatening to publish stolen information from Águas e Energia do Porto systems if the deadline passed without payment.

“Due to the incident, some customer services suffered constraints," the utility said. The company was still able to process customer requests at in-person service desks, and it urged people to obtain virtual service tickets instead of standing in line.

The utility did not respond to requests for comment about an update on the situation.

Victim: Águas e Energia do Porto

Owned by the city of Porto, it is one of the largest Portuguese water supply and wastewater sanitation companies, serving approximately half a million people. In addition to managing the water supply and wastewater, the company drains Porto's rainwater, controls about 85 kilometers of water lines, manages the city's waterfront, and more.

Reference: LockBit gang takes credit for attack on water utility in Portugal
Incident: Hackers disrupt IT network of Rome’s Public Utility and Power Company, ACEA

Acea's computer network was restored four days after the cyber attack by the Black Basta ransomware group.

“The Group's websites and the online platforms for managing the commercial aspects of water, electricity and gas supplies are operational, as well as – from Saturday – the contact center service of the Group companies for customers." The company reiterated "that the IT disruption generated by the cyber attack did not affect the essential electricity and water distribution services which have always been regularly guaranteed".

The Italian cybersecurity agency says at least a dozen hacks are likely tied to the BlackBasta ransomware group. Investigators say the ransomware campaign may have hit thousands of organizations worldwide since Thursday. The first attack was against energy company Acea.

Victim: ACEA

ACEA is Rome's public utility and power company.

Reference: BlackBasta Blamed for Global Attacks on VMware ESXi Servers
Reference: Acea: “After the hacker attack, the operations of the IT systems have been restored”
Incident: Pro-Ukrainian Hacktivist Groups Claim Disabling over 1000 Network Routers in Russia

The pro-Ukraine hacktivist groups TeamOneFist and RoughSec conducted the operation "Turn Ruzzia Off" and claim to have destroyed or disabled some 1,260 network routers in 48 hours.

The operation combined three missions against the Rostelecom and Beeline ISPs, with the objective of creating Internet and VoIP phone outages across Russia in government buildings, military facilities and oligarchs' homes. The stated goal of the attack was to cripple Russian war logistics and slow down the Russian process of reinforcing their army in Ukraine.

Threat Actor: Anonymous RoughSec

Anonymous RoughSec is a pro-Kyiv cyber threat actor and a sub-group of the decentralised Anonymous collective.

Victim: Beeline

Beeline (Russian: Билайн), formerly Bee Line GSM (Russian: Би Лайн GSM), is a telecommunications brand of PJSC VimpelCom, founded in Russia.

PJSC VimpelCom is Russia's third-largest wireless and second-largest telecommunications operator. Its headquarters are located in Moscow.

Victim: Rostelecom

Rostelecom is Russia’s largest provider of digital services for a wide variety of consumers, households, private businesses, government and municipal authorities, and other telecom providers. Rostelecom interconnects all local public operators’ networks into a single national network for long-distance service.

Reference: Pro-Ukrainian hackers hacked more than 1 000 routers across Russia – “Operation Turn Ruzzia Off”
Incident: Critical Infrastructure Disrupted in Martinique by Prolonged Cyberattack

The Caribbean island of Martinique is dealing with a cyberattack that has disrupted internet access and other infrastructure for weeks. The attack began on May 16, forcing officials to isolate the affected systems. Cybersecurity experts were mobilized to help gradually restore their operations.

“Regarding education services, technical solutions are being set up to restore internet access to colleges and high schools. School administrators and the government are coordinating in order to ensure the smooth handling of exams. The government will make every effort to ensure the payment of social benefits,” officials said in a statement.

“Regarding financial services, the community will be able to issue new purchase orders and ensure the payment of bills. These must be filed in paper format from the mail office in Plateau Roy. Concerning aid and subsidy services, the filing of requests must be made in paper format to the office in Plateau Roy due to the unavailability of online platforms.”

Threat Actor: Rhysida Ransomware Group

Because Rhysida ransomware first appeared in May 2023, not much is known about the ransomware or the group at this time [June 2023].

They do not seem to list victims to warn them publicly before leaking information. The only entries on the site currently are the ones whose data has already been leaked in full. None of the listings indicate when Rhysida attacked or encrypted the victims.

Reference: Caribbean island of Martinique dealing with cyberattack that disrupted government services
Incident: Disruption of online vote in Martinique

The platform for the online vote on a flag and anthem for the French overseas department of Martinique had to be taken offline, on January 4, 24 hours after the start of the vote. The reason for the disruption was reported to be a cyberattack.

The attack on government servers upended a nearly two-week online voting window that began on Jan. 2. Officials said the attack was not successful but forced them to temporarily shut down the system.

Victim: Martinique

Martinique has a population of about 360,000 and is governed by France, serving as an outermost region of the European Union.

Reference: Cyberattack halts Martinique’s search for new flag, hymn
Reference: Cybersecurity Brief Cert-EU
Incident: Ransomware Attack at Royal Mail Disrupts International Operations more than a Month

The LockBit ransomware operation has claimed the cyberattack on UK's leading mail delivery service Royal Mail that forced the company to halt its international shipping services due to "severe service disruption."

Royal Mail refused to pay an $80m (£67m) ransom sought by hackers linked to Russia after the “cyber incident”, which resulted in 11,500 Post Office branches across the UK being unable to handle international mail or parcels for almost six weeks after the attack. The company has said it is losing £1m a day.

Victim: Royal Mail

International Distributions Services plc, trading as Royal Mail, Parcelforce and GLS, is a British multinational postal service and courier company, originally established in 1516 as a government department. The company's subsidiary Royal Mail Group Limited operates the brands Royal Mail and Parcelforce Worldwide.

Reference: Royal Mail resumes overseas deliveries via post offices after cyber-attack
Reference: LockBit ransomware gang claims Royal Mail cyberattack
Incident: German Software Provider Bitmarck Suffers Data Leak

On January 23, media reports suggested that Bitmarck, an IT service provider for German health insurance companies, had suffered a data leak. A cybercrime group reportedly extracted data from the company’s Jira project management and databases and put it up for sale. There is no indication that any personal health data was exposed.

Victim: Bitmarck

BITMARCK is a leading provider of IT solutions for the German public health insurance market, offering services to a variety of health insurers, including company and craft guild insurers, DAK-Gesundheit, and alternative insurers.

Reference: eHealth: 300,000 insured accesses affected by Bitmarck leak
Incident: Entire Data Centers Taken Offline at Giant German IT Service Provider Bitmarck

Bitmarck, one of the largest IT service providers within Germany’s statutory health insurance system, announced on Sunday it had taken all of its customer and internal systems offline due to a cyberattack.

Bitmarck, which employs around 1,600 people, said that the customer and internal systems were

Taking these services offline impacts a range of individuals and organizations associated with Bitmarck’s services, particularly those who rely on the company to issue electronic sickness certificates used in Germany to pay employees’ leave. Bitmarck also warned that pharmacies it works with may also experience technical problems.

In its statement, the company said disruptions were likely to continue “for the foreseeable future,” as entire data centers were taken offline and restarting these was likely to be accompanied by temporary service failure.

“We very much regret the inconvenience caused to our customers, service providers and insured persons and are working to restore the systems as quickly as possible,” the company stated.

Reference: Bitmarck, one of Germany’s largest IT providers, hit by cyberattack
Incident: Widespread Disruption at Norton Healthcare Operations after Ransomware Attack

Norton Healthcare says it has been victimized by a "cyber-event," and some of its computer network systems have been offline. Patient appointments, surgeries, emergency care and online services were all affected.

The BlackCat ransomware group claims responsibility for the attack and says it exfiltrated 4.7 TB of data.

The effects of the attack were still impacting the health system’s network and services over a month later. Although some communication platforms were back in full operation, problems persisted with the distribution of testing and imaging results and the [re]scheduling of procedures and exams.

Reference: Cyberattack on Norton Health spurs long waits, prescription and lab delays
Victim: Norton Healthcare Services

Norton Healthcare serves nearly 600,000 patients a year across Louisville, KY. It has $4.7 billion worth of assets with five hospitals, eight outpatient centers, 18 urgent care clinics, and 289 doctor’s offices.

Reference: Norton Healthcare hit with ‘cyber-event’ amid ongoing computer system shutdowns
Incident: Data Breach at Luxottica’s Eyemed Vision Affects 820K Patients

Luxottica disclosed that their appointment scheduling application suffered a data breach after being hacked on August 5th, 2020. The breach has exposed the personal and protected health information of 829,454 patients at partner eye care practices. Luxottica's Eyemed division partners get access to a web-based appointment scheduling application.

This data breach announcement comes on the heels of a Nefilim ransomware attack on Luxottica. This September 2020 attack caused significant outages, interruptions, and theft of unencrypted files.

Reference: Luxottica data breach exposes 820K EyeMed, LensCrafters patients
Reference: Eyewear giant Luxottica hit by Windows Nefilim ransomware, data leaked
Incident: Ransomware Attack Affects Worldwide Operations of Italian Eyewear Giant Luxottica

Italy-based eyewear and eyecare giant Luxottica has reportedly suffered a ransomware attack that has led to the shutdown of operations in Italy and China and data leaked on the dark web.

Union sources confirmed to Italian media Ansa that the employees were sent home due to "serious IT problems." The ransomware attack affected the company worldwide, and for days offices were not fully operational.

Security official Nicola Vanin stated in a LinkedIn post "Once the event was analysed, the clues were collected in less than 24 hours and the procedure for cleaning up the affected servers began. Work activities are gradually returning to normal in the #Milano plants and headquarters."

He also stated that "There is currently no access or theft of information from users and consumers." However, a month later the Windows Nefilim ransomware group leaked financial and human resources operations data on the dark web.

Reference: Ray-Ban owner Luxottica confirms ransomware attack, work disrupted
Incident: Luxottica Eyewear Group discloses 2021 Attack Affecting 70M Customers

Luxottica Group confirmed in May 2023 that one of its partners suffered a data breach in 2021. The breach exposed the personal information of 70 million customers. It was discovered after data was put up for sale on the dark web.

Andrea Draghetti, the leading researcher of the Italian cybersecurity firm D3Lab, analyzed the leaked data. She confirmed to BleepingComputer that it contains 305 million lines, 74.4 million unique email addresses, and 2.6 million unique domain email addresses.

Draghetti also determined the exfiltration date to be March 16th, 2021. This meant that the data likely originated from a previously undisclosed data breach.

Victim: Luxottica Group S.p.A.

Luxottica Group S.p.A. is a Milan-based eyewear conglomerate and the world's largest eyewear company, maker of glasses and prescription frames, and the owner of popular brands like Ray-Ban, Oakley, Chanel, Prada, Versace, Dolce and Gabbana, Burberry, Giorgio Armani, Michael Kors, and many others.

Luxottica employs over 80,000 people and generated 9.4 billion in revenue for 2019.
The company also operates Eyemed, a vision insurance company in the US.

Reference: Luxottica confirms 2021 data breach after info of 70M leaks online

Incident: Vesuvius Industrial Manufacturer Discloses $4.6M Cost as Result of Cyber Incident

Vesuvius, a UK-based molten metal flow engineering company, issued an alert on February 6, 2023, which stated it was “currently managing a cyber incident, [which] has involved unauthorized access to our systems.” The London Stock Exchange-listed ceramics manufacturer disclosed in May that the perplexing cyber incident will incur a hefty cost of $4.6 million.

The exact nature of the incident remains shrouded in secrecy, as the company has refrained from providing specific details.

Notably, Vesuvius is the second British industrial ceramics manufacturer to disclose a cyber incident in 2023. In January, Morgan Advanced Materials, a company specializing in semiconductor production, also submitted a cybersecurity incident notice to the London Stock Exchange.

Victim: Vesuvius

Vesuvius is a global leader in molten metal flow engineering and technology.

Reference: Vesuvius Faces Costly Consequences of Cyber Incident
Reference: UK Engineering Company Vesuvius Hit by Cyber Attack
Incident: Sysco, Global Food Distributor, Hit in Cyberattack

Global food distributor Sysco fell victim to a “cybersecurity event” at the beginning of the new year in which the attacker gained information on workers and the company.

Sysco said in a 10-Q report, “on March 5, 2023, Sysco became aware of a cybersecurity event perpetrated by a threat actor believed to have begun on January 14, 2023. Immediately upon detection, Sysco initiated an investigation, with the assistance of cybersecurity and forensics professionals.

“The investigation determined that the threat actor extracted certain company data, including data relating to operation of the business, customers, employees and personal data. This data extraction has not impacted Sysco’s operational systems and related business functions, and its service to customers continued uninterrupted."

The incident affected 126,243 people. It took the company just under two months to discover the breach, and it notified victims earlier this month. In essence, from breach to victim notification, it took the company almost five months.

Reference: Sysco Hit In ‘Cybersecurity Event’
Victim: Sysco

A multinational company headquartered in Houston, Texas, Sysco is one of the largest distributors of food products, kitchen equipment, smallware, and tabletop products to restaurants, lodging establishments, healthcare and education organizations, and other entities.

Incident: Philadelphia Inquirer Unable to Print Sunday Paper

The Philadelphia Inquirer was hit with a cyberattack that resulted in significant disruptions to its operations. It was unable to print its Sunday paper on May 14, and it had to scramble to restore several systems. The paper closed its office through Tuesday and the newspaper is working with “third-party forensic specialists from Kroll to restore systems and fully investigate the matter,” according to the emailed statement.

With the timing of the attack right before the city’s mayoral primary election, political motivation is a possibility. The Philadelphia Inquirer has not made any ransom demands public, nor is it clear if the information of employees or customers has been compromised, according to The Philadelphia Inquirer coverage.

Victim: The Philadelphia Inquirer

Newspaper in PA

Reference: Cyberattack Takes Down Systems at Philadelphia Inquirer
Incident: Ransomware Attack at German Furniture Company Häfele

German kitchen system specialist Häfele was hit by a ransomware attack at its headquarters on the night of Feb. 2, 2023. The attack targeted the IT systems of the Häfele Worldwide Group from an external source. According to a statement on the company's website, "the shutdown of our systems is now being followed by a gradual and controlled reactivation." The company did not say when it would be fully operational.

UPDATE: Häfele was able to rebuild its 50+ country, 180-site network in under 30 days with the help of SASE.

Victim: Häfele

Häfele, German kitchen system specialist

Reference: Häfele IT systems down after cyber attack
Reference: Häfele Recovers from Ransomware Attack using SASE
Incident: Systems Shut Down at Stiles Machinery after Cyberattack

Stiles Machinery has detected a cyber-attack on its IT systems. The Grand Rapids-based equipment supplier announced that it had detected the attack and shut down its systems as a protective measure.

The company issued a statement: "Out of an abundance of caution, we have decided to completely shut down our systems while we investigate the situation further. The security and data of our customers and business partners are one of our highest priorities. Currently, we have no indication of any data loss. We are working to restore operations to full functionality as soon as possible."

Victim: Stiles Machinery

Grand Rapids-based equipment supplier

Reference: Stiles Machinery detects cyber attack
Incident: Production at Canadian Tool Manufacturer Exco Technologies Interrupted

A Canadian-based international manufacturer of die cast tools and car parts has been the victim of a cyber attack. Exco Technologies said Monday that three production facilities within its Large Mould Group are recovering from a cyber incident last week. The Toronto-headquartered company temporarily disabled some computer systems as it investigated this incident. It is in the middle of bringing these systems back online, and expects operations to be substantially restored over the next two weeks.

Shipments to customers have not and are not expected to be materially interrupted. The statement didn’t detail the kind of attack, or whether personal or corporate data was accessed. It said independent experts have been retained to help the company in dealing with the matter.

Reference: Exco Technologies Limited Announces Cyber Security Incident
Victim: Exco Technologies

Exco Technologies, Canadian tool manufacturer

Reference: Canadian tool manufacturer hit by cyber attack
Incident: Attack Disables Irrigation Systems and Disrupts Water Treatment Processes

Several water monitors – which monitor irrigation systems and wastewater treatment systems – were left dysfunctional on Sunday after a cyber attack targeted the monitoring systems. Specifically, water controllers for irrigating fields in the Jordan Valley were damaged, as were control systems for the Galil Sewage Corporation.

The management for both major systems was pushing all of Sunday morning to work through the issue and bring the systems back into full operation. Farmers in the region were warned several days prior about suspicions over a planned cyber attack. Some of them, as a result of the warning, disconnected the remote control option for their irrigation systems and switched them to manual operation, instead, to prevent any harm from the attack. Indeed, those who left their systems on remote control were the ones impacted by the attack.

The attack is thought to be part of an annual “hacktivist” campaign that takes place every April, and this year’s attempt at least managed to cause a nuisance for some farms in the Jordan Valley. The cyber attack is part of an annual campaign called “OpIsrael,” which strikes in April with DDoS attacks and breach attempts on targets in the country.

Each year of the cyber attack campaign seems to bring new targets of opportunity. This year the threat actors put a special focus on irrigation systems. The Galil Sewage Corporation was one of the targeted wastewater processors that was breached, and the company reports that the cyber attack blocked several controllers for about a day and disrupted some treatment processes.

Victim: Galil Sewage Corporation

Galil Sewage Corporation, Israel

Reference: Cyber attack leaves irrigation systems in Upper Galilee dysfunctional
Reference: Irrigation Systems in Israel Hit With Cyber Attack That Temporarily Disabled Farm Equipment
Incident: Cyberattack Halts Production at Factories of Suzuki Motorcycle India

Suzuki Motorcycle India – the Indian subsidiary of the Japanese two-wheeler maker – has been compelled to stop production at its factories due to a “cyber-attack” on its operations. According to several people in the know, production has been stalled since Saturday, May 10, and the company is estimated to have incurred a production loss of over 20,000 vehicles in this timeframe.

As part of its measures to address the situation at hand, a few days ago Suzuki Motorcycle informed its ecosystem that, due to an “unprecedented business requirement”, it had postponed its annual supplier conference, which was scheduled to be held next week.

Victim: Suzuki Motorcycle India

Suzuki Motorcycle India, Private Limited is the wholly owned Indian subsidiary of Suzuki, Japan. It was the third Suzuki automotive venture in India.

Reference: Suzuki Motorcycle India plant shut for a week due to cyber-attack
Reference: Hit by Cyberattack Suzuki Motorcycle India Halts Production at its Factories
Incident: DDOS Hacktivist Attack at Quebec’s Power Utility

A pro-Russian hacking group has claimed responsibility for a cyberattack against Quebec's state-owned electricity provider. Hydro-Québec said on Thursday it was hit with a denial-of-service attack at approximately 3 a.m. ET and was working to try to get its website up and running again. Hydro-Québec's website, app and Info-Panne website for verifying power outages went offline.

"No critical Hydro-Québec systems were attacked and users' personal data was not compromised," said Philippe Archambault, head of media and government affairs for the utility. He said the cybersecurity team is working on restoring service.

"This is not a case of hacking and getting access to the information at the back end, at least not at this time, not with this type of tech," Waterhouse said. "It's really just to protest against Canada's involvement with Ukraine."

Victim: Hydro-Québec

Hydro-Québec is a public utility that manages the generation, transmission and distribution of electricity in the Canadian province of Quebec, as well as the export of power to portions of the Northeast United States. It was established by the Government of Quebec in 1944 from the expropriation of private firms.

Reference: Pro-Russian group claims responsibility for cyberattack against Hydro-Québec
Incident: DDOS Cyberattack at Canadian Primary Eastern Seaports: Halifax, Montreal and Quebec

On April 14, 2023, in the early morning hours, the Port of Halifax in Nova Scotia and the Ports of Montreal and Quebec suffered a “distributed denial of service” (DDOS) cyberattack. Unlike ransomware attacks, these attacks flood network servers with so much internet traffic that it overwhelms a website, rendering it inaccessible or useless for legitimate users. The attacks appeared to be directed at the ports’ websites, causing them to crash for several hours. Further, Quebec’s state-owned electricity provider Hydro-Quebec also experienced a similar cyber assault the next morning.

Despite these attacks, it appears none of the ports’ operations or internal systems were impacted by the incident. The Port of Halifax’s spokesperson Lane Ferguson emphasized that their “internal systems continue to operate normally” and “port operations have not been affected.” Similarly, the spokesperson for the Port of Montreal asserted that the port’s security team had confirmed the port operations were unaffected and there was no risk of a data breach.

Afterwards, a pro-Russian hacking group called NoName057(16) took responsibility for the cyberattack and asserted it would continue to target Canada. This cyber assault is only the latest of several cyber issues that global ports and maritime infrastructure have suffered recently.

Threat Actor: NoName057(16)

The pro-Russian hacktivist group NoName057(16) is primarily focused on disrupting websites important to nations critical of Russia’s invasion of Ukraine – DDoS attacks act as the method to conduct such disruption efforts.

Victim: Port of Montreal

Port of Montreal, QC, Canada

Victim: Port of Quebec

Port of Quebec, QC, Canada

Victim: Port of Halifax

Port of Halifax, Nova Scotia

Reference: Maritime Industry Hit by Yet Another Swell of Cyberattacks
Incident: Data Breach Impacts Business Operations at Sun Pharmaceutical

Reference: Fourth-Largest Generic Drugs Manufacturer Sun Pharmaceuticals Hit by Ransomware Attack

A ransomware group has claimed responsibility for an 'IT security incident' at Sun Pharma whose effects included the breach of certain file systems and the theft of certain company data and personal data, the drugmaker said in a stock exchange filing. "As part of the containment measures, we proactively isolated our network and initiated the recovery process. As a result of these measures, Company’s business operations have been impacted," it said. "Consequently, revenues are expected to be reduced in some of our businesses. The Company would incur expenses in connection with the incident and the remediation."

Sun Pharma first reported the incident on March 2. Back then it said that the incident did not affect Sun’s core systems and operations. On March 27 the company said it was, at that time, unable to determine other potential adverse impacts of the incident.

Victim: Sun Pharmaceutical Industries Limited

Sun Pharmaceutical Industries Limited is an Indian multinational pharmaceutical company headquartered in Mumbai, that manufactures and sells pharmaceutical formulations and active pharmaceutical ingredients in more than 100 countries across the globe.

Reference: Sun Pharma eyes revenue hit due to ransomware attack
Incident: Rheinmetall’s Automotive Sector Hit by Cyberattack

German automotive and arms manufacturer Rheinmetall suffered a cyberattack on Friday, the company said. The attack hit Rheinmetall’s business unit that serves industrial customers, particularly in the automotive sector. The company’s defense division — which produces military vehicles, weapons, and ammunition — remained unaffected and continues to operate “reliably,” Rheinmetall’s spokesperson Oliver Hoffmann said in an email to Recorded Future News. Rheinmetall is currently investigating the extent of the damage and is in close contact with the relevant cybersecurity authorities, Hoffmann said.

UPDATE September '23, Reuters: “Normal production processes at these locations are currently experiencing significant disruption,” Rheinmetall said in a statement late on Thursday. “The IT infrastructure in the region has been shut down and is currently being rebuilt.”

The timing of the attack aligned with Rheinmetall's talks of constructing a new tank factory in Ukraine.

Victim: Rheinmetall AG

Rheinmetall AG is a German automotive and arms manufacturer, headquartered in Düsseldorf, Germany

Reference: German arms manufacturer Rheinmetall confirms cyberattack
Incident: German Biotechnology Company Evotec Shuts Down IT Systems

Evotec SE, the German biotechnology company, recently succumbed to a cyberattack. In a communiqué, the company said it preemptively shut down its IT systems as a result of the attack, disconnecting them from the internet. Evotec noted that its IT team is currently examining its IT systems to review the scope of the attack. “Highest diligence will be applied to data integrity,” it added in an announcement. Its Nasdaq shares appeared to be unaffected by the revelation, which described an IT network intrusion occurring on April 6.

The company has informed relevant authorities and said it had disconnected selected IT systems, but that it maintains business continuity at all global sites, prioritizing data integrity.

Victim: Evotec SE

Evotec SE (Nasdaq:EVO), the German biotechnology company

Reference: Evotec joins list of recent cyberattack targets in pharma
Reference: Oakland police union files claim against city, seeks damages over ransomware attack
Reference: Oakland declares local state of emergency over ransomware attack
Reference: Oakland acknowledges ransomware attack has worsened with massive new release of personal info
Incident: Lacroix Hit in Cyberattack

Global electronics maker Lacroix suffered a cyberattack that left three operating sites shut down, company officials said.

Lacroix said that during the night of Friday May 12 to Saturday May 13, it intercepted a targeted cyberattack on the French (Beaupréau), German (Willich) and Tunisian (Zriba) sites of its electronics activity. The company said it immediately took measures to secure all the Group’s other sites.

“Prior to restarting the systems of these sites, investigations are underway to ensure that the attack is completely contained,” the company said in a statement. “However, some local infrastructures have been encrypted and an analysis is also being carried out to identify any exfiltrated data.”

The activity of these three sites represents 19 percent of the group’s total sales in 2022. The company does not expect any significant impact on the Group’s performance.

Reference: Electronics manufacturer Lacroix closes three factories after cyberattack
Reference: Cyberattack Shuts Down 3 Lacroix Plants
Victim: Lacroix

Lacroix designs and manufactures electronic equipment in the automotive, home automation, aerospace, industrial and health sectors. It also provides safe, connected equipment for the management of critical infrastructures such as smart roads and the management and operation of water and energy systems.

Incident: City of Dallas Operations Widely Disrupted by Ransomware Attack

The City of Dallas, Texas, has suffered a Royal ransomware attack, causing it to shut down some of its IT systems to prevent the attack's spread. Local media reported that the City's police communications and IT systems were shut down Monday morning due to a suspected ransomware attack. This has led to 911 dispatchers having to write down received reports for officers rather than submit them via the computer-assisted dispatch system. The Dallas County Police Department's website was offline for part of the day due to the security incident.

"Wednesday morning, the City’s security monitoring tools notified our Security Operations Center (SOC) that a likely ransomware attack had been launched within our environment. Subsequently, the City has confirmed that a number of servers have been compromised with ransomware, impacting several functional areas, including the Dallas Police Department Website," explained a media statement from the City of Dallas. "The City is currently working to assess the complete impact, but at this time, the impact on the delivery of City services to its residents is limited. Should a resident experience a problem with a particular City service, they should contact 311. For emergencies, they should contact 911."

BleepingComputer has also confirmed that the City's court system canceled all jury trials and jury duty from May 2nd into today, as their IT systems are not operational. Dallas is the ninth largest city in the United States, with a population of approximately 2.6 million people.

Reference: City of Dallas hit by Royal ransomware attack impacting IT services
Reference: Ransomware attack hampering Dallas police operations
Victim: The City of Dallas

The City of Dallas, TX, USA

Incident: Ransomware Disrupts Operations at Italian Water Management Company

Alto Calore Servizi SpA, an Italian company that provides drinking water to nearly half a million people said a recent hack rendered all of their IT systems unusable.

The company runs the collection, supply and distribution of drinking water for 125 municipalities in Avellino and Benevento — two provinces in southern Italy. “It will not be possible to carry out any operations or provide information that requires querying the database,” the company said.

The organization did not respond to requests for comment about whether customers are impacted by the incident, but it appears the distribution of water is not affected by the attack.

The Medusa ransomware group took credit for the attack and said it took customer data, contracts, minutes from board meetings, reports, pipe distribution information, expansion documents and more.

Victim: Alto Calore Servizi SpA

Alto Calore Servizi SpA, an Italian company that provides drinking water to nearly half a million people, manages 58 million cubic meters of water a year.
The company runs the collection, supply and distribution of drinking water for 125 municipalities in Avellino and Benevento — two provinces in southern Italy. The government-run company also manages sewage and purification services for both provinces.

Reference: Italian water supplier serving 500,000 people hit with ransomware attack
Reference: Court records were lost in debilitating Vanuatu cyber attack
Incident: Qulliq Energy Corporation Servers in Nunavut Territory Hit by Wide-ranging Cyberattack

A wide-ranging cyberattack on the Qulliq Energy Corporation (QEC) in Canada’s Nunavut territory has crippled the company’s administrative offices. Officials with the company said the attack started on January 15 and while power plants are still operating normally, computer systems at the corporation’s customer care and administrative offices are unavailable.
The company cannot accept bill payment through credit cards but customers can pay using cash or through bank transfers. Customers are warned to watch their bank and credit card accounts regularly for unusual activity. They are also being told to consider changing personal passwords for sensitive applications such as email and online banking.

Victim: Qulliq Energy Corporation (QEC)

Qulliq Energy Corporation is a Canadian territorial corporation which is the sole electricity utility and distributor in Nunavut. It is wholly owned by the Government of Nunavut. Its name is derived from the qulliq, a traditional oil lamp used by Inuit and other Arctic indigenous peoples.

Reference: Cyberattack on Nunavut energy supplier limits company operations
Reference: Qulliq Energy stops short of labelling cyberattack another Nunavut ransomware incident
Reference: Ransomware attack exposes California transit giant’s sensitive data
Incident: T-Mobile Data Breach Hits 37 Million

U.S. wireless carrier T-Mobile said an unidentified malicious intruder breached its network in late November and stole data on 37 million customers, including addresses, phone numbers and dates of birth.

T-Mobile said in a filing with the U.S. Securities and Exchange Commission that the breach was discovered Jan. 5. It said the data exposed to theft — based on its investigation to date — did not include passwords or PINs, bank account or credit card information, Social Security numbers or other government IDs.

"Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time," T-Mobile said, with no evidence the intruder was able to breach the company's network. It said the data was first accessed on or around Nov. 25.

T-Mobile, based in Bellevue, Washington, became one of the country's largest cellphone service carriers in 2020 after buying rival Sprint. It reported having more than 102 million customers after the merger.

Reference: T-Mobile says breach exposed personal data of 37 million customers
Incident: T-Mobile Hit Again

While it may seem like a small attack, T-Mobile disclosed its second data breach this year after the company found that attackers had accessed the personal information of over 800 customers in late February.
The first breach, which the company discovered in early January, hit 37 million customers. This attack affected 836 customers, according to a notification to the Maine Attorney General’s office.
The breach occurred between Feb. 24 and March 30, according to the notification. The Bellevue, Washington-based T-Mobile said it discovered the issue March 27. The information the attackers acquired consisted of name and driver’s license number or non-driver identification card number.

Reference: Another T-Mobile Data Breach
Victim: T-Mobile

Wireless service provider.

Incident: ABB Hit in Cyberattack, Operations Suffer

Swiss multinational company ABB, an electrification and automation technology provider, suffered a cyberattack that disrupted its operations.
Zurich, Switzerland-based ABB released a statement on the incident:
“ABB recently detected an IT security incident that directly affected certain locations and systems.
“To address the situation, ABB has taken, and continues to take, measures to contain the incident. Such containment measures have resulted in some disruptions to its operations which the company is addressing. The vast majority of its systems and factories are now up and running and ABB continues to serve its customers in a secure manner.”

Reference: ABB Suffers Cyberattack
Reference: Multinational tech firm ABB hit by Black Basta ransomware attack
Victim: ABB

The automation industry giant is also a major electrical equipment and robotics company. It reported revenue of nearly $30 billion in 2022 and has more than 105,000 employees across the globe. ABB also “operates more than 40 U.S.-based engineering, manufacturing, research and service facilities.”

Victim: Khanty-Mansiysk city, Russia

As the world's second-biggest oil-producing region (before western sanctions hit Russian oil), Khanty-Mansi was the center of the old Soviet oil industry.

Reference: Team OneFist Destroys Natural Gas System At Russian Oil Hub, Knocks Power Plant And Airport Offline
Incident: Taxi Ride Hailing Service in Quebec Hacked

A ransomware gang breached Taxi Coop Quebec's ride-hailing back-end systems. During the attack, staff at the coop shut down all servers while they recovered. After 2.5 hours, at 4:30 AM, 90% of system functionality was restored and taxis could be dispatched again.

Reference: Taxis Coop Québec victim of a cyberattack
Victim: Taxi Coop – ride hailing service

Taxi Coop Quebec's ride hailing service

Incident: System Outage at Canadian Food Manufacturer Maple Leaf Foods after Ransomware Attack

Maple Leaf Foods has confirmed that it was struck by ransomware. The company stated that it will not pay any ransom and expects that "full resolution of the outage will take time and result in some operational and service disruptions." "The outage is creating some operational and service disruptions that vary by business unit, plant and site." This confirmation comes after the Black Basta ransomware gang listed Maple Leaf Foods as one of its victims. IT World Canada reached out to confirm whether Black Basta was responsible for the ransomware attack. A Maple Leaf Foods representative said that the company “won’t dignify criminals by naming them.”

UPDATE: On March 9, four months after the incident, the company released financial results showing that the attack cost over US$16.5M. Maple Leaf Foods President and Chief Operating Officer Curtis Frank said: "We are immensely proud of how our team responded in the face of this crisis. In less than 48 hours, we were able to pivot our organization to operate in a fully manual process, basically going back to paper and pencils. With remarkable pace, our information systems team cleaned, rebooted and restored our systems, allowing us to start back on the road to recovery."

Victim: Maple Leaf Foods

Maple Leaf Foods Inc. is a Canadian consumer packaged meats company.

Reference: Maple Leaf Foods confirms cyberattack, will not pay ransomware gang
Reference: Canada’s Maple Leaf Foods hit by cyberattack
Reference: Hacking at Cartonnerie Gondardennes deciphered by Damien Bancal, journalist specializing in cybersecurity
Incident: Hackers Shut Down Production at Cartonnerie Gondardennes in France

A cardboard box manufacturer in Wardrecques, France was hit by a cyberattack, most likely ransomware (Fr: "piratage"). Production was shut down and workers were sent home. News reports are all in La Voix Du Nord, which unfortunately is paywalled, but the headlines and synopsis say enough. The company's systems were decrypted by a journalist, Damien Bancal, and the ransom was not paid.

Victim: Cartonnerie Gondardennes

French manufacturer of corrugated board and packaging made from recycled paper.

Incident: OT Systems Impacted at HiPP, a German Baby Food Manufacturer

HiPP, a Pfaffenhofen, Bavaria-based baby food manufacturer, was hit by a cyber attack which affected its IT and OT systems. The company sells its baby food worldwide. The company was not forthcoming with many details as to the nature of the attack, but the Central Office for Cybercrime Bavaria (ZCB) was involved in the investigation into the incident. Production was halted for days after the incident, and over 1,000 employees were unable to work and were sent home.

Reference: HiPP hacked
Incident: Novosibirsk Transportation System Attacked by pro-Ukrainian Hacker Group

Pro-Ukrainian hacktivist collective Team OneFist, allegedly created with the help of the IT Army of Ukraine, attacked the Novosibirsk City Transport Traffic Management System in Operation Yellow Submarine beginning on September 2nd, 2022. OneFist's founder, known as "Voltage" (@SpoogemanGhost), claimed that the operation was "long-planned" and that the IT infrastructure had been breached about a month before the attack.

Due to the attack, city transportation officials lost visibility of traffic conditions and were unable to coordinate traffic flows. The automated bus scheduling system as well as the electronic signs on buses and trolleys were damaged in order to hamper quick restoration and recovery. Voltage also explained that the attack paralyzed the city and that the traffic problems remained for several days until the system was restored, forcing many commuters to walk. During the attack, Team OneFist downloaded data and was in the process of deleting data when Russian officials mitigated the damage by removing access to the system.

Threat Actor: Team OneFist

A group of volunteer cyber operatives founded in 2022 that has been making waves by taking on Russia, imposing costs and pain on the Russian economy.

Victim: Novosibirsk City Transport, Russia

Novosibirsk City

Reference: Pro-Ukrainian Team OneFist attacks Novosibirsk transportation system in Operation Yellow Submarine in September 2022
Reference: Russians In Novosibirsk Forced To Pound Pavements As Team OneFist Paralyzes Traffic – Exclusive
Incident: Hackers Paralyzed Computer System at Austrian Lighting Manufacturer EGLO

Ransomware attack has paralyzed the global group's computer system since Monday.

The Tyrolean lighting company Eglo, based in Pill (Schwaz district), has fallen victim to a cyber attack. As the "Tiroler Tageszeitung" (Wednesday edition) reported, the globally active group with 5,700 employees had been struggling with a global failure of its computer and telephone systems since Monday. A technical breakdown was finally ruled out on Wednesday. The ransomware attack happened on Monday night.

The attack impacted production for 12 days. Orders could not be processed or shipped.

Victim: EGLO

EGLO is an Austrian family business and a manufacturer of living room and outdoor lights as well as light sources with a focus on LEDs. The company headquarters are in Pill (Tyrol). The company operates worldwide with 5,500 employees and 94 sales companies.

Reference: Tyrolean lighting manufacturer Eglo hit by cyber attack
Incident: Ransomware Attack Halts Public Postal Services in Greece

Ransomware hit ELTA, encrypting its systems and halting operations in a major service disruption. "Threat actors exploited an unpatched vulnerability to drop malware that allowed access to one workstation using an HTTPS reverse shell." To stop the spread, ELTA shut down all of its data centers. Online parcel tracking and labelling were also down for customers. Full service was restored by April 6th. The attack affected the mail system, financial transactions and bill payments.

Victim: Hellenic Post, ELTA

National postal services in Greece

Reference: Greece’s national postal service restoring systems after ransomware attack
Reference: Greece’s public postal service offline due to ransomware attack
Incident: Cyberattack Significantly Reduced Caledonian Modular’s Operating Capability

Offsite specialist Caledonian Modular was hit by a catastrophic cyber attack less than two weeks before it sank into administration, a report into the firm’s collapse has revealed. The loss-making firm, which was trying to strike new funding agreements in the days before administration, was also hit by a massive cyber attack on 24 February, 12 days before the administrator was formally appointed on 8 March.

The administrator’s report said the attack “infected its servers and encrypted its data. This reduced the company’s operating capability and would have required significant cost to remedy. It also restricted the information that could be provided to third parties as part of funding negotiations.”

Later, JRL bought Caledonian Modular out of administration and saved the jobs of 200 former workers.

Victim: JRL Modular – formerly Caledonian Modular

In 2022 Caledonian Modular, the UK's largest modular housebuilder, was bought out of administration by concrete frame specialist JRL. The JRL Group offers integrated construction solutions and operates more than 14 divisions.

Reference: Caledonian hit by crippling cyber attack just days before it sank into administration
Reference: The Cybercriminal Ecosystem: Evolution and Extortion
Incident: Hackers Paralyze the Only Newsprint Facility in Switzerland

The machines at the Perlen paper factory in the Lucerne town of the same name came to a standstill due to a hacker attack. Newsprint and LWC production at Perlen and packaging production in Müllheim, Germany, which had been down since 7 January, restarted six days later on January 13. The chemistry division was not affected and was therefore able to continue production normally.

The factory normally outputs 1400 tons of newsprint paper per day. In a statement, the CPH Group said all IT systems were shut down on the 7th out of an abundance of caution and to contain any spread, strongly suggesting but not confirming that they were a ransomware victim. They resumed production on January 13, after 6 days of downtime.

Reference: Ad hoc announcement pursuant to Art. 53 LR Cyber attack on IT systems of the CPH Group
Reference: CPH to restart operations in Perlen and Müllheim tomorrow
Victim: CPH Chemie Papier Holding AG

CPH Chemie Papier Holding AG is a Switzerland-based company that develops, produces and distributes chemicals, papers and packaging films.

Incident: Israeli Water Monitoring Systems Hit in Cyber Attack

Several water monitors, which oversee irrigation systems and wastewater treatment systems, were not operational this past Sunday after a cyber attack targeted the systems.
Specifically, water controllers for irrigating fields in Israel’s Jordan Valley suffered damage, along with control systems for the Galil Sewage Corporation.
Workers for the two systems worked throughout the day to get the systems back up and running. The source of the cyberattack, however, is unknown, according to a report in the Jerusalem Post.

Reference: Cyber Attack Affects Water Monitoring Systems
Reference: Cyber attack shutters Galilee farm water controllers
Victim: Irrigation controls on Farms in Northern Israel.

Farmers in the region were warned several days prior about suspicions over a planned cyber attack, according to the report. Some of them, as a result of the warning, disconnected the remote control option for their irrigation systems and switched them to manual operation, instead, to prevent any harm from the attack. Indeed, those who left their systems on remote control were the ones impacted by the attack.
The National Cyber Organization warned the previous week about the increase in attempts at cyber attacks by anti-Israeli hackers throughout the month of Ramadan. Indeed, Israeli media agencies, medical websites, government websites and university websites all faced massive cyber attacks throughout the past week, including throughout the Passover holiday.

Incident: Ransomware Attack at NCR

NCR is suffering an outage on its Aloha point of sale (PoS) platform after being hit by a ransomware attack claimed by the BlackCat/ALPHV gang.
NCR provides digital banking, point of sale (PoS) systems, and payment processing solutions for restaurants, businesses, and retailers.
On Friday, NCR released a statement saying: “On April 13, NCR determined that a single data center outage that is impacting some functionality for a subset of its commerce customers was caused by a cyber ransomware incident. Upon such determination, NCR immediately started contacting customers, enacted its cybersecurity protocol and engaged outside experts to contain the incident and begin the recovery process. The investigation into the incident includes NCR experts, external forensic cybersecurity experts and federal law enforcement.”

Reference: NCR suffers Aloha POS outage after BlackCat ransomware attack
Reference: NCR Hit in Ransomware Attack
Victim: NCR

NCR provides digital banking, point of sale (PoS) systems, and payment processing solutions for restaurants, businesses, and retailers.

Incident: Ransomware Attack at Major Tesla Competitor, NIO

Chinese electric vehicle manufacturer Nio revealed a major data breach. The hack exposed certain confidential customer and vehicle sales-related information before August 2021. It is believed the hackers demanded $2.25 million worth of Bitcoin in exchange for not leaking their internal data.

Victim: NIO

Chinese electric car maker and major Tesla rival.

Reference: Chinese Tesla Rival Falls Victim to Bitcoin Ransomware Attack
Incident: A Year After Devastating Ransomware Attack, Electric Utility Company NV GEBE is Still Recovering

On March 12, 2022, NV GEBE, its customers, and the entire St. Maarten community faced a devastating ransomware attack. As a result of the hack, the entire customer database, financial data and other business data were encrypted. GEBE closed its doors temporarily on March 17.

A year later it is reported that NV GEBE has been steadily rebuilding its customer databases and billing systems. These processes have required more time than initially anticipated because of the complexity and intricate attention to detail required.

Victim: N.V. GEBE

Electric utility company in Philipsburg, Sint Maarten

Reference: NV GEBE files case against investigators of cyber-attack
Reference: Lack of Management Facilitated Cyberattack on GEBE
Reference: GEBE made it easy for hackers, no audit and proper cyber security measures were not in place.
Reference: NV GEBE Reflects on the 2022 Cyber-Attack with Renewed Commitment to Security and Resilience
Incident: Ransomware Attack Erases Ambulance Appointments for Next Few Weeks

The Trois Cantons ambulances in Peyrehorade were the victims of a ransomware attack. They have lost all their files and appointments for the next few weeks. It is not known which patients were scheduled, or at what times. Telephone numbers are also lost. Patients are invited to call the Three Cantons ambulances as soon as possible on 05 58 73 00 63. On Wednesday, December 7, the ambulances operated with "pencil and paper".

Victim: Landes Ambulances

Small ambulance organization covering the area of the Three Cantons in Peyrehorade, in the south of the Landes, France.

Reference: Landes: victim of a cyberattack, an ambulance company appeals to its patients
Incident: Production Outage after Massive Ransomware Attack at Italian Fruttagel

Fruttagel, an agricultural cooperative company from Ravenna, suffered an external computer attack. The attack partially and temporarily compromised the company's information systems. "The company - reads the note - promptly activated all the emergency procedures, resorting to the expertise of its personnel and cybersecurity experts. However, it was not possible to avoid huge production damages, with the consequent temporary impossibility of sending its products to all customers. The IT system check and recovery will take a few days, with the hope of being able to restart shipping activities on Thursday 15 December".

"What happened, despite our prompt reaction, is making it impossible to carry out all the production activities and to follow up with the shipment of the packaged products, with considerable damage for the company and obviously for our customers," says Stanislao Fabbrino, managing director of Fruttagel.

On January 7, BlackCat/ALPHV published more than 720 gigabytes of corporate data, stating that it includes financial and corporate documents, customer data, contracts with companies like IKEA and PepsiCo, SGS certificates, private data, GDPR files, employee contacts, management records, a large customer base including global companies, and drawings of the company’s products.

Reference: Fruttagel Italian ransomware attack claimed by BlackCat cybergang
Reference: BlackCat/ALPHV Ransomware Victim: Fruttagel
Victim: Fruttagel

Fruttagel is an Italian agricultural cooperative company that produces and distributes finished and semi-finished fresh fruit and vegetables.

Reference: Fruttagel suffered a cyber attack. “Massive damage to the company”
Incident: Italian Oven Manufacturer Suspends Production after Cyberattack

UNOX was the victim of a cyber attack. The company immediately activated its security protocols, blocking the attack. As a safety measure, the company initially suspended production activities for 2 days as a precaution in order to carry out the appropriate checks. Since Wednesday 14 December all production activities have restarted in total safety. The company states there is no risk to short-, medium- or long-term business continuity.

Victim: Unox Ovens

Unox is the leading Italian manufacturer of professional ovens.

Reference: Hackers attack Unox, suspended activities for two days: “No data loss”
Incident: Cyberattack at Technolit GmbH, Employees sent Home

The company Technolit from Grossenlüder has been hit by a cyber attack. The company can currently only be reached by telephone at its head office. Most of the employees were sent home because they are currently unable to work. The company's entire IT infrastructure was affected by the attack.

Managing Director Stephan Günther explains the current situation: "We have become the victim of a cyber attack." The company is currently in contact with the responsible authorities. Further information could not yet be released.

Victim: Technolit GmbH

Technolit GmbH is a trading company founded in 1979 and based in Grossenlüder, Germany. It includes the areas of welding technology, chemical-technical products, grinding and cutting technology, tools and machines as well as workshop supplies for trade and motor vehicles.

Reference: Cyber attack against Technolit – operations paralyzed – ZIT investigating
Incident: Bl00dy Ransomware Gang Targets Italian Steel Manufacturing Group Lucchini RS

The cybergang Bl00dy ransomware claims a cyber attack against the Italian Lucchini Group. The gang reported this within its Telegram channels. No official statement from the company has been published.

Threat Actor: Bl00dy ‘bloody’ Ransomware Gang

The Bl00dy 'bloody' cybergang was identified in September 2022 and has been described as a "son of LockBit": it used the builder leaked from the famous criminal gang to create its own strain of malware, which encrypts files with the extension .bl00dy.

However, according to experts, the group is continuously moving from one malware to another, for two reasons: it can avoid detection, and it gets the benefit of the functions of the various malware families at its fingertips.

Victim: Lucchini RS SpA

Lucchini RS SpA (formerly Lucchini Sidermeccanica SpA) specializes in the production of rolling stock components for trains, trams and metros (wheels, rims, railway axles and complete wheelsets). It is also active in the production of forgings, castings, tool steels and forging ingots.

The company's headquarters are in Brescia, but the production plant is in Lovere (Bergamo) where the entire steel production process is present: steelworks, forging, foundry, running mechanics and heavy mechanics.

It is an Italian company, owned by the Lucchini family (through the Sinpar SpA holding), that was separated in July 2007 from the rest of the Lucchini Group, which remained the property of the Russian Severstal group.

Reference: Bl00dy ransomware targets the Italian Lucchini Group
Reference: Cyber attack that EPM suffered this week occurred from the Ituango Power Plant
Incident: Black Basta Hacks Systems of Engineering Firm that Designs Hundreds of US Power Stations

Sargent & Lundy, a Chicago-based construction and engineering firm, fell victim to a Black Basta ransomware attack. The hack exposed information on over 6,900 individuals belonging to multiple electric utility companies. The organization works as a US government contractor handling critical infrastructure projects across the country.

The firm also handles nuclear security issues, working alongside the departments of Defense, Energy, and other agencies. Federal officials closely monitored the potential broader impact on the US power sector, though it is being reported that no other power-sector firms were involved.

Victim: Sargent & Lundy

Engineering firm Sargent & Lundy LLC specializes in professional services for electric power and energy intensive clients. The Company offers nuclear power, power delivery, and consulting services. Sargent & Lundy serves customers throughout the United States.

Reference: Black Basta ransomware allegedly struck an engineering firm
Reference: Black Basta stole data from numerous US electric utilities
Reference: EPM Falls Victim To Ransomware Attack
Reference: Royal Ransomware Victim: Mol
Incident: Cyberattack at Vehicle Wheel Manufacturer in Brazil

Brazilian automobile components manufacturer Iochpe-Maxion announced that it had suffered a cyberattack on December 5 in its IT environment. The attack resulted in the unavailability of part of its systems and operations in some units in Brazil and abroad.

The company explained in a statement sent to the Brazilian Securities Commission that it had activated its security protocols to contain the cyberattack and isolated some of its systems to protect the environment. The company confirmed that, together with its specialized advisors, it was acting diligently and making every effort to identify the causes of the incident, determine its extent and mitigate its effects.

Reference: Iochpe Maxion S A : 12/06/2022 Material Fact -Cyberattack
Victim: Iochpe-Maxion

Iochpe-Maxion is a Brazilian wheel and automotive component manufacturer with locations in Brazil and abroad.

Incident: Cyberattack at Czech Institute of Nuclear Research Did Not Threaten Reactor Operations

The Institute of Nuclear Research Řež was attacked by a hacker group. The attack only hit the institute's business and financial systems, which caused, for example, a delay in paying wages. The technological systems remained intact, and the operation of the reactors was not threatened by the attack.

Hackers penetrated the institute's internal system using ransomware, which blocks the computer system and encrypts the data stored on it, then demands a ransom from the user for data recovery.

Reference: Institute of Nuclear Research in Řež attacked by hackers, no sensitive data leaked
Victim: Řež Institute of Nuclear Research

The Řež Institute of Nuclear Research, in the Czech Republic, is primarily concerned with the safe and efficient operation of energy sources, especially nuclear ones. It also focuses on the development, production and distribution of radiopharmaceuticals in the field of nuclear medicine.

Reference: Hackers attacked the Institute of Nuclear Research Rez
Reference: Rackspace: Customer email data accessed in ransomware attack
Reference: Rackspace confirms Play ransomware was behind recent cyberattack
Reference: Rackspace confirms ransomware attack after Exchange outages
Reference: Rackspace ‘security incident’ causes Exchange Server outages
Reference: Press Release: Cybercrime
Incident: Cyberattack at SPTrans System in Sao Paulo Exposes Data of 13 Million Riders

On December 15, 2022, SPTrans became aware that its systems had experienced a cyber-attack resulting in the leak of personal data of 13 million users of Bilhete Único, the public transportation card of the city of São Paulo. The Bilhete Único cards remain active and the respective balances are preserved, with no losses in the credits used in the transport service.

The exposed data is from the month of April 2020 and includes social name, birth date, Individual Taxpayer Registration (CPF), national ID card, address, phone number, email and student enrollment, among other fields. The Cyber Crimes Division (DCCIBER) of the Criminal Investigations Department (DEIC) of the São Paulo State Civil Police has been notified, among others, so that a criminal investigation can be initiated to verify the authorship and origin of the leak.

Victim: SPTrans system, Sao Paulo, BR

The SPTrans system, the company responsible for managing public transport in the city of São Paulo, Brazil.

Reference: SPTrans cyberattack results in data leak of 13 million users of Bilhete Único
Reference: Hacker invades SPTrans system and 13 million Bilhete Único users have data exposed
Incident: Central Ohio Transit Authority (COTA) Offline after Cyberattack

A cyber hack forced the Central Ohio Transit Authority (COTA) to shut down its computer network. Officials shut down the network, removed it from the internet and hired Surefire Cyber to collect and analyze data and logs from 590 COTA operating systems. COTA continued operating all transit services during the IT network outage. For weeks, riders didn't have Wi-Fi access and couldn't track real-time transit information or plan trips. All operations have since returned to normal.

There is no indication that "personally identifiable information was accessed" and that "there are no active, ongoing cyber-security threats within our systems," said Sophia Mohr, COTA's chief innovation and technical officer.

Reference: COTA buses still don’t have Wi-Fi, riders can’t track real-time info following December hack
Reference: COTA’s data breach investigation is complete. Was sensitive information compromised?
Incident: Operations of ÖBB, Austrian Federal Railways, Disrupted by Cyberattack

The ÖBB confirms that it is not a technical fault but a DDoS attack. There have been massive problems at ÖBB since Friday morning. The website is very slow or not accessible at all. According to user complaints, online ticket purchase is not possible at all, or the purchase price is debited several times. ÖBB wrote on Twitter that there was a technical problem and that a solution was being worked on. The cause of the problem was not mentioned.

ÖBB has now confirmed to futurezone that it was a DDoS attack. Accordingly, all online services of ÖBB were affected. According to ÖBB, the problem was fixed at 12:30 p.m. If you visit the ÖBB website, it is still sometimes not available (as of 2:22 p.m.). It will probably take some time for the situation to normalize.

Victim: ÖBB-Infrastruktur AG

Austrian Federal Railways. As a mobility and logistics service provider, Austrian ÖBB transported a total of 323 million passengers and over 94 million tons of goods to their destinations in 2021. ÖBB invests more than three billion euros per year in rail infrastructure. 42,000 employees in bus and rail, and 2,000 apprentices, ensure that up to 1.3 million passengers and around 1,300 freight trains arrive safely at their destinations every day.

Reference: DDoS attack: ÖBB website and ticket sales disrupted
Incident: Production Disrupted at Belgian Truckbuilder Mol after Cyberattack

Mol Cy, the company in Belgium that builds trucks, trailers and soon also armored vehicles, was hit by a ransomware attack. A week later, the company is still rebuilding the network. According to the CEO, production was not compromised. “Supplies had just taken place and orders were in progress. Our production was of course disrupted, but in the end it did not come to a standstill. It was a bit more difficult to work at a number of workstations where computers provide information. But our staff managed to make do.” In recent days, about 50 employees have been at home for a while. “Especially our administrative staff cannot do their work without a PC and network. Unfortunately, they were temporarily unemployed.”

Victim: Mol cy

Mol cy builds trucks, trailers and soon also armored vehicles, and employs around 500 people. Founded in 1944. Located in Hooglede, Belgium.

Reference: “Suddenly all printers printed the same message”: hackers demand a ransom from a company that builds vehicles for the Belgian army
Incident: Business Operations Continue Manually After Cyberattack at Textile Logistics Company

On December 6th there was a successful cyber attack on the systems of the well-known textile logistics company Meyer & Meyer. The company can still be reached, but various processes had to be converted to manual work. The extent of the damage caused by the cyber attack is currently being checked and the system has started to be restored. "We reacted quickly and decisively to the targeted attack," says Björn Plantholt, who is responsible for corporate communications at Meyer & Meyer. The company was able to maintain part of the business operations after the cyber attack, despite the systems being shut down, by switching to manual processes.

Victim: Meyer & Meyer

Osnabrück-based textile logistics company Meyer & Meyer has 1,800 employees and a turnover of 200 million. Meyer & Meyer is a service provider that focuses on the entire value chain of the textile industry, supporting fashion companies across all services in that value chain. The company calls this principle “From Sheep to Shop”.

Reference: Cyber attack on logistics company
Incident: Daixin Threatens To Publish Network Vulnerabilities After AirAsia Does Not Pay

AirAsia has apparently fallen victim to a major ransomware attack by the Daixin Team gang. More than five million records, alleged to be from customers and staff, were exposed online. The claim has not been verified or confirmed by AirAsia. The attack was first reported on Twitter by security researchers, with screenshots taken from the dark web.

The group shared a sample of the data with AirAsia after encrypting its database and demanded an undisclosed fee to unlock it. Daixin Team said they avoided locking up critical files related to flying equipment. They did lock out access to staff and passenger records until payment is made.

Daixin Team says it plans to publish details of the AirAsia network because AirAsia did not intend to pay the ransom. Posting access details and information about flaws in the network on open hacker forums could leave the airline exposed to further malicious groups. The group claimed full responsibility for any future negative consequences caused by its actions.

Reference: Daixin Team claims AirAsia ransomware attack with five million customer records leaked
Victim: AirAsia

AirAsia is the largest airline in Malaysia. It has some 22,000 employees from 60 nationalities and is based in Kuala Lumpur, from where it operates both domestically and to more than 165 destinations worldwide.

Incident: Cyberattack Forces French Hospital to Cancel Operations

Hospital Centre of Versailles, near Paris, canceled operations and transferred some patients due to a cyber attack suffered over the weekend.

The computers at the hospital were infected with ransomware, and the threat actors demanded a ransom.

“A ransom, the amount of which I do not know, has been requested but we do not intend to pay it,” assured Delepierre, who is also mayor of Chesnay-Rocquencourt. Health Minister Francois Braun told AFP that six patients had been transferred since the evening the attack began, three in intensive care and three from the neonatal unit.

The hospital is still facing problems, and it cannot be excluded that other patients will be transferred to other facilities. “While the machines were still functioning in the intensive care unit, more people were needed to watch the screens as they were no longer working as part of a network,” Braun said, as reported by AFP.

In France, the law prohibits public establishments from paying ransoms.

Victim: Hospital Centre of Versailles

Hospital Centre of Versailles, near Paris, includes Andre-Mignot Hospital, Richaud Hospital and the Despagne Retirement Home.

Reference: French hospital cancels operations after a ransomware attack
Incident: Maritime Tech Giant Voyager Worldwide Takes Systems Offline

Singapore-based maritime technology solutions provider Voyager Worldwide was reported to have been hit by a cyber attack at the beginning of December. From December 2nd all systems were taken offline at the navigation services and solutions provider. The company has more than 1,000 shipping companies as customers around the world.

“As this is an ongoing investigation, and our priority is keeping the impact of the incident contained, the time frame for recovery could shift,” Voyager stated on its site.

Reference: Voyager Worldwide reportedly hit by cyber attack
Reference: Shipmanagement software vendors targeted by hackers
Victim: Voyager Worldwide

Voyager Worldwide is a leading maritime technology company. It provides navigation and maritime information solutions for shipping and adjacent industries.

Incident: Databreach at Montreal Car-Sharing Service Communauto

Communauto, the Montreal-based car-sharing service, confirmed on Friday that its computer systems were hit with a cyber attack. The attack compromised the personal information of some of its clients, including member numbers, names, and email and civic addresses. The attackers did not gain access to user passwords or credit card numbers.

In a letter sent to subscribers, the president and CEO of Communauto, Benoît Robert, explains that the company managed to obtain “reasonable assurance that the data to which [the hackers] could have had access” were destroyed. This attack “paralyzed many of our activities and explains some delays in the management of accounts payable and invoicing”, he indicated. The investigation is continuing to determine more precisely what data was stolen.

Reference: Communauto hit by cyber attack
Reference: Communauto victim of a cyberattack
Incident: Large Australia Energy Provider Hit by a “Cyber Incident” Impacting Small Percentage of Customers

One of Australia's largest energy providers has been hit by a "cyber incident" as a wave of data breaches impacts big companies across the nation. AGL reported "elevated levels of suspicious activity" on its "My Account" platform on December 1. 9News understood that a small percentage of customers - about 6000 - have been impacted. "Based on current analysis it appears malicious actors have used stolen credentials acquired externally (such as usernames and passwords used elsewhere by customers) to log into a number of customer accounts."

Victim: AGL

AGL is one of Australia's largest energy providers.

Reference: Energy company AGL reports cyber incident
Reference: AGL hit by ‘cyber incident’ causing customer account lockdown
Incident: Cyberattack at Eesti Energia, Estonia

The website and online channels of state electricity generator Eesti Energia and some of its related companies are offline following a large-scale denial-of-service attack thought to have been conducted by pro-Kremlin hackers. The attack has affected Eesti Energia's site and mobile app, as well as grid maintenance firm Elektrilevi's website and its MARU mobile app, ERR reports.

At a little before 10.15 a.m. on Saturday morning, the State Information System Authority (RIA) discovered that the online services of five Estonian companies had started malfunctioning, including those of Eesti Energia. "Due to these attacks, in addition to Eesti Energia's site, websites included those of Elektrilevi and [Eesti Energia subsidiary] Enefit Green." The incidents coincided with similar and simultaneous attacks on key sites in Latvia, Poland and Ukraine.

Victim: Eesti Energia

Eesti Energia is the state electricity generator, based in Tallinn, Estonia.

Reference: Eesti Energia website down after pro-Kremlin cyberattack
Incident: Bitcoin ATM Manufacturer Suffers Attack

General Bytes, a manufacturer of Bitcoin ATMs, disclosed a security incident that resulted in the theft of millions of dollars’ worth of funds. Attackers were able to steal cryptocurrency from the company and its customers using a zero-day vulnerability in its BATM management platform.

In terms of the March 17-18 incident, here is what General Bytes said happened:

The attacker identified a security vulnerability in the master service interface used by Bitcoin ATMs to upload videos to the server.
The attacker scanned the Digital Ocean cloud hosting IP address space and identified running Crypto Application Server (CAS) services on port 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider).
Using this security vulnerability, the attacker uploaded his own application directly to the application server used by the admin interface. The application server was by default configured to start applications in its deployment folder.

Reference: Bitcoin ATM Maker Reimbursing Attack Victims
Victim: General Bytes

General Bytes makes Bitcoin ATMs that allow people to purchase or sell over 40 cryptocurrencies. Customers can deploy their ATMs using standalone management servers or the General Bytes cloud service. The company has machines in over 120 countries.

Reference: Communauto is asking the boroughs for help to meet demand in Montreal
Reference: Cyber attack: pipeline builder Friedrich Vorwerk fell victim to ransomware
Reference: Medibank says hacker accessed data of 9.7 million customers, refuses to pay ransom
Incident: IT Systems of Hydraulic Office of Corsica Attacked by Ransomware

The Hydraulic Office of Corsica was hacked on the night of November 2 to 3. The agents were faced with 33 completely blocked computer systems. They immediately took them offline after the malfunctions were noted. A ransom, the amount of which has not been disclosed, has been demanded.

Two weeks after the event the organization published a press release, explaining that it had needed time to analyze and evaluate the damage to its IT infrastructure before deciding what to do. It stated that essential activities are being carried out normally and that "those relating to customer management will quickly be back to normal". The problem remains mainly with the accounting and financial management of the organization: a large part of the historical data has been encrypted, "making this data inaccessible at this moment".

Reference: Cyberattack: The OEHC refuses to negotiate, and promises a return to normal as soon as possible
Reference: The computer system of the Hydraulic Office of Corsica blocked by a cyberattack
Victim: OEHC – Hydraulic Office of Corsica

Hydraulic Office of Corsica

Incident: Ransomware Attack Encrypts Systems at German Medical Device Manufacturer Richard Wolf

The medtech company Richard Wolf was the victim of a cyberattack in early November. After almost three weeks, almost all restrictions on telephone and email accounts have been lifted. By the end of November, all restrictions on the logistics IT should also be removed. The company is being supported by an external IT forensics expert throughout the security process. The cybercriminals were able to infiltrate the network using sophisticated malware.

Richard Wolf had prepared for precisely this scenario in recent years by taking technical and organizational precautions, employing specialist personnel, conducting internal training and consulting externally. Thanks to these safeguards, the systems holding data were largely protected, but they were encrypted in an attempt to extort money from the company. The company did not respond to the ransom demand.

Reference: After cyber attack: Richard Wolf available again
Reference: Cyber attack on Richard Wolf GmbH: Restrictions on communication have been largely reduced, logistics gradually return to normal operations
Victim: Richard Wolf GmbH

Richard Wolf is a full-range supplier of endoscopic products in Germany.

Incident: 55 Counties in Arkansas Offline or Temporarily Closed by Cyberattack

A cyber-attack is causing county offices across the state of Arkansas to go offline or temporarily close. The breach happened the Saturday before the election. There are 55 counties in Arkansas that were impacted by this ransomware attack. Each affected county uses the company Apprentice Information Systems for its online servers.

In Miller County, the county treasurer, the county clerk and the county judge's offices are all having their computers wiped clean and the system reloaded. County Treasurer Teresa Reed says the firewall protected their system, but all the workstations were compromised. Right now, her office is handwriting everything.

At this time (18 November), county officials do not have a timeframe for when their computers will be back online.

Reference: Russians said to be behind hack that hamstrung Lonoke County operations
Victim: Arkansas Government

Arkansas Government, USA

Reference: Cyber-attack affects several northern Arkansas county offices
Reference: Miller County offices impacted by cyber attack
Incident: Ransomware Attack Paralyzes Vanuatu’s Government Ministries and Departments

The Office of the Vanuatu Government Chief Information Officer (OGCIO) has confirmed that the Government’s Broadband Network has been compromised since Sunday, November 6, 2022. As a result, all online services offered by the government, such as email, network shares and VoIP, are currently down. This has paralysed all government ministries and departments, causing widespread delays throughout the country.

The cyber attackers demanded a ransom after the network was initially crippled last week, but Vanuatu’s government has refused to pay. The identity of the hackers and the value of the ransom have not been released. The Australian Cyber Security Centre in the Australian Signals Directorate is assisting Vanuatu’s government in rebuilding the system, according to foreign affairs and security officials familiar with the situation. Vanuatu’s government has now been without effective access to its internal systems for more than a week as engineers attempt to rebuild the entire system from scratch.

Victim: Vanuatu Government

Vanuatu Government

Reference: Ransom attack cripples Vanuatu government systems, forces staff to use pen and paper
Reference: Vanuatu Govt network paralysed by cyber attack
Incident: Over 800 Greece Government Services Targeted in Unprecedented Cyberattack

More than 800 services of Greece’s and TAXISnet, as well as medical prescriptions, were frozen by an unprecedented DDoS attack. The cyberattack reportedly came from the Netherlands and attempted to temporarily take down or even completely stop the operation of approximately 800 government websites. Among the problems caused was the disabling of electronic prescriptions. Doctors on call could only issue handwritten prescriptions over the weekend, on-call pharmacies could not fill emergency prescriptions, and hospital doctors could not prescribe to patients in emergency rooms.

As of Sunday afternoon (two days later), about 600 websites had been “cleaned up” and were accessible again after their settings were reinitialized.

Victim: Greece Government

Greece Government

Reference: 800 Services of Greece’s Taken Down By Hackers
Incident: French Oncology Hospital Suspends Treatments for 4 Days after Ransomware Attack

Saint-Jean Oncology and Radiotherapy Center was the victim of a ransomware-type cyberattack affecting its Saint-Doulchard and Moulins sites. This paralyzed its information system. It affected all data, in particular patient files (administrative data, medical and technical data).

The Center was forced to suspend its chemotherapy and radiotherapy activities from November 15 to 18, 202. For these services, access to the computerized patient file is essential (ballistics, assays, reports, etc.).

Victim: Saint-Jean Oncology and Radiotherapy Center

Saint-Jean Oncology and Radiotherapy Center is located in Saint-Doulchard, France.

Reference: Cyberattack Center Saint-Jean
Incident: Cyberattack Shuts Down Operations at Precision Casting Foundry, Europea Microfusioni Aerospaziali

Europea Microfusioni Aerospaziali S.p.A, a leader in aerospace investment casting, was hacked on November 17 and forced to stop its production lines. ITV News reported on 23 November that a team of 40 technicians is working in the Altirpini plants, including experts sent by Rolls Royce and cyber security professionals. The team is working tirelessly to restore the servers. Telephone lines are also down at the moment. Some production departments have partially reopened, in line with the standards issued by Rolls Royce. The English multinational confirmed the cyber attack and the demanding restoration work, and promised an update on conditions in the shortest possible time.

Reference: Europea Microfusioni Aerospaziali Spa under cyber attack, 40 technicians working to restore the servers
Victim: Europea Microfusioni Aerospaziali S.p.A

Europea Microfusioni Aerospaziali S.p.A. is a high-precision foundry specializing in the production of rotor and stator blades for the gas turbines of major aircraft engines and for power generation.

Incident: Cyberattack hits Communauto Operations Already Struggling with Frustrated Customers

Canadian car-sharing company Communauto continues to have difficulties in its operations. On Monday, a cyberattack prevented users from starting or ending a ride with self-service Flex vehicles. The problem was resolved in the evening.

Communauto's users were already struggling to reserve a car, despite their subscription, due to a lack of availability, pushing some users to consider cancelling their subscription. The shortage of new cars is linked to supply difficulties affecting certain components; Communauto says it is looking for other solutions to acquire new vehicles.

Victim: Communauto

Communauto is a Canadian car-sharing company based in Montreal, Quebec, Canada, that operates in fifteen Canadian cities and Paris, France.

Incident: Outage at Leading Public Medical Institute in India affects Hundreds of Patients and Doctors

India’s leading public medical institute, All India Institute of Medical Services, or AIIMS, is experiencing outages following a cyberattack.

AIIMS officials told TechCrunch that patient care services have been badly impacted since early Wednesday. The medical institute moved to manual operations, including writing patient notes by hand, as the server recording patient data stopped working. The outages have resulted in long queues and errors in handling emergency cases and continued till Thursday.
Details of whether the attackers could access any patient data have yet to be publicly announced.

UPDATE [03Jul23]: A former cybersecurity chief says the ransomware attack on AIIMS prompted the government to create a cyber response framework. “A lot of lessons have come out from the incident from a government point of view, and these will, hopefully be implemented.” As reported by Hindustan Times.

Victim: AIIMS – All India Institute of Medical Services

India’s leading public medical institute: All India Institute of Medical Services (AIIMS)

Reference: India’s AIIMS hit by outages after cyberattack
Incident: Ransomware Attack at German Gas Pipeline Builder, Friedrich Vorwerk, Impacted Profitability

Friedrich Vorwerk, a group of companies that builds gas pipelines and thus critical infrastructure (KRITIS), was the victim of a cyber attack at the end of last year. Ransomware infected large parts of its IT and paralyzed it. The systems have been usable productively again since shortly before Christmas last year, the company said in response to an inquiry from heise online. "As a result of a cyber attack that was averted at the end of the year, profitability was also impacted and visibility restricted".

"During the approximately 4-week work to repair our IT infrastructure, our ERP system and other parts of the infrastructure were not available. Shortly before Christmas 2022, the main effects were remedied and the systems could be used productively again."

Incident: Downtime Caused by Cyberattack Final Straw for German Bicycle Manufacturer

On November 25, 2022, Prophete was the victim of a cyber attack. As a result, no production, invoicing or deliveries could take place for around three weeks.

The company stated there were "considerable problems in procurement, which in turn had an impact on sales and turnover. The warehouses are unusually full because the purchasing department has served the target figures. However, due to disrupted supply chains, required parts would not arrive and bicycles could not be fully assembled and delivered."

The company had planned sales of EUR 210 million, but only achieved EUR 159 million. In June last year Prophete held a financing round with its shareholders and lenders. However, their willingness to inject more money ended with the cyber criminals' break-in.

Victim: Prophete GmbH u. Co. KG

Prophete GmbH u. Co. KG was a German manufacturer of bicycles, e-bikes, scooters and supply parts, traditionally traded under the Prophete brand name. The company (including the subsidiary Cycle Union) employed a staff of about 400 people at four production sites.

Reference: Prophete and bicycle manufacturer: hackers loosen the wheel
Reference: Bicycle manufacturer: Prophete slipped into bankruptcy after cyber attack
Incident: Production Halted at Meat Processing Factory in Luxembourg

The Cobolux company fell victim to a cyberattack on November 25. As a result, the computers were paralyzed and it was no longer possible to label the products. "Our computer scientists worked all weekend and made it possible for us to continue working on Monday morning," explains general manager Paul Faltz. "We were able to stop production and deboning of the slaughtered animals," he says, which prevented damage to the meat. Since operations are generally at a standstill on Sundays, there was only a loss of production on Saturday.

Almost three months later, the bills have skyrocketed. "The damage was already over 100,000 euros at the time and is now estimated at between 400,000 and 500,000 euros," says Paul Faltz. "Production failures, the network and the ERP software had to be restored, lost data re-encrypted and investments made in an even more secure IT structure. All of these are the consequences of the attack."

The company supplies meat to butcher shops, supermarkets and restaurants throughout Luxembourg and the greater region.

Victim: Cobolux

Cobolux is a meat producer in Luxembourg.

Reference: How is Cobolux doing after the cyber attack?
Reference: Cyber attack temporarily paralyzes operations at Cobolux
Reference: Most Infrastructure as a Service Cloud providers hit by ransomware this year
Incident: Ransomware Attack at Colombian Multinational Healthcare Provider Disrupts Operations

The Keralty healthcare organization had its company and subsidiary websites and operations disrupted by a RansomHouse ransomware attack. The Colombian healthcare provider Keralty and its subsidiaries, EPS Sanitas and Colsanitas, suffered disruption to their IT operations, the scheduling of medical appointments and their websites. The IT outages have impacted Colombia’s healthcare system, where patients had to wait for over twelve hours to receive care and some fainted due to lack of medical attention.

Keralty is a Colombian healthcare provider and operates in Latin America, Spain, the US, and Asia.

Victim: Keralty Group

Keralty is a Colombian healthcare provider that operates an international network of 12 hospitals and 371 medical centers in Latin America, Spain, the US, and Asia. The group employs 24,000 people and 10,000 medical doctors who provide healthcare to over 6 million patients.

Reference: Cyberattack disrupts Keralty’s operations
Reference: RansomHouse attack disrupts multinational Colombian health provider
Reference: Keralty Ransomware attack disrupts Columbia’s Healthcare System
Incident: Restricted Operations at City of Drensteinfurt, Germany after Cyberattack

In the course of an ongoing police investigation, it was determined on Monday that a possible cybercrime attack on the city of Drensteinfurt was being prepared. This is currently being checked and the Münster police have been called in. To be on the safe side, all systems have been shut down.

The city administration will be available again by telephone from Wednesday, November 30th, 2022 during normal business hours. The disruption in the IT system continues and only limited operation without IT support is possible until further notice.

The Rinkerode branch will remain closed. The restrictions will last at least until December 9th, 2022. The systems are currently being checked and gradually put back into operation.

Victim: City of Drensteinfurt, Germany

City of Drensteinfurt, Germany

Reference: Restricted operation of the city administration
Incident: IT Systems Shut Down after Ransomware Attack at Glutz, a Swiss Specialist in Access Solutions

Glutz, a specialist in access solutions, fell victim to a ransomware attack at the end of November. Cyber criminals encrypted data on its systems, as the Solothurn-based company announced at the time. As a security measure, all internal IT systems were shut down.

"Since December 7th we have been working again in limited normal operation," writes CEO Marco Hauri in response to an inquiry. Telephony and e-mail communication could be used throughout. The costs incurred by the attack cannot be estimated at this time.

Victim: Glutz A.G.

Glutz, based in Switzerland, offers security solutions for access to buildings and objects, including access systems, locks and mechanical locking systems. The company is also represented in Austria, Germany and Great Britain.

Reference: Update: Cause of cyber attack on Glutz still unclear
Reference: Cyber incident at Glutz AG
Reference: Update: Läderach data appear on the dark web
Reference: Glutz AG is gradually returning to normal operations after the cyber incident
Victim: Uponor

Uponor Oyj is a global pioneer in intelligent plumbing and climate solutions that move water for buildings and infrastructure with customers in residential and commercial construction, municipalities and utilities, as well as different industries.

Uponor employs about 3,900 professionals in 26 countries in Europe and North America and Uponor’s products are sold in more than 80 countries. In 2021, Uponor's net sales totalled approximately €1.3 billion. Uponor Corporation is based in Finland and listed on Nasdaq Helsinki.

Incident: Operational Shutdown at Uponor, Global Intelligent Plumbing and Climate Solutions provider

On 5 November 2022, Uponor was subject to a ransomware attack, which impacted its operations in Europe and North America.

Uponor announced in its press release of 18 November 2022 that the company’s operations were still affected by the ransomware attack that occurred on 5 November. After the attack, the company took immediate action to investigate and remediate the situation. One of these actions was to shut down all systems and production as a precautionary measure. After one week of production shutdown, operating levels have started to recover, and customer deliveries have restarted in all divisions during the past week. Uponor’s current focus lies on accelerating operational performance back to the operating levels before the attack while protecting the company’s systems.

As the attack happened close to the end of the year, the ability to cover lost sales during 2022 remains uncertain. Therefore, Uponor is withdrawing its guidance for 2022 until there is better visibility on the operational ramp-up and sales coverage.

Reference: Profit warning: Uponor withdraws its guidance for 2022 following the cyber attack
Reference: Evidence of a data breach resulting from the ransomware attack on Uponor – the company is making progress on operations recovery
Incident: Ransomware Attack at Window and Door Manufacturer, PGT Innovations

Window and door manufacturer PGT Innovations recently disclosed that it "detected a ransomware infection that impacted portions of its network and caused disruption to daily business operations."

"We did recently discover that some of our information technology systems were affected by a security incident, which caused an interruption to our day-to-day business operations for two of our manufacturing locations,” company President and CEO Jeff Jackson says in the emailed statement. The company, in public filings, said it hadn’t found that any personal information had been accessed or acquired.

Reference: Prominent window manufacturer grapples with ransomware attack
Victim: PGT Innovations

PGT Innovations manufactures and supplies premium windows and doors. The company is based in Florida and had $1.16 billion in revenue in 2021.

Reference: Cyberattack on Continental
Incident: Ransomware Attack at Landi Renzo, an Automotive Fuel Supply System Manufacturer in Italy

Landi Renzo SpA was added to Hive’s leak site yesterday. In an email received by the Italian company the threat actors claimed to have infiltrated their network where they remained for 11 days, accessing files and documents before encrypting their servers. Hive claimed to have exfiltrated 534GB of data. The data includes proprietary information of the firm as well as personal information on employees and vendors.

DataBreaches sent an email inquiry to Landi Renzo yesterday; no reply had been received by publication time. Hive has seemingly given the firm until November 7 to negotiate or reach some agreement with them.

Reference: Landi Renzo S.p.A. victim of cyberattack by Hive
Victim: Landi Renzo SpA

Landi Renzo SpA is an Italian-headquartered firm that researches and manufactures eco-friendly automotive fuel supply systems.

Incident: Cyberattack at Osaka Hospital Halted Non-Emergency Services

Osaka General Medical Centre issued a statement that the ransomware attack temporarily disrupted the facility’s electronic medical record system. It has stopped providing outpatient care and postponed non-emergency surgeries. The medical centre’s Sumiyoshi Ward is still performing emergency operations.

Hospital staff noticed unusual activity in the hospital’s network in the early hours of October 31. Soon after, they received a message from the threat actors saying: “All files have been encrypted. Please pay in bitcoin for recovery. The amount depends on how quickly you email us.” Staff are working to restore the system and using paper medical records until the incident is resolved.

Reference: Ransomware attack on Osaka General’s network stalls critical surgeries & daily operations
Reference: Were hospital attacks in Osaka linked to a supply chain attack on lunch service by “Phobos?”
Victim: Osaka Hospital

Osaka General Medical Centre, operated by the Osaka Prefectural Hospital Organization, currently has 865 beds and 36 departments.

Reference: Osaka Hospital Halts Services After Ransomware Attack
Incident: All Networks Shut Down after ‘Large Scale Cyberattack’ in Guadeloupe

The French island of Guadeloupe is dealing with the aftereffects of a cyberattack. "As a security measure, all computer networks have been shut down to protect data and a diagnosis is underway," the French overseas region said in a statement on Monday. "A continuity of services plan has been put in place to ensure public services," the regional authorities said. “At present, we know that the overall management of high schools and public transport services are, for the moment, preserved,” officials said. The statement notes that the government is working with CNIL (France’s data protection authority) as well as France's National Information Systems Security Agency (ANSSI), the National Police and the Gendarmerie.

Victim: Island of Guadeloupe

Guadeloupe is an overseas department and region of France in the Caribbean consisting of six islands with a population of about 385,000.

Reference: French island shuts down all computer networks after cyberattack
Incident: Seville Urban Transportation affected by cyberattack

The urban transport company of Seville (Tussam) has suffered a cyberattack that disabled both the Tussam mobile application (App) and the information panels at bus stops that display the frequency of service of the different lines.

The Seville Urban Transport Company (TUSSAM) disclosed that both the mobile application and the information panels at bus stops were disabled as a result. Resorting to manual means guaranteed the provision of public service at all times. The operation of the App and the website remained offline.

Reference: Seville Urban Transportation affected by cyberattack
Victim: Seville Urban Transport Company (TUSSAM)

Seville Urban Transport Company (TUSSAM), Spain

Reference: A cyberattack disables the Tussam App and the information panels of the canopies
Incident: Operations Disrupted: Mexico Airport Internet Cables Cut

Passengers missed connections after thieves cut the fiber-optic cables leading into Mexico City airport, forcing immigration authorities to fall back on slow paper forms. Authorities said the thieves mistakenly took the fiber-optic cables for saleable copper. They stressed that the cut happened outside airport property, but it was in fact a cable conduit that leads directly into the airport from less than a mile away.

Rogelio Rodríguez Garduño, an aviation expert who teaches aeronautical law at Mexico’s National Autonomous University, said the events reflect a decades-long decay in Mexico’s aviation regulation. Mexico, unlike most countries, does not have an independent aviation agency.

Victim: Mexico City Airport

Mexico City Airport

Reference: Mexico’s domestic airline industry in shambles
Reference: Cyberattack causes shutdown at communication, transportation and aviation agencies
Reference: Carriers seek dialogue with the SICT after suspension of procedures for hacking
Reference: Mexican cyber-attack threatens to cripple road freight movements
Incident: Mexico’s Transportation Ministry Halts Commercial Trucking Services for 2 Months

Mexico’s transportation ministry has stopped issuing new permits, license plates and driver’s licenses for commercial truck operators until December 31 because of a cyberattack in late October, creating possible delays for transporters. Permits that expire in the meantime will be automatically extended until December 31, the agency added. Officials from Mexico’s trucking industry said SICT’s decision to delay issuing new permits and licenses could hurt the country’s domestic supply chain as well as cross-border trade with the United States.

“In cross-border transportation services, the American authority has the power to request the driver’s license — not having the registration of the procedure and the current document, supposes a large number of drivers and trucks that would be losing all opportunity to operate,” according to a news release from Mexico’s National Chamber of Freight Transport (CANACAR).

Victim: Secretariat of Infrastructure, Communications and Transportation (SICT)

Secretariat of Infrastructure, Communications and Transportation in Mexico

Reference: Cyberattack disrupts Mexico’s transportation systems
Incident: Sunwing Airlines Network Outage Caused by Cyberattack at Jeppesen, Owned by Boeing.

Sunwing confirmed that its third-party provider Jeppesen, which supplies navigational information, operations planning tools, flight planning products and software, was experiencing technical issues with its products. The outage caused delays to both northbound and southbound Sunwing flights that week.

Sunwing wasn’t alone – the outage hit “multiple carriers in North America,” the Toronto-based tour operator wrote on its Twitter account on Nov. 2, the day the system failed.

Reference: Cyberattack attack at Boeing Subsidiary Causes Widespread Flight Disruptions
Reference: Cyber attack on Boeing subsidiary behind Sunwing outage
Incident: ALMA Observatory Shutdown Impacts Scientists Worldwide

The Atacama Large Millimeter Array (ALMA) Observatory in Chile has suspended all astronomical observation operations and taken its public website offline following a cyberattack on Saturday, October 29, 2022. Email services at the observatory are currently limited, and IT specialists are working toward restoring the affected systems.

The observatory is used by scientists of the National Science Foundation, the European Southern Observatory, the National Astronomical Observatory of Japan, and other groups from around the world, so any halt in its operations impacts multiple science teams and ongoing projects.

Victim: ALMA Observatory

Atacama Large Millimeter Array (ALMA) Observatory in Chile. The ALMA observatory comprises 66 high-precision radio antennas (54 of 12 m and 12 of 7 m diameter) arranged in two arrays, located at an elevation of 5,000 m (16,400 ft) on the Chajnantor plateau. The project cost $1.4 billion, making it the world’s most expensive ground telescope, and it was developed through a multinational effort involving the United States, Europe, Canada, Japan, South Korea, Taiwan and Chile.

Reference: ALMA Observatory shuts down operations due to a cyberattack
Incident: Cyberattack Paralyzes Bulgarian Food Safety Agency Electronic Services

The Bulgarian Food Safety Agency (BFSA) is unable to provide electronic services because the Agency’s website and servers have come under a cyber attack, the BFSA said in a press release on Monday. The attack was detected on August 6, and the BFSA’s full range of functionalities and services are currently inaccessible.

Work is underway to restart the electronic services. The cyber attack does not affect the operation of Bulgarian border checkpoints, the BFSA specified.

Victim: Bulgarian Food Safety Agency (BFSA)

Bulgarian Food Safety Agency (BFSA)

Reference: Cyber Attack Disrupts Bulgarian Food Safety Agency’s e-Services
Incident: Attack on Satellite Firm Viasat Interrupted Wind Power Generation Systems

The first news of the attack on the KA-SAT high-throughput satellite network was posted on February 28. It was later revealed that the attack had occurred on February 24 and targeted the systems of Viasat, one of the largest commercial satellite operators. The company's statement said the attack caused a partial outage of its network, which affected internet access in Ukraine and in other European countries served by KA-SAT. The attack had an unexpected side effect: the KA-SAT downtime left Enercon, a German wind turbine company, without remote access to the controls of 5,800 wind turbines with a combined output of 11 GW.

In the event of a communication breakdown, solar and wind power plants automatically switch to a kind of "autopilot": the turbines keep running under local control, but the operator loses remote monitoring and the ability to adjust them until the link is restored.
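The "autopilot" behaviour covers the turbines themselves; the operator's problem is the reverse one, telling a common-cause backhaul outage (every site on the same satellite network going quiet at once) apart from a handful of individual site faults, because the two call for different responses. The following is an added example for this page, not code from Viasat, Enercon or any turbine vendor. It assumes each unmanned site sends a periodic heartbeat to a central monitor and that the monitor knows which backhaul each site uses; the site list, timestamps and thresholds are constructed for illustration.

```python
"""Triage loss of remote-telemetry links across a fleet of unmanned sites."""
from dataclasses import dataclass
from typing import Optional, Tuple

HEARTBEAT_TIMEOUT_S = 180      # no heartbeat for 3 minutes => link considered lost
COMMON_CAUSE_FRACTION = 0.30   # >= 30% of the fleet lost inside one window...
COMMON_CAUSE_WINDOW_S = 600    # ...with those losses falling within 10 minutes


@dataclass(frozen=True)
class Site:
    site_id: str
    backhaul: str        # e.g. "ka_sat", "lte", "fibre" (constructed labels)
    last_heartbeat: int  # unix seconds of the last heartbeat received


@dataclass(frozen=True)
class Assessment:
    verdict: str                     # "nominal", "isolated_faults" or "common_cause"
    affected: Tuple[str, ...]        # site ids the verdict applies to
    suspect_backhaul: Optional[str]  # set only for a common-cause verdict


def lost_links(sites, now, timeout_s=HEARTBEAT_TIMEOUT_S):
    """Sites whose last heartbeat is older than the timeout."""
    return [s for s in sites if now - s.last_heartbeat > timeout_s]


def largest_cluster(lost, window_s=COMMON_CAUSE_WINDOW_S):
    """Largest group of lost sites whose last heartbeats fall within one window.

    The timeout is the same for every site, so the spread of last heartbeats
    equals the spread of loss times; a sliding window over the sorted
    heartbeats therefore finds the biggest burst of simultaneous losses.
    """
    ordered = sorted(lost, key=lambda s: s.last_heartbeat)
    best, start = [], 0
    for end in range(len(ordered)):
        while ordered[end].last_heartbeat - ordered[start].last_heartbeat > window_s:
            start += 1
        if end - start + 1 > len(best):
            best = ordered[start:end + 1]
    return best


def assess(sites, now, timeout_s=HEARTBEAT_TIMEOUT_S,
           window_s=COMMON_CAUSE_WINDOW_S, fraction=COMMON_CAUSE_FRACTION):
    """Decide whether silent sites look like one upstream outage or separate faults."""
    lost = lost_links(sites, now, timeout_s)
    if not lost:
        return Assessment("nominal", (), None)
    burst = largest_cluster(lost, window_s)
    if len(burst) / len(sites) >= fraction:
        # Many sites went quiet together: check whether they share a backhaul.
        backhauls = {s.backhaul for s in burst}
        suspect = next(iter(backhauls)) if len(backhauls) == 1 else None
        return Assessment("common_cause", tuple(s.site_id for s in burst), suspect)
    return Assessment("isolated_faults", tuple(s.site_id for s in lost), None)


# Constructed fleet: six satellite-backhauled sites that all went quiet within a
# minute of each other, one LTE site that died much earlier, and three healthy sites.
NOW = 1_645_700_000
SAMPLE_FLEET = (
    [Site(f"WF-{i:02d}", "ka_sat", NOW - 2000 - 10 * i) for i in range(6)]
    + [Site("WF-06", "lte", NOW - 5000),
       Site("WF-07", "lte", NOW - 30),
       Site("WF-08", "fibre", NOW - 10),
       Site("WF-09", "fibre", NOW - 60)]
)

if __name__ == "__main__":
    result = assess(SAMPLE_FLEET, NOW)
    print(result.verdict, result.suspect_backhaul, result.affected)
```

A common-cause verdict with a single suspect backhaul is the signal to call the connectivity provider and keep field crews at home; an isolated-faults verdict is the opposite. The thresholds are site-specific and should be set from the fleet's normal heartbeat jitter, not copied from this example.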

Victim: Enercon

Enercon is a German wind turbine company.

Victim: Satellite firm Viasat

Satellite firm Viasat

Reference: Satellite firm Viasat probes suspected cyberattack in Ukraine and elsewhere
Reference: Satellite cyber attack paralyzes 11GW of German wind turbines
Incident: Systems at German Wind Turbine Servicing company Windtechnik Targeted

On April 11 the systems of Deutsche Windtechnik, a German wind turbine servicing company, were targeted by a cyberattack. The company was able to reactivate the remote data monitoring connections to the wind turbines after one to two days; the connections had been switched off for security reasons. "We are very happy that the wind turbines that we look after did not suffer any damage and were never in danger. Deutsche Windtechnik's operational maintenance activities for our clients resumed again on April 14 and are running with only minor restrictions. We were able to assess all IT systems in a secure environment and to identify and isolate the problems," the company stated on its website.

The company disclosed that the attackers had used ransomware only after Black Basta added Windtechnik to the victim list on its Tor leak site.

Reference: Cyber attack on Deutsche Windtechnik
Victim: Deutsche Windtechnik

Deutsche Windtechnik, a German wind turbine servicing company.

Incident: Operational Impact After Cyberattack at Tavr Food Processing Group in Russia

On March 24 Tavr, a major Russian food processing group in the Rostov region, was hit by a cyberattack. According to the official company statement, business processes, including production, were temporarily paralyzed and a significant economic loss was recorded. A company representative described the event as “meticulously planned and significant sabotage”. The company's activities are currently being carried out in a limited mode.

Reference: TAVR company was hacked
Victim: Tavr corporate group

Tavr is a major Russian food processing group in the Rostov region, a member of the Agrokom group of companies.

Incident: Russia’s Largest Meat Producer Hacked with BitLocker Ransomware

On March 18 Miratorg Holding, one of Russia’s largest meat producers, was attacked with ransomware that used Windows BitLocker as its encryptor. The attack hit warehouse and accounting IT resources and interrupted the processing pipeline for electronic veterinary documentation. Eighteen companies in the Miratorg group were affected.

The point of compromise was VetIS, a state information system used by veterinary services and by companies in the sector, which makes this likely a supply chain compromise. To reduce the impact, Rosselkhoznadzor (the federal agency regulating agricultural affairs) said it would assist Miratorg in transporting goods by temporarily lifting the strict documentation requirements for the movement of products: it would accept handwritten certificates and give access to the federal Mercury platform to issue formal papers where needed. To ease customer concerns about food safety during this period, Rosselkhoznadzor stressed that Miratorg has a good track record and that the exception was made with that in mind.

Rosselkhoznadzor announced that the group resumed normal operations on March 28. Unlike most ransomware attacks, the attackers made no ransom demand, so financial gain does not appear to have been the motive.

Malware: BitLocker ransomware

This is not a virus in the usual sense: the attackers abuse BitLocker, the drive-encryption feature built into Windows, as their encryptor (a living-off-the-land technique). BitLocker encrypts whole volumes rather than individual files, so once it is enabled on a volume with a password or recovery key that only the attacker holds, every volume they turned it on for becomes inaccessible at boot, with no per-file encryption and no custom encryptor for antivirus to flag.

A related variant creates a virtual disk (VHD) file, moves the victim's data into that virtual partition and then BitLocker-encrypts it; this is known as VHD Locker ransomware. Because BitLocker works on any volume Windows can mount, external hard drives, USB sticks and other storage media attached to the machine can be encrypted the same way.
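Because the encryptor is a signed Windows component, file-based antivirus has nothing to flag; the practical detections are the commands that enable BitLocker, add or delete key protectors, or lock a volume, taken from process-creation telemetry (Windows Security event 4688 or Sysmon event 1). The following is an added example for this page, not code from any vendor or from the incident reports above. It assumes those events have already been exported as dictionaries with `user` and `cmdline` keys, and the sample events are constructed.

```python
"""Hunt process-creation telemetry for BitLocker being driven by an attacker."""
import re
from dataclasses import dataclass
from typing import List


def _switch(*names):
    # A manage-bde switch as a whole token. "\b" is useless in front of "-",
    # so whitespace lookarounds mark the token edges instead.
    return r"(?<!\S)-(?:" + "|".join(names) + r")(?!\S)"


KEY_PROTECTOR = _switch("pw", "password", "rp", "recoverypassword")

# (technique, pattern) pairs for manage-bde.exe command lines.
MANAGE_BDE_RULES = [
    # Turning encryption on with a password or recovery password typed by the
    # operator: whoever ran this, not the owner, now holds the unlock secret.
    ("enable_with_attacker_protector",
     re.compile(_switch("on") + ".*" + KEY_PROTECTOR, re.I)),
    ("add_attacker_protector",
     re.compile(_switch("protectors") + ".*" + _switch("add") + ".*" + KEY_PROTECTOR, re.I)),
    # Deleting the TPM / auto-unlock protectors strips the owner's own way in.
    ("delete_protectors",
     re.compile(_switch("protectors") + ".*" + _switch("delete"), re.I)),
    ("force_recovery", re.compile(_switch("forcerecovery"), re.I)),
    ("lock_volume", re.compile(_switch("lock"), re.I)),
]

# The same operations through the BitLocker PowerShell cmdlets.
POWERSHELL_RULES = [
    ("enable_with_attacker_protector",
     re.compile(r"Enable-BitLocker\b.*-(?:Recovery)?PasswordProtector\b", re.I)),
    ("add_attacker_protector",
     re.compile(r"Add-BitLockerKeyProtector\b.*-(?:Recovery)?PasswordProtector\b", re.I)),
    ("delete_protectors", re.compile(r"Remove-BitLockerKeyProtector\b", re.I)),
    ("lock_volume", re.compile(r"Lock-BitLocker\b", re.I)),
]

# A drive letter used as an argument ("D:" followed by space, quote or end),
# as opposed to one inside a path such as C:\Windows\...
VOLUME = re.compile(r"""\b([A-Za-z]):(?=[\s"']|$)""")


@dataclass(frozen=True)
class Finding:
    user: str
    volume: str
    technique: str
    cmdline: str


def find_bitlocker_abuse(events) -> List[Finding]:
    """Return one Finding per (event, matched technique)."""
    findings = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        lowered = cmd.lower()
        rules = []
        if "manage-bde" in lowered:
            rules += MANAGE_BDE_RULES
        if "bitlocker" in lowered:  # every relevant cmdlet carries the word
            rules += POWERSHELL_RULES
        match = VOLUME.search(cmd)
        volume = match.group(1).upper() if match else "?"
        for technique, pattern in rules:
            if pattern.search(cmd):
                findings.append(Finding(ev.get("user", "?"), volume, technique, cmd))
    return findings


def volumes_at_risk(findings) -> List[str]:
    """Drive letters an attacker has started to encrypt, lock or strip of protectors."""
    return sorted({f.volume for f in findings})


# Constructed process-creation events (the fields a 4688 / Sysmon 1 export would give).
SAMPLE_EVENTS = [
    {"user": "CORP\\svc-mdm", "cmdline": r'"C:\Windows\System32\manage-bde.exe" -status C:'},
    {"user": "CORP\\it-helpdesk", "cmdline": r"notepad.exe C:\Users\Public\readme.txt"},
    {"user": "CORP\\backup-admin", "cmdline": r'"C:\Windows\System32\manage-bde.exe" -on D: -pw -UsedSpaceOnly'},
    {"user": "CORP\\backup-admin", "cmdline": r"manage-bde -protectors -delete C: -type TPM"},
    {"user": "CORP\\backup-admin", "cmdline": 'powershell.exe -nop -c "Enable-BitLocker -MountPoint E: '
                                              '-RecoveryPasswordProtector -UsedSpaceOnly"'},
    {"user": "CORP\\backup-admin", "cmdline": r"cmd.exe /c manage-bde -lock F: -ForceDismount"},
]

if __name__ == "__main__":
    for f in find_bitlocker_abuse(SAMPLE_EVENTS):
        print(f"{f.user:20} {f.volume}: {f.technique:32} {f.cmdline}")
```

Legitimate enablement by the endpoint-management service account will trip these rules too; tune on the account and parent process rather than dropping the rule. Escrowing BitLocker recovery passwords (Active Directory or Entra ID) is the other half of the defence, because `-protectors -delete` followed by an attacker-supplied password is exactly the sequence that leaves the owner with no key of their own.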

Reference: Top Russian meat producer hit with Windows BitLocker encryption attack
Victim: Miratorg Agribusiness Holding

Miratorg Agribusiness Holding is one of Russia's largest meat producers

Incident: Hackers Changed Temperature Settings at Frozen Food Facility in Russia

Hackers broke into the equipment-management system of the Selyatino agricultural hub in the Moscow region and tried to spoil 40,000 tons of frozen meat and fish. An unknown user with the nickname ‘Supervisor’ penetrated the remote refrigeration monitoring network and changed the temperature setpoints from -24 °C to +30 °C. The hub's security service prevented the damage. "At the moment, the operation of the installations has been restored. The equipment is disconnected from the Internet. The parameters are controlled locally, from a computer that is not connected to the Internet," the company said.
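A change from -24 °C to +30 °C on a frozen-goods chamber should never be accepted from a remote console in the first place, whatever credentials it presents. Below is an added example of a setpoint guard for a cold-store controller; it is not code from the Selyatino hub or any refrigeration vendor. It assumes each chamber has a product class with a known safe temperature envelope and that commands carry the current and requested setpoints; the envelopes, chambers and commands are constructed.

```python
"""Guard rail for remote temperature-setpoint changes in cold storage."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Envelope:
    low: float       # coldest setpoint the product tolerates, degrees C
    high: float      # warmest setpoint the product tolerates, degrees C
    max_step: float  # largest change one command may make, degrees C


# Assumed envelopes for the example. In a real plant these come from the
# product specification for what is stored in each chamber and live in the
# controller, not in the HMI the remote operator is typing into.
ENVELOPES: Dict[str, Envelope] = {
    "frozen_meat": Envelope(low=-30.0, high=-18.0, max_step=3.0),
    "chilled_fish": Envelope(low=-2.0, high=4.0, max_step=2.0),
}


@dataclass(frozen=True)
class SetpointCommand:
    chamber: str
    product_class: str
    operator: str
    current: float    # setpoint in effect now
    requested: float  # setpoint the operator asked for


def validate(cmd: SetpointCommand) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts: accept, hold (needs a second
    approver at the plant) or reject (outside the product envelope)."""
    env = ENVELOPES.get(cmd.product_class)
    if env is None:
        return "reject", f"no envelope defined for product class {cmd.product_class!r}"
    if not env.low <= cmd.requested <= env.high:
        return "reject", (f"{cmd.requested:+.1f} C is outside the "
                          f"[{env.low:+.1f}, {env.high:+.1f}] C envelope")
    delta = cmd.requested - cmd.current
    if abs(delta) > env.max_step:
        return "hold", f"step of {delta:+.1f} C exceeds {env.max_step:.1f} C per command"
    return "accept", "within envelope and step limit"


def screen(commands) -> List[Tuple[SetpointCommand, str, str]]:
    """Apply validate() to a batch of commands, keeping each command with its verdict."""
    return [(cmd, *validate(cmd)) for cmd in commands]


def operators_to_review(results) -> List[str]:
    """Operators who issued at least one rejected command. A setpoint outside
    the product envelope is an attack indicator rather than a typo, so the
    account is worth investigating instead of simply re-prompting."""
    return sorted({cmd.operator for cmd, verdict, _ in results if verdict == "reject"})


# Constructed commands. The second one mirrors the incident above: a remote
# "Supervisor" account pushing a frozen-meat chamber from -24 C to +30 C.
SAMPLE_COMMANDS = [
    SetpointCommand("A1", "frozen_meat", "shift_lead", current=-24.0, requested=-22.0),
    SetpointCommand("A1", "frozen_meat", "Supervisor", current=-24.0, requested=30.0),
    SetpointCommand("A2", "frozen_meat", "shift_lead", current=-24.0, requested=-19.0),
    SetpointCommand("B1", "chilled_fish", "shift_lead", current=0.0, requested=2.0),
    SetpointCommand("C1", "unknown", "maintenance", current=5.0, requested=5.0),
]

if __name__ == "__main__":
    for cmd, verdict, reason in screen(SAMPLE_COMMANDS):
        print(f"{cmd.chamber} {cmd.operator:12} {cmd.requested:+6.1f} C -> {verdict:6} ({reason})")
```

The guard belongs in the PLC/RTU or in a gateway in front of it, not in the monitoring application, so that it still holds when the application's credentials are stolen. The hub's own remedy, cutting the Internet path and controlling locally, removes the remote route entirely; a check like this complements that rather than replacing it.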

Reference: Attacks on Russian food processing organizations
Victim: Selyatino Agrohub

Selyatino Agrohub is a food processing facility in the Moscow region, Russia.

Reference: Hackers hacked the equipment of the agricultural hub “Selyatino”
Incident: Russian Electric Vehicle Chargers Hacked on M11 Highway as Political Protest

Russian electric vehicle charging points were hacked to display messages supporting Ukraine, and as a result stations along Russia's M-11 motorway between Moscow and Saint Petersburg were taken out of service.

According to a Facebook post by the Russian energy company Rosseti, the charging points were hacked by the Ukrainian company that had supplied some of their components. That company had left a backdoor in its systems and used it to make the charging points display the messages as error screens. It was not reported how many charging points were hacked or deactivated, or for how long they would be unavailable to EV drivers.

Victim: Russian energy company Rosseti

Russian energy company Rosseti

Reference: Hacked electric car charging stations in Russia display ‘Putin is a d*ckhead’ and ‘glory to Ukraine
Reference: Russian Electric Vehicle Chargers Hacked, Tell Users ‘PUTIN IS A DICKHEAD’
Reference: IHG hack: ‘Vindictive’ couple deleted hotel chain data for fun
Reference: Go North East taken offline as bus company hit by cyber attack
Reference: UK bus giant Go-Ahead battles ongoing cyberattack, reports incident to ICO
Reference: Bus and rail operator Go-Ahead Group confirms “cyber security incident”
Incident: Data Breach at Acer

Computer maker Acer suffered a data breach in mid-February after attackers gained access to a server hosting private documents used by repair technicians.
The Taiwan-based company said that so far there is no indication customer data was affected.
The company’s confirmation of the breach came after an attacker began selling what they claim is 160GB of data stolen from Acer in mid-February on a popular hacking forum, according to BleepingComputer. The attacker said the stolen data contains technical manuals, software tools, backend infrastructure details, product model documentation for phones, tablets and laptops, BIOS images, ROM files, ISO files and replacement digital product keys (RDPK).

Reference: Acer Hit In Data Breach
Incident: Third-Party Attack Hits Hitachi Energy

Hitachi Energy suffered unauthorized access to employee data in some countries after an attack by the Clop ransomware group that exploited a zero-day vulnerability in third-party software, Fortra's GoAnywhere MFT (managed file transfer) product, company officials said.
The vulnerability exploited in the attack is CVE-2023-0669, a remote code execution flaw that Fortra disclosed on February 1 after detecting attacks exploiting it. Fortra issued a patch a week later.

Reference: Hitachi Energy Discloses Third Party Attack
Victim: Hitachi Energy

Hitachi Energy is a global energy solution provider.

Incident: Ferrari Hit in Ransomware Attack

Italian sports car maker Ferrari S.p.A. reported on Monday that it had suffered a ransomware attack affecting client details; the company said operations were not affected.
Ferrari said it had been “recently contacted by a threat actor with a ransom demand related to certain client contact details. Upon receipt of the ransom demand, we immediately started an investigation in collaboration with a leading global third-party cybersecurity firm.”
Working with that firm, Ferrari was able to confirm that the stolen data was authentic.

Reference: Ferrari Suffers Ransomware Attack
Incident: Cyberattack at Intercontinental Hotel Group (IHG) disrupts Franchisees, Customers and Supply Chains

Leading hospitality company InterContinental Hotels Group says its IT systems have been disrupted after its network was breached. Customers reported widespread problems with booking and check-in. "Booking channels and other applications have been significantly disrupted since yesterday," IHG said in an official notice lodged with the London Stock Exchange.

The attack disrupted business at franchisees during September, leaving a trail of angry customers, lost income and a class-action lawsuit. The hack on the hotel group highlights the potential ripple effects for franchisees, customers and supply chains, reports the WSJ.

The hotel chain was also the target of a three-month security breach in 2017, between September 29 and December 29, when more than 1,200 InterContinental franchised hotels in the United States were affected. An IHG spokesperson declined to comment when contacted by BleepingComputer, saying that "outside of the statement, we don't have any more that we can say at the moment."

Reference: Cyberattack on InterContinental Hotels Disrupts Business at Franchisees
Victim: IHG – Intercontinental Hotels Group

IHG is a British multinational company that currently operates 6,028 hotels in more than 100 countries and has more than 1,800 in the development pipeline. Its brands include luxury, premium, and essential hotel chains such as InterContinental, Regent, Six Senses, Crowne Plaza, Holiday Inn, and many others.

Reference: InterContinental Hotels Group cyberattack disrupts booking systems
Reference: Holiday Inn bookings tank after suspected ransomware attack: franchisees
Incident: Cyberattack Closes City Hall in Denver Suburb

The demand was big: $5 million to unlock Wheat Ridge’s municipal data and computer systems seized by a shadowy overseas ransomware operation. The response was defiant: We’ll keep our money and fix the mess you made ourselves.

“The city has made the determination not to pay a ransom,” Amanda Harrison, a Wheat Ridge spokeswoman, said this week. It took three weeks from the Aug. 29 cyberattack for Wheat Ridge to determine that it had adequate redundancies and the know-how to put its databases and systems back into operation without the help of the hackers, who demanded payment in a hard-to-trace cryptocurrency known as Monero.

Following the attack, Wheat Ridge had to shut down its phones and email servers to assess the damage the cybercriminals had done to its network. That, in turn, prompted the city to close down City Hall to the public for more than a week.

Victim: Municipality of Wheat Ridge, Colorado

Municipality of Wheat Ridge, Colorado

Reference: Denver suburb won’t cough up millions in ransomware attack that closed city hall
Reference: Hive ransomware attacks Damart
Incident: Ransomware Attack at Electric Company of Ghana Left Customers Without Power for Days

Customers of the largest electricity seller in Ghana have been unable to buy power, and some have been without power for days. Hackers have altered source code and taken control of parts of the Electricity Company of Ghana (ECG) servers. The disruption is widespread and has left both domestic and commercial customers stranded. It is not yet known how the attackers gained access to the ECG servers.

Charles Nii Ayiku Ayiku, General Manager for external communications at the ECG, told Ghana Business News on September 30 that the ECG had stabilized its district offices and they were able to sell power to consumers. The systems used by third-party vendors, however, were still unstable. ECG extended its working hours so that all customers affected by the situation could buy power.

ECG operational areas in Volta, Kumasi, Accra, Takoradi, Tema, Cape Coast, Kasoa, Winneba, Swedru, Koforidua, Nkawkaw and Tafo were all affected, according to a statement issued by the ECG.

Victim: Electricity Company of Ghana (ECG)

Electricity Company of Ghana (ECG), the largest electricity seller in Ghana.

Reference: ECG audits system – Fears cyber attack
Reference: ECG systems hacked with ransomware
Incident: Ransomware Attack Cripples Bosnia and Herzegovina Parliament

The government of Bosnia and Herzegovina has suffered a significant cyber attack that has crippled the operations of the country’s parliament.

Commenting on the news, Julia O’Toole, CEO of MyCena Security Solutions, said, “According to reports, this has brought the parliament in Bosnia and Herzegovina to a complete standstill. The website for the parliament has been rendered completely inoperable, while MPs have been told not to even turn on their computers. But, the consequences of this attack are far greater than just digital downtime. While these services are down, parliament workers are unable to perform their jobs, which will have a knock-on effect on other services and society.”

Victim: Government of Bosnia and Herzegovina

Government of Bosnia and Herzegovina

Reference: Bosnia and Herzegovina investigating alleged ransomware attack on parliament
Reference: Ransomware attack disrupts Bosnia and Herzegovina Parliament servers, stalls operations for two weeks
Incident: Italian Waste Management Service IT Systems Down after Ransomware Attack

RHC reported that a second computer attack against Alia Servizi Ambientali SpA was intercepted six months after the first. Alia issued a statement on its website saying that it had temporarily taken IT systems offline and that "from the checks carried out, the company confirms that there have been no intrusions and/or compromise of functions or data."

Reportedly, the €400,000 ransom demanded was not paid. Systems were operational two days later.

Incident: Ransom Not Paid by Italian Chemical Producer Dollmar SpA

Ragnar Locker hit the Italian chemical company Dollmar SpA. The group leaked 35GB of data, including samples on the company's letterhead, to show that the data in its possession is genuine.

Publication on a data leak site generally occurs when the company has not paid the ransom. There have been no further updates.

Reference: Cyber ​​attack on the Italian Dollmar Spa by Ragnar Locker
Victim: Dollmar SpA

Dollmar S.p.A. has been a European leader in the distribution of industrial chemicals for over 70 years.

Reference: The Italian Alia Servizi Ambientali suffers a new cyber attack
Reference: Full operation of the Call Center and Tari branches restored after the attempt to access the information systems
Victim: Alia Servizi Ambientali SpA

Alia Servizi Ambientali SpA collects municipal waste in the Florence area and across Tuscany. It is active in 59 Tuscan municipalities, serves 1.5 million customers and is the fifth-largest Italian company in the sector, with 1,800 employees and €225 million in revenue. The company website describes it as a "multi-utility of local public services: environmental, integrated water cycle and energy sectors."

Victim: Unknown hotel

An unnamed hotel in Israel.

Reference: GhostSec Strikes Again in Israel Alleging Water Safety Breach
Incident: Operations Impacted at Swiss Chocolate Manufacturer Läderach

The Swiss chocolatier Läderach became the target of a cyber attack on 5 September. The responsible authorities were informed immediately.

Production, logistics and administration in particular are currently affected by the cyber attack. The use of internal tools and communication channels has been reduced to a minimum as a precautionary measure. "In production, it is still possible to work completely except for a sub-area," the company specifies on request.

UPDATE 10Nov22: The logistics are now also working again and the backlogs in deliveries have already been partially made up. "Since the cash register systems are still impaired, we resort to workarounds (use of cash sales, credit card terminals)," writes Läderach.

Victim: Läderach

Founded in 1962, the family company is headquartered in the canton of Glarus in Switzerland. Läderach monitors the entire production process from the cocoa bean to the shop counter and produces exclusively in Switzerland.

Reference: Laderach affected by cyberattack
Incident: Cyberattack at Major UK Transport Companies Affecting Bus Scheduling Services

UK travel company Go-Ahead Group has confirmed that it is dealing with an ongoing cyberattack reportedly affecting software used to schedule bus drivers and services.

The issues became more widespread on Monday, affecting several back-office systems, including bus-service scheduling and payroll software. The firm said the software used to schedule bus services was hit but that Thameslink rail operations were not affected. Go-Ahead said it was working with IBM to activate backup systems so that its bus services could keep running.

The cyber-attack does not affect its rail business, which runs on separate systems and is operating normally in the UK and abroad.

Victim: Go-Ahead

Go-Ahead runs Great Northern, Thameslink, Gatwick Express and Southern rail and also operates rail services in Norway and Germany. It runs nearly a quarter of London’s buses as well as bus services in southern and eastern England, and also has bus contracts in Singapore, Sweden and Ireland.

Reference: Major UK transport company Go-Ahead battles cyber-attack
Victim: Yandex Taxi

The largest taxi service in Russia.

Reference: Anonymous hacked Yandex taxi causing a massive traffic jam in Moscow
Incident: Hack at Largest Taxi Service in Russia Caused Chaos in Moscow Traffic

In a bizarre incident, hackers broke into the software of the ride-hailing service Yandex Taxi and sent dozens of cars to the same location, causing a traffic jam that lasted three hours. According to cyber experts, the attackers bypassed Yandex’s controls and generated many fake ride requests that directed drivers to the same location at the same time.

The Twitter page of Anonymous TV claimed that the hacking group Anonymous was behind the data breach. The Anonymous collective is part of a large-scale hacking campaign against Russia, called ‘OpRussia’.
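The manipulation works because each fake request looks legitimate on its own; what gives it away is the aggregate, many requests converging on one destination inside a short window. Below is an added example of that check. It is not Yandex code and is not based on any knowledge of Yandex's systems; it assumes a stream of ride requests carrying a timestamp, an account id and destination coordinates, and the coordinates, timestamps and thresholds are constructed.

```python
"""Flag bursts of ride requests converging on one destination."""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Set, Tuple

CELL_DEG = 0.001   # grid cell of roughly 100 m north-south (assumption for the example)
WINDOW_S = 600     # look for convergence inside a 10-minute window
THRESHOLD = 10     # requests to one cell in one window worth holding for review


@dataclass(frozen=True)
class RideRequest:
    request_id: str
    ts: int           # unix seconds
    account_id: str
    dest_lat: float
    dest_lon: float


@dataclass(frozen=True)
class Flood:
    cell: Tuple[int, int]
    first_ts: int
    last_ts: int
    count: int
    distinct_accounts: int
    request_ids: Tuple[str, ...]


def cell_of(lat: float, lon: float) -> Tuple[int, int]:
    """Snap a coordinate to a grid cell so nearby destinations aggregate."""
    return (math.floor(lat / CELL_DEG), math.floor(lon / CELL_DEG))


def find_destination_floods(requests, window_s=WINDOW_S, threshold=THRESHOLD) -> List[Flood]:
    """For each destination cell, find the densest window of requests and
    report it when it reaches the threshold."""
    by_cell = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.ts):
        by_cell[cell_of(r.dest_lat, r.dest_lon)].append(r)

    floods = []
    for cell, reqs in by_cell.items():
        best = (0, 0, -1)  # (count, start index, end index) of the densest window
        start = 0
        for end in range(len(reqs)):
            while reqs[end].ts - reqs[start].ts > window_s:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count >= threshold:
            burst = reqs[s:e + 1]
            floods.append(Flood(cell, burst[0].ts, burst[-1].ts, count,
                                len({r.account_id for r in burst}),
                                tuple(r.request_id for r in burst)))
    return floods


def requests_to_hold(floods) -> Set[str]:
    """Request ids to park for manual confirmation instead of dispatching."""
    return {rid for f in floods for rid in f.request_ids}


# Constructed traffic: 25 requests from 25 accounts to the same block within
# five minutes, plus eight ordinary requests scattered across the city.
BASE_TS = 1_662_000_000
SAMPLE_REQUESTS = (
    [RideRequest(f"req-{i:03d}", BASE_TS + 12 * i, f"acct-{i:03d}",
                 55.7522 + (i % 5) * 0.00002, 37.6156 + (i % 3) * 0.00002)
     for i in range(25)]
    + [RideRequest(f"bg-{k}", BASE_TS + 60 * k, f"acct-bg-{k}",
                   55.70 + 0.01 * k, 37.50 + 0.01 * k) for k in range(8)]
)

if __name__ == "__main__":
    for flood in find_destination_floods(SAMPLE_REQUESTS):
        print(f"cell {flood.cell}: {flood.count} requests from "
              f"{flood.distinct_accounts} accounts in {flood.last_ts - flood.first_ts} s")
```

A high `distinct_accounts` count for a flood is the interesting case: one account spamming requests is trivially rate-limited, whereas many freshly created accounts converging on one spot points at automation behind the requests. Genuine surges (a stadium emptying) also trip this rule, so the action is to hold and confirm, not to drop outright.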

Reference: Hackers send cabs to same location in Russia, creates huge traffic jam
Incident: Ransomware Attack at Dutch Maritime Global Logistics Company

Dutch maritime logistics company Royal Dirkzwager confirmed that it was hit with ransomware from the Play group, the latest in a string of attacks targeting the shipping industry. Company CEO Joan Blaas told The Record that the attack did not affect operations; it involved the theft of data from servers that held a range of contracts and personal information. Blaas confirmed that the Dutch Data Protection Authority has been notified of the attack and said he is in negotiations with the cybercriminals.

Victim: Royal Dirkzwager

Founded in 1872 in The Netherlands, Royal Dirkzwager provides information to more than 800 organizations in the maritime industry and registers more than 200,000 ship movements a year. Its systems allow ports to know when ships will arrive and what nautical services will be available when they make it to a port.

Reference: Dutch shipping giant Royal Dirkzwager confirms Play ransomware attack
Incident: Major Airlines Affected in Massive Supply Chain Attack at Technology Giant SITA.

SITA, an airline technology and communication provider that operates passenger processing systems for airlines, was the victim of a cyber-attack involving passenger data. SITA serves 90% of the world's airlines and disclosed that among the airlines affected were various major airlines including Air India, Finnair, Japan Airlines, Jeju Air, Lufthansa, Malaysia Airlines, Singapore Airlines and Cathay Pacific.

Singapore Airlines reported that 580,000 of its frequent flyer members were compromised in the attack and Air India estimated that personal data relating to 4.5 million of its passengers was stolen.

Reference: Aviation IT Giant SITA Breached in Extensive Supply Chain Attack; Frequent Flier Programs of Major Airlines Compromised
Victim: SITA

SITA is a multinational information technology company providing IT and telecommunication services to the global air transport industry.

Reference: SITA falls victim to cyber-attack
Incident: Russian Federal Air Transport Agency Forced to Resort to Manual Operations after Cyberattack

A cyberattack on the infrastructure of the Russian Federal Air Transport Agency (Rosaviatsia) allegedly erased all documents, files, aircraft registration data and emails from the agency's servers, roughly 65 terabytes of data in total. An unidentified group, presumed to be the Anonymous collective, carried out the attack.

Until backup copies of the electronic data could be located, the agency was forced to fall back on pen and paper and to send information in hard copy through the post. There are reports that the loss may be irretrievable: sources claim that, because of a lack of government funds, many files at Rosaviatsia were never backed up.

Reference: Hackers Target Russian Federal Air Transport Agency
Reference: Russia’s air transport agency affected by cyberattacks
Victim: Rosaviatsiya – Russian Federal Air Transport Agency

Russian Federal Air Transport Agency

Incident: Data Breach at Air-Conditioner Manufacturer

On August 4, 2022, Friedrich Air Conditioning, LLC reported a data breach with the Office of the Attorney General of Vermont. The breach resulted in the names and Social Security numbers being compromised.

Victim: Friedrich Air Conditioning

Founded in 1883 and based in San Antonio, Texas, Friedrich Air Conditioning, LLC manufactures air conditioner units as well as air purifiers and dehumidifiers. It employs more than 138 people and has approximately $27 million in annual revenue.

Reference: Friedrich Air Conditioning, LLC Announces Data Breach
Incident: Data Breach at Surgical Product Manufacturer in Savannah, Georgia

On August 17, 2022, Brasseler USA (“Brasseler”) reported a data breach to the Montana Department of Justice after an unauthorized party gained access to the company’s computer network. According to Brasseler, the breach compromised consumer information including names, Social Security numbers, driver’s license numbers, passport numbers, financial account information, and medical and insurance information.

After confirming the breach and identifying all affected parties, Peter Brasseler Holdings, LLC began sending out data breach letters to all affected parties.

Reference: Brasseler USA Announces Data Breach
Victim: Brasseler USA

Founded in 1976, Brasseler USA is a dental and surgical product manufacturer based in Savannah, Georgia and designs and manufactures a wide range of products. Peter Brasseler Holdings, LLC employs more than 309 people and generates approximately $83 million in annual revenue.

Incident: Data Breach at Agricultural Mineral Powder Manufacturer in Iowa

Calcium Products, Inc. reported a data breach with the office of the Attorney General of Massachusetts after the company experienced a “data security incident." On August 17, 2022, Calcium Products sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. The company did not explain how consumers’ data was compromised or the data types that may have been subject to unauthorized access.

Reference: Calcium Products, Inc. Confirms Recent Data Breach
Victim: Calcium Products

Calcium Products, Inc. is a manufacturing company based in Ames, Iowa. The company specializes in making superfine mineral powders for use in various agriculture applications. Some of the company’s products include pelletized limestone, pelletized gypsum, aglime and professional turf. Calcium Products employs more than 97 people and generates approximately $19 million in annual revenue.

Victim: National Petroleum Company (ENAP), Chile

National Petroleum Company (ENAP), Chile

Reference: Hackers violate ENAP systems and access secret information in an international fraud attempt
Incident: Systems Offline at Brazil’s National Agency for Petroleum

The announcement on the agency's websites states that systems are unavailable because of an attempted cyberattack that took place last Thursday (4/8). As a security measure, all systems were taken offline to assess the risks to the agency's cybersecurity. Among the unavailable systems are the weekly price survey, the document registration systems for dealer stations (SRD-PR) and LPG dealers (SRD-GLP), and the Electronic Information System (SEI), among others.

Victim: ANP – Brazil National Agency for Petroleum, Natural Gas and Biofuels

Part of Ministry of Mines and Energy, Brazil

Reference: Announcement: ANP works to resume its systems
Reference: Announcement: ANP systems are down
Incident: Romanian Gas Stations Affected by Suspected Ransomware Attack.

Rompetrol, a Romanian gas station chain and part of KMG International, has confirmed it was subject to a “complex cyber-attack”. The company suspended operations of its website and its Fill&Go service at its gas stations. Operations at the gas stations remain normal with payment accepted by either cash or card. The company noted that the activity at Petromidia refinery, the largest oil refinery in Europe and operated by Rompetrol, has not been affected.

Romania’s National Cyber Security Directorate (DNSC) had been notified on 7 March by Rompetrol of the complex cyber-attack. As of 9 March, the website remains unreachable.

Victim: Rompetrol

Rompetrol is a Romanian gas station chain and part of KMG International.
Rompetrol operates the Petromidia refinery, the largest oil refinery in Europe.

Reference: Romanian oil company hit by ‘complex cyber-attack’
Threat Actor: Yanluowang ransomware group

Yanluowang is named after the Chinese and Buddhist mythological figure Yanluo Wang, but leaked chat data in Oct. '22 revealed that those involved in the organization spoke Russian. The leak appears to have shut down the group for the time being in Nov '22.

Reference: Cisco discloses a security breach, the Yanluowang ransomware group breached its corporate network in late May and stole internal data.
Incident: Entire System of Global Energy Provider ista International Hacked in Two Days

ista International GmbH announced a cyber attack on its website. All affected IT systems were initially taken offline, resulting in various functions and services being unavailable. The company’s customer portal and email functionality are switched off. ista asks customers to refrain from contacting it: “We will inform them immediately via our website when the contact options are available again .. you will temporarily be limited or unable to use certain functions and services.”

ista describes the company: "..we already have 400,000 gateways in use for our customers that link over 25 million connected devices to each other". Daixin Team states they went through one of those gateways and took control of the entire system in two days.

ista International takes care of about 30 million networked devices in 22 countries in the field of sub-metering.

Victim: ista International GmbH

ista International GmbH provides submetering and billing of water and energy consumption. The company offers heat allocation, water, and communication meters, installation systems, and smoke detectors. ista International caters its services to property managers, homeowners, and energy utilities worldwide.

Reference: SCOOP: ista International takes systems offline in wake of ransomware attack; Daixin Team claims thousands of servers encrypted
Reference: Cyber attack on ista paralyzes systems
Incident: Global Airline Technology Provider Accelya Hacked by AlphV/Black Cat.

Accelya, a technology provider for many of the world’s largest airlines, said it recently dealt with a ransomware attack impacting some of its systems.

Accelya provides services to Delta, British Airways, JetBlue, United, Virgin Atlantic, American Airlines and many more. The company confirmed Tuesday that company data was posted on a ransomware leak site. The AlphV/Black Cat ransomware group published data it allegedly stole from Accelya last Thursday. The group claimed to have stolen emails, worker contracts and more.

Victim: Accelya

Global technology and service provider to the air transport industry. Headquartered in Spain with over 250 airline customers and operations spread across nine countries, employing over 2,000 professionals worldwide.

Reference: Major airline technology provider Accelya attacked by ransomware group
Incident: Cyberattack at Singapore Specialist Shipbuilder: Sembcorp Marine

Singapore shipbuilder Sembcorp Marine has suffered a cyberattack that left information on employees and operations compromised. It said this cyber attack involved an unauthorised party accessing part of its IT network via third-party software products.

“Based on investigations and impact assessment to-date by the company and its cyber-security experts, the incident and related risks have been effectively addressed,” said Sembcorp. “The company’s business operations remained unaffected throughout.”

Victim: Sembcorp Marine

Singapore specialist ship and offshore rig builder, converter and repairer

Reference: Sembcorp Marine reports cyber incident; moves to address incident and support affected stakeholders
Reference: Sembcorp Marine addresses cyber-security incident
Reference: Sembmarine Reports Cyber Breach Affecting Information on Personnel
Reference: Italy warns of cyberattacks on energy industry after Eni, GSE incidents
Incident: GSE, Italy’s Energy Services Firm, Temporarily Takes Portals Offline

Italy's energy services firm GSE confirmed a hacking attack on its IT systems. GSE stated its gas purchases were not affected. The company added its website and portals were temporarily suspended to secure data.

The BlackCat ransomware group took credit for the attack on GSE, claiming to have stolen more than 700 GB of data from the agency.

Victim: GSE – Gestore dei Servizi Energetici

GSE is responsible for renewable energy in Italy.

Reference: Italy’s GSE says gas purchases guaranteed despite cyber attack
Incident: TAP Air Portugal Hit by Ragnar Locker Ransomware Gang

The Ragnar Locker ransomware gang has claimed an attack on the flag carrier of Portugal, TAP Air Portugal. The airline disclosed this after its systems were hit on Thursday night. TAP initially said the attack was blocked. The company said it found no evidence indicating the attackers gained access to customer information stored on impacted servers.

In September the airline told customers that hackers had stolen some of their personal data and published it on the dark web. The state-owned airline said all payment details appeared to be safe.

Victim: TAP Air Portugal

Portugal's flagship air carrier

Reference: Portugal’s TAP says hackers stole, published passengers’ personal data
Reference: Ragnar Locker ransomware claims attack on Portugal’s flag airline
Incident: System Outage at Apex Capital Affects Medium and Small Size Trucking Companies’ Operations

Apex Capital and its subsidiary, TCS Fuel, confirmed that both companies’ systems were targeted in a malware attack. Small-business truckers were unable to log on to the companies’ systems, fuel their trucks or access funds to pay their owner-operators.

“We were infected by malware, and we are continuing to work around the clock to get our systems back online,” Sherry Leigh, chief product and marketing officer at Apex said in an email. “The good news is our core systems and client databases remain intact and we are successfully bringing our processing back online. However, this continues to be a slow process.”

Systems were offline for a week. Leigh declined to comment about what data may have been stolen by the hackers who accessed Apex’s system.

Victim: Apex Capital

Financial services for trucking companies, a "full-service freight factor", meaning it buys its clients' freight bills and offers support services such as fuel cards.

Reference: Ransomware target Apex Capital declares systems ‘back up and running’
Reference: Apex Capital blames malware attack for ‘unplanned system outage’
Incident: Cyberattack at the Chinese Subsidiary of a German Furniture Manufacturer

A Chinese production site of the Hettich Group has become the victim of a cyber attack. As yet unknown attackers have hacked the internal networks and deposited malware there. The company's website states: "It is not yet possible to say when the Chinese subsidiary will be able to fully access all IT systems again. Local production in China is continuing. As far as we know at present, other companies in the Hettich Group are not affected. From today's point of view, the ability to deliver to our customers outside China is not limited."

Reference: Hettich subsidiary in China hit by cyber attack
Victim: Hettich Group

The Hettich Group is one of the world's leading manufacturers of furniture fittings. The company's headquarters are located in the eastern Westphalian town of Kirchlengern. In 2015, 5,900 employees worldwide worked for Hettich, of which more than 3,000 were in Germany. The company has 38 subsidiaries worldwide. Hettich is family-owned.

Incident: Ransomware Attack at Dish Network

Satellite TV behemoth Dish Network experienced a network outage last week that was the result of a ransomware attack, company officials said in an 8-K filing to the Securities and Exchange Commission (SEC). The attack appeared to affect the Dish Anywhere app, Boost Mobile (a subsidiary owned by Dish Wireless), and other websites and networks owned and operated by Dish Network. Customers also said the company’s call center phone numbers were unreachable. The attack affected 296,000 individuals.

Dish Network faces multiple class action lawsuits for allegedly making "materially false and misleading statements." The legal actions seek to recover damages for investors who purchased or acquired Dish Network securities between Feb. 22, 2021 and Feb. 27, 2023.

Reference: Dish Network confirms ransomware attack behind multi-day outage
Reference: Dish Network Reveals Ransomware Attack
Victim: Dish Network

“On February 23, 2023, DISH Network Corporation (the “Corporation”) announced on its earnings call that the Corporation had experienced a network outage that affected internal servers and IT telephony. The Corporation immediately activated its incident response and business continuity plans designed to contain, assess and remediate the situation. The services of cyber-security experts and outside advisors were retained to assist in the evaluation of the situation. The Corporation has determined that the outage was due to a cyber-security incident and notified appropriate law enforcement authorities.
“On February 27, 2023, the Corporation became aware that certain data was extracted from the Corporation’s IT systems as part of this incident.”

Incident: Dole Suffers Ransomware Attack

Ransomware forced produce giant Dole to shut down production plants in North America and halt food shipments to grocery stores, company officials said.
The attack impacted about half of Dole’s legacy company’s servers and one-quarter of its end-user computers.

On May 18 Dole stated that the February ransomware attack cost $10.5 million in direct costs. About $4.8 million of those costs were related to continuing operations.

Reference: Cyberattack on food giant Dole temporarily shuts down North America production, company memo says
Reference: Dole Hit In Ransomware Attack
Victim: Dole Food Company

The multibillion-dollar company – officially known as Dole Plc after a 2021 merger between Dole Food Company and Ireland’s Total Produce – sources produce from dozens of countries around the world.

Incident: Hackers Had Weeks of Undetected Data Access at Pepsi Bottling Ventures

Pepsi Bottling Ventures LLC suffered a data breach caused by a network intrusion that resulted in the installation of information-stealing malware and the extraction of data from its IT systems.

The incident, Pepsi Bottling Ventures says, was discovered on January 10, but the investigation that was launched into the matter revealed that attackers gained access to the company’s network on December 23. The unauthorized access was blocked on January 19.

While dwelling in Pepsi Bottling Ventures’ network, the attackers deployed malware and downloaded information stored on the systems they had access to.

Stolen personal information includes names, addresses, email addresses, financial information, Social Security numbers, driver’s license numbers, ID card and password information, benefits information, health insurance information, medical history, health and health insurance claims, and digital signatures.

Reference: Pepsi Bottling Ventures Breached Following Malware Attack
Reference: Pepsi Bottling Ventures suffers data breach after malware attack
Victim: Pepsi Bottling Ventures LLC

Pepsi Bottling Ventures LLC is the largest bottler of Pepsi-Cola beverages in the US, responsible for manufacturing, selling, and distributing popular consumer brands and operates 18 bottling facilities across North and South Carolina, Virginia, Maryland, and Delaware.

Incident: MKS Suspends Operations to Contain Ransomware Attack

MKS Instruments Inc is investigating a ransomware attack and is temporarily suspending operations at some of its facilities. “The incident has affected certain business systems, including production-related systems, and as part of the containment effort, the company has elected to temporarily suspend operations at certain of its facilities”, Kathleen F Burke, senior vice president, general counsel and secretary at MKS Instruments, said in the SEC filing.

The ransomware incident was reported just a day after national cybersecurity agencies and security experts around the world warned about a global ransomware attack that hit thousands of servers running VMware ESXi.

Applied Materials, Samsung Electronics Co., Taiwan Semiconductor Manufacturing Co., Intel Corp. and ASML Holding NV are among MKS Instruments' customers. Applied Materials reported it will take a $250M hit to sales this quarter due to a cyberattack at one of its (unidentified) suppliers.

Reference: MKS Instruments falls victim to ransomware attack
Victim: MKS Instruments

MKS Instruments is an Andover, Massachusetts-based provider of subsystems for semiconductor manufacturing, wafer level packaging, package substrate and printed circuit boards. MKS Instruments reportedly has 5,400 employees and a market capitalization of about $11 billion. As of 2021, sixty percent of the company's sales are from semiconductor products.

Reference: Applied Materials’ Sales Shortfall Linked to Cyberattack at MKS
Reference: Chip equipment maker MKS Instruments says it is investigating ransomware attack
Incident: Business Operations Offline at Burton Snowboards Manufacturing after Cyberattack

Burton Snowboards has canceled all online orders following what it describes as a "cyber incident." "We are currently experiencing a system outage due to a recent cyber incident and are unable to process online orders at this time," the snowboarding brand says in a prominent alert on its website. While the company is working on restoring business operations that were impacted, orders are no longer being processed. The company did not provide details on the nature of this "cyber incident" but will likely update its statement once the ongoing investigation is concluded.

Update June 2023: Burton Snowboards notified customers sensitive information was "potentially" accessed or stolen in February "cyber incident." The company reset the passwords of accounts linked to affected customers.

Victim: Burton Snowboards

Founded in 1977 by Jake Burton Carpenter, Burton is now one of the most well-known snowboard brands and its products are sold in thousands of stores worldwide. Burton's headquarters are in Burlington, Vermont, but it also has offices in Australia, Austria, Canada, California, China, and Japan.

Reference: Burton Snowboards cancels online orders after ‘cyber incident’
Incident: Ransomware Attack impacts City of Oakland, State of Emergency Activated

Oakland has declared a local state of emergency because of the impact of a ransomware attack. The state of emergency was declared to allow the City of Oakland to expedite orders, materials and equipment procurement, and to activate emergency workers when needed. The ransomware attack impacted non-emergency services only, but many systems that were taken down immediately to contain the threat are still offline a week later.

Victim: City of Oakland, CA

City of Oakland, CA

Reference: City of Oakland declares state of emergency after ransomware attack
Incident: Data breach at Scandinavian Airlines

Scandinavian Airlines (SAS) has posted a notice warning that a cyberattack caused some form of malfunction in the airline's online system. The attack caused passenger data to become visible to other passengers. This data includes contact details, previous and upcoming flights, as well as the last four digits of the credit card number.

The attack on SAS was claimed by a group of so-called hacktivists called 'Anonymous Sudan'. The hackers stated they attacked SAS due to an event that took place in front of the Turkish embassy in Stockholm, Sweden.

Victim: Scandinavian Airlines (SAS)

SAS operates a fleet of 131 aircraft and flies to 168 destinations.

Reference: Scandinavian Airlines says cyberattack caused passenger data leak
Incident: Customer Data Breach at KLM and Air France

Air France and KLM have informed Flying Blue customers that some of their personal information was exposed after their accounts were breached. Air France and KLM confirmed the data breach in a statement sent to BleepingComputer and said that customers' sensitive data, such as passport or credit card numbers, was not exposed. The two airlines said that they also reported the incident to their countries' data protection authorities.

Flying Blue is a loyalty program allowing clients of multiple airlines, including Air France, KLM, Transavia, Aircalin, Kenya Airways, and TAROM, to exchange loyalty points for various rewards.

Victim: KLM

Royal Dutch Airlines

Victim: Air France

Air France

Reference: Air France and KLM notify customers of account hacks
Incident: Attempted Cyberattacks at Nuclear Research Laboratories in US in Summer ’22.

A Russian hacking team known as Cold River targeted three nuclear research laboratories in the United States this past summer, according to internet records reviewed by Reuters and five cyber security experts.
Between August and September Cold River targeted the Brookhaven (BNL), Argonne (ANL) and Lawrence Livermore National Laboratories (LLNL), according to internet records that showed the hackers creating fake login pages for each institution and emailing nuclear scientists in a bid to make them reveal their passwords.

Reuters was unable to determine why the labs were targeted or if any attempted intrusion was successful. A BNL spokesperson declined to comment. LLNL did not respond to a request for comment. An ANL spokesperson referred questions to the U.S. Department of Energy, which declined to comment.

Victim: Lawrence Livermore National Laboratory – LLNL

LLNL is a premier research and development institution for science and technology applied to USA national security.

Victim: Argonne National Laboratory – ANL

Argonne National Laboratory is a science and engineering research national laboratory.

Victim: Brookhaven National Laboratory – BNL

Research at BNL includes nuclear and high energy physics, energy science and technology, environmental and bioscience, nanoscience, and national security.

Threat Actor: Cold River

Cold River, a Russian hacking team that first appeared on the radar after targeting Britain’s foreign office in 2016, has been involved in dozens of other high-profile hacking incidents in recent years. Reuters traced email accounts used in its hacking operations between 2015 and 2020 to an IT worker in the Russian city of Syktyvkar.

Reference: Report: Brookhaven National Laboratory victim of attempted Russian cyberattack
Reference: Exclusive: Russian hackers targeted U.S. nuclear scientists
Incident: Vice Society Claims it Stole Leaked Data from San Francisco’s Bay Area Rapid Transit – BART

Vice Society, a prolific ransomware group, leaked data it claims to have stolen from San Francisco’s Bay Area Rapid Transit. BART's spokesperson Alicia Trost: "We are investigating the data that has been posted." "To be clear, no BART services or internal business systems have been impacted. As with other government agencies, we are taking all necessary precautions to respond." Trost did not say whether ransomware was involved nor when the incident occurred.

The transit sector remains highly vulnerable. “They have the worst security by far generally. It’s run on tax money and it’s run as a bureaucracy, and their mission is to deliver transit,” which means they often don’t spend enough on cybersecurity or properly assess the risk, according to Chester Wisniewski, principal research scientist at Sophos.

Reference: San Fran’s BART Investigates Vice Society Data Breach Claims
Victim: San Francisco’s Bay Area Rapid Transit – BART

BART is a rapid transit system serving the San Francisco Bay Area in California.

Reference: Ransomware attack exposes California transit giant’s sensitive data
Incident: Cyberattack takes DNV’s Maritime Vessel and Fleet Management Software Offline.

DNV confirms it has taken its ShipManager software product offline after the service's IT servers were the victim of a cyberattack. DNV reports that it has advised customers. In response to the incident the company shut down ShipManager’s IT servers.

ShipManager is a software solution used by shipping companies to oversee the technical, operational, and compliance aspects involved in vessel and fleet management.

UPDATE: Approximately 1,000 ships of 70 maritime operators were affected by the ransomware attack, reports the Computer Emergency Response Team for the EU institutions.

Reference: Cyberattack Forces DNV to Take ShipManager Service Offline
Reference: Cyberattack hits DNV ShipManager software
Victim: DNV

DNV provides services for several industries including maritime, oil and gas, renewable energy, electrification, food and beverage and healthcare.

An international accredited registrar and classification society headquartered in Høvik, Norway. The company currently has about 12,000 employees and 350 offices operating in more than 100 countries.

Incident: UK Manufacturer, Morgan Advanced Materials Hit in Cyberattack

UK manufacturing firm, Morgan Advanced Materials plc said Tuesday it is investigating and managing a “cybersecurity incident after detecting unauthorized activity on its network.” “Upon becoming aware of the incident, the company immediately launched an investigation, engaged its specialist support services and has implemented its incident response plans,” the company said in a notice filed with the London Stock Exchange.

August 2023 update: the company told the London Stock Exchange that some applications were still being recovered and that the incident had a £23 million (approximately $28 million) impact on the first half of 2023’s operating profit. Although the company did not provide information on the type of cyberattack it has experienced, taking systems offline is typically the response to a ransomware attack.

Reference: UK Manufacturing Firm Hit in Cyberattack
Reference: British Manufacturing Firm Morgan Advanced Materials Investigating Cyberattack
Victim: Morgan Advanced Materials

Morgan Advanced Materials specializes in solutions for the industrial, energy, transportation, healthcare, and semiconductor sectors. It provides thermal and technical ceramics, molten metal systems, electrical carbon, and seals and bearings. The company has 7,800 employees across 25 countries.

Threat Actor: Play, aka PlayCrypt

Play ransomware mainly works in the Latin American region, targeting government entities. This ransomware’s name was derived from its behavior, as it adds the extension “.play” after encrypting files. Its ransom note also contains the single word, “PLAY,” and the ransomware group’s contact email address.

Unlike most ransomware operations, Play gang affiliates use email as a negotiation channel and will not provide victims with a link to a Tor negotiations page within ransom notes dropped on encrypted systems. However, they are stealing data from their victims' networks before deploying ransomware payloads and will threaten to leak it online if the ransom is not paid.

Incident: The Guardian Closes Offices after Cyberattack

The global IT system at The Guardian newspaper was hit by a ransomware attack on December 20. Offices are closed to “reduce the strain” on the company’s networks. All workers were told to work remotely until at least January 23.

Victim: The Guardian

The Guardian is a British daily newspaper founded in 1821.

Reference: The Guardian offices close after ransomware attack
Incident: Customer Data Breach at Toyota India

A data breach at Toyota Motor's Indian business might have exposed some customers' personal information, it said on Sunday. The car company warned that the accounts could be subject to spamming or phishing scams along with unsolicited emails.

Reference: Data Breach At Toyota-Kirloskar Motor Could Expose Customer Data: All You Need To Know
Victim: Toyota-Kirloskar Motor

Toyota Kirloskar Motor, based in India, is a joint venture between Kirloskar group and Toyota, Japan.

Reference: Toyota’s Indian unit warns of a possible customer data breach
Reference: Ransomware Group Claims Volvo Attack, Screenshots of the Stolen Files Released
Incident: R&D Data Breach at Volvo Cars

Car company Volvo suffered a cyberattack on some of its research and development property, the manufacturer said in a press release. Volvo Cars said "it could impact the company's operation", but did not specify what that might be.

In a statement published on the dark web on the evening of November 30, the Snatch ransomware gang said it had attacked the Volvo Car Corporation (VCC). Snatch published screenshots of allegedly stolen data from the Volvo hack on a Darknet website viewed by

Threat Actor: Snatch ransomware group

The Russian Snatch ransomware group uses the double extortion method; accordingly, the payload is made of ransomware and data stealer components. Threat actors use automated brute-force attacks against vulnerable applications in the target organizations. The Snatch ransomware operators also use their affiliate partners to gain initial access to corporate networks.

Malware: Snatch Ransomware

Snatch ransomware is a stealthy malware that utilizes publicly available and built-in tools for its malicious activities. Since Windows does not often run endpoint protection mechanisms in Safe Mode, Snatch ransomware avoids detection by forcing infected hosts to reboot into Safe Mode.

Reference: The Snatch ransomware gang is making a comeback, releasing screenshots of stolen data.
Incident: Hacker Allegedly Sells Sensitive Data from Volvo

A threat actor is allegedly selling sensitive data, including information on vehicles the company sells to law enforcement.
Somebody has posted an ad on a popular hacking forum, claiming they are selling sensitive data of the Swedish manufacturing giant Volvo.

The threat actor behind the post insists that the company fell victim to a ransomware attack in late December. However, the attacker decided to sell the data instead, being convinced that Volvo would not pay the ransom. The relatively modest price set for the dataset signals that the information might not be as sensitive as claimed.

Victim: Volvo

The Volvo Group is a Swedish multinational manufacturing corporation headquartered in Gothenburg. While its core activity is the production, distribution and sale of trucks, buses and construction equipment, Volvo also supplies marine and industrial drive systems and financial services.

Reference: Attacker claims Volvo suffered a data breach
Incident: Wabtec Discloses Data Breach Took Place less than a Year Ago

U.S. rail and locomotive company Wabtec Corporation has disclosed a data breach that exposed a wide variety of personal and sensitive information, in a statement on December 30, 2022. Wabtec says hackers breached its network and installed malware on specific systems as early as March 15, 2022.

News outlets reported the "possible ransomware attack" in June '22; Wabtec did not comment at that time.

Reference: Possible Ransomware Attack Allegedly Impacting Wabtec
Reference: Rail giant Wabtec discloses data breach after Lockbit ransomware attack
Victim: Wabtec

Wabtec is a U.S.-based public company producing state-of-the-art locomotives and rail systems. The company employs approximately 25,000 people and has a presence in 50 countries, being the world's market leader in freight locomotives and a major player in the transit segment. It is headquartered in Pittsburgh, Pennsylvania.

Incident: Port of Lisbon Suffered Cyberattack over Christmas

The administration of the Port of Lisbon suffered a cyberattack over Christmas. The Portuguese authorities didn’t specify the nature of the attack or who was behind it. However, the LockBit ransomware gang uploaded Port of Lisbon to its leak site, a darknet website where cybercriminals announce their victims. The gang claims to have stolen all of the data available on the port’s systems. Threat actors intentionally publicize what data was stolen to force victims into paying the ransom. LockBit demands close to $1.5m to download or destroy the data.

Victim: Port of Lisbon

Port of Lisbon is Portugal’s third largest port.

Reference: LockBit claims an attack on the Port of Lisbon
Incident: Boeing Hit by Wannacry

Boeing looks like it may be the latest victim of the WannaCry ransomware.
The company, however, said it detected only what it calls “limited malware intrusion” impacting a “small number of systems.”
The ransomware first hit Boeing Wednesday and Mike VanderWel, chief engineer at Boeing Commercial Airplane production engineering, sent out a memo to warn the infection could even affect airplane software.
“It is metastasizing rapidly out of North Charleston and I just heard 777 (automated spar assembly tools) may have gone down,” VanderWel was quoted as saying in The Seattle Times.

Reference: WannaCry Hits Boeing With ‘Limited Intrusion’
Malware: WannaCry

WannaCry is a ransomware worm that spread rapidly across a number of computer networks in May of 2017. After infecting a Windows computer, it encrypts files on the PC's hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them.

Victim: Boeing

American multinational corporation that designs, manufactures, and sells airplanes, rotorcraft, rockets, satellites, telecommunications equipment, and missiles worldwide.

Incident: Colombian Utility, EPM, Suffers Ransomware Attack

Colombian energy company Empresas Públicas de Medellín (EPM) suffered a BlackCat/ALPHV ransomware attack, which ended up affecting financial operations and taking down online services. EPM is one of Colombia’s largest public energy, water, and gas providers.

The company's data was affected, including the alternate data center, with an estimated 25% contagion of the infrastructure; in addition, the extent of information loss is still being studied.

The company, which provides services to 123 municipalities, closed its customer service offices and asked 4,000 employees to work from home as a preventative measure. The same day it indicated that "fortunately the provision of energy, water and gas services was not affected." EPM provided alternative methods for customers to pay for services.

Reports claim that a sizeable amount of data was stolen and around 40 devices were compromised during the attack, but the organization has yet to comment on these claims.

Reference: Ransomware Attack at Colombian Utility
Victim: Empresas Públicas de Medellín (EPM)

One of Colombia’s largest public energy, water, and gas providers, providing services to 123 municipalities. The company generated over $25 billion in revenue in 2022 and is owned by the Colombian Municipality of Medellin.

Reference: Copper Miner Hit In Ransomware Attack
Incident: Disney Toy Maker Extorted by Two Ransomware Gangs

BlackCat ransomware cartel claims to have obtained Jakks Pacific data. Two weeks ago, Hive ransomware posted Jakks Pacific on their leak site. Threat actors first hacked the maker of Super Mario, Sonic, Disney Princess, and other toys in early December.

“On December 8, 2022, JAKKS experienced a ransomware attack by inserted malware into JAKKS’ computer network which locked up our servers,” the company said in a statement.
At the time, Jakks Pacific believed that threat actors accessed personal information such as names, emails, home addresses, taxpayer ID numbers, and ‘banking information.’

Reference: Toy maker Jakks Pacific victimized by a second cybergang
Reference: Toy maker Jakks Pacific reports cyberattack after multiple ransomware groups leak data
Victim: JAKKS Pacific, Inc.

JAKKS Pacific, Inc. is a leading designer, manufacturer and marketer of toys and consumer products sold throughout the world, with its headquarters in Santa Monica, California.

Incident: Hackers Demand $60M Ransom from Intrado Telecommunications

The Royal Ransomware gang