11 August 2023

Northern Ireland police data exposed due to staff error | Cyber Intelligence Briefing: 11 August

Top news stories this week

  1. Belfast blues. Personal information from Police Service of Northern Ireland inadvertently leaked. 
  2. Electioneering. 43 million voters’ details exposed in attack on UK Electoral Commission. 
  3. Turning on the taps. Cl0p gives new 15 August deadline and uses torrents for leaking data. 
  4. Medical mayhem. Rhysida attack on Prospect Medical Holdings disrupts US hospitals’ operations. 
  5. Caught red-handed. North Korea’s Lazarus group hacks top Russian missile manufacturer. 
  6. Phish and chips. Interpol dismantles phishing-as-a-service platform.

1. Northern Ireland police data exposed due to staff error

The names and addresses of over 10,000 police officers and other staff of the Police Service of Northern Ireland were exposed online following an accidental disclosure in response to a Freedom of Information request. The data is highly sensitive given the security situation in Northern Ireland and included names of intelligence officers and surveillance units. 

So what?

Sensitive information should be carefully sanitised before being shared with external stakeholders. Organisations should have robust processes, including access controls, to prevent accidental exposure.

2. Attack on UK Electoral Commission exposes 43 million voter details

The UK Electoral Commission has disclosed that unidentified threat actors had access to servers holding the names and addresses of every adult registered to vote in the UK between 2014 and 2022. The attack began in August 2021 and was first detected in October 2022, but it is unclear what files were accessed. Security researchers have speculated that the threat actor is linked to Russia and gained access using the ProxyNotShell vulnerability. 

So what?

While preventative controls are important, the ability to detect a cyber incident is critical. Detection and response solutions and regular threat hunting exercises are just two important ways to improve an organisation’s detection capabilities. Furthermore, timely disclosure in the wake of a data breach is essential not only to comply with legal requirements, but also to mitigate reputational damage.

3. Cl0p issues new deadline and turns to torrents for data leaks

The Cl0p ransomware gang, which was responsible for the recent MOVEit breach, has issued a new deadline. The group claims it will start leaking data from companies named on its site that have not made contact by 15 August 2023. In addition to using clear web leak sites for larger victims, the gang has also begun using torrents to leak stolen data.

So what?

In contrast to dark web leak sites with slow download speeds, torrents and clear web sites will make leaked data much more readily accessible. 

4. Rhysida ransomware attacks force hospitals in the US and Israel to halt operations 

US-based Prospect Medical Holdings experienced a ransomware attack which caused systems outages and disrupted operations at its 16 hospitals across California, Connecticut, Pennsylvania, and Rhode Island. The attack was attributed to Rhysida, a relatively new ransomware-as-a-service group. Security researchers have linked Rhysida to Vice Society, a more established group also known to target the healthcare and education sectors.

So what?

There are several methods to improve ransomware resilience, including good backup hygiene. One important, but often overlooked, measure is isolating critical systems from the rest of the operational network and limiting access to them as much as possible.

5. Lazarus Group hacks Russian missile manufacturer

The North Korean state-backed threat actor Lazarus Group infiltrated the systems of Russian missile developer NPO Mashinostroyeniya between late 2021 and May 2022. Hackers installed backdoors for persistent access, but it is unclear what data was accessed. The breach was inadvertently made public after security staff at NPO Mash uploaded data to a platform used by cyber security researchers. 

So what?

Not all cyber attacks are financially motivated. Organisations holding sensitive intellectual property may be targeted for other reasons, such as espionage. Acknowledging this and protecting sensitive and valuable data accordingly is critical.

6. Interpol dismantles phishing-as-a-service platform

Interpol has successfully taken down the 16shop phishing-as-a-service platform. The platform provided easy-to-use phishing kits targeting major payment platforms such as Apple Pay, PayPal, and American Express. The site had around 70,000 users from 43 countries.

So what?

While the takedown of 16shop is a significant step, it is crucial to remain vigilant as similar platforms still exist. These platforms reduce the skill barrier for attackers, emphasising the ongoing need for robust cyber security measures and user awareness.

Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.

Kyle Schwaeble
Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.  

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified. 

James Tytler
Associate, Incident Response

James Tytler is an associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.
