17 February 2023


LockBit leaks negotiation transcript with Royal Mail International | Cyber Intelligence Briefing: 17 February



Top news stories this week

  1. Unexpected delivery. LockBit leaks negotiation transcript with Royal Mail International.
  2. DDoS on the rise. KillNet disrupts NATO earthquake relief effort and Cloudflare mitigates largest attack to date.
  3. The revolution will not be televised. Hacktivists disrupt president’s speech on Iranian state TV.
  4. Under attack. Tonga Communications Corporation and City of Oakland hit with
  5. Popped. Pepsi Bottling Ventures (PBV) discovers network intrusion after nearly three weeks.
  6. Game over. New ransomware strain ‘Mortal Kombat’ spreads through phishing emails.
  7. Patch Tuesday. Microsoft addresses multiple vulnerabilities in February 2023’s Patch Tuesday.


1. Negotiations between Royal Mail International and LockBit leaked 

LockBit claims to have leaked its entire negotiation transcript with Royal Mail International following last month’s cyber attack. Believing they had compromised the parent company rather than a smaller subsidiary, LockBit demanded a ransom of USD 80 million, which they calculated to be 0.5% of their target’s revenue. Royal Mail refused to pay, rejecting the demands as “absurd”.

So what?

Threat actors often calculate ransom demands as a percentage of the victim’s revenue, but they have been known to base such assessments on false information.



2. DDoS attacks on the rise

Russian hacker group KillNet has claimed responsibility for a DDoS attack on NATO’s Special Operations website, disrupting an aid mission for the victims of the Turkey-Syria earthquake. The attack took the website down for several hours.

Separately, content delivery and DDoS mitigation network provider Cloudflare detected and mitigated the largest volumetric DDoS attack on record. The attacks were reportedly launched from 30,000 IP addresses, with the largest attack exceeding 70 million requests per second, a 35% increase from the previously reported record.

So what?

A distributed denial of service (DDoS) attack involves overwhelming a website with malicious traffic to take it offline. Setting up continuous monitoring to analyse patterns and filtering out malicious traffic can reduce the impact of DDoS attempts. This is especially important if constant availability is critical to your organisation’s business operations.



3. Hacktivists disrupt Iran president's revolution day speech

The Iranian hacktivist group known as Edalat-e Ali took over a live TV broadcast during President Raisi's speech to mark the anniversary of the Islamic Republic. The group displayed the slogan “death to Khamenei”, referring to the supreme leader of Iran, and called for protests and the withdrawal of money from government banks.

So what?

Organisations must be mindful that not all hacking is profit-driven and that they could be targeted by hacktivists with political and social motivations. Understanding your organisation’s public profile is important when assessing the evolving risk landscape.



4. Ransomware continues to impact public sector organisations

State-owned telecommunication company Tonga Communications Corporation has notified its customers of a ransomware attack that is impacting its administrative functions. A separate attack on the City of Oakland in California is severely affecting the provision of public services.

So what?

Public sector organisations are a popular target for ransomware. Recent high-profile attacks demonstrate the importance of having a cyber security risk management strategy to help identify, analyse, evaluate, and respond to key cyber security risks.





5. Pepsi Bottling Ventures suffers data breach

Pepsi-Cola’s manufacturer and distributor Pepsi Bottling Ventures (PBV) has suffered a data breach that exposed employees’ personal and financial information. Attackers accessed PBV’s network for nearly three weeks before being detected.

So what?

Timely detection of cyber intrusions is critical in limiting the damage caused by a data breach. Ensure your network is properly segmented to slow an attacker’s progress and reduce the impact of the intrusion.



6. New ransomware strain spread through phishing emails

Security researchers have identified a new ransomware campaign dubbed ‘Mortal Kombat’ that is targeting individuals and entities in the US. The ransomware is distributed through phishing emails, which encourage recipients to open a zip file attachment that mimics a cryptocurrency invoice. The ransom note displays an image from the video game Mortal Kombat.

So what?

To protect your organisation, emails with unprompted attachments and links should be treated with extreme caution. Investing in phishing training can help improve awareness, as can notifying employees of prevalent phishing campaigns.



7. Patch Tuesday

Microsoft has patched 77 vulnerabilities, including three zero-day vulnerabilities that were actively exploited by cyber criminals. The vulnerabilities, nine of which were classified as critical, could allow unauthorised access, data theft, or denial of service attacks.

Most patches are available automatically through Windows Update. However, one patch will be issued through the Microsoft Store.

So what?

Organisations must ensure they have the latest security updates installed to reduce the likelihood of suffering a security breach. Ensure you have both Windows Update and Microsoft Store automatic updates enabled to benefit from the latest patches.



Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Miles Arkwright
Associate, Cyber Security
James Tytler
Associate, Cyber Security

James Tytler is a cyber security associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.
