23 January 2024


Switzerland targeted by hacktivists | Cyber Intelligence Briefing: 23 January


Top news stories this week

  1. From the ashes. The British Library begins to restore systems months after ransomware attack.
  2. Frozen out. Switzerland targeted by hacktivists through DDoS attacks.
  3. Hold firm. Spanish municipality refuses to pay following ransomware attack.
  4. Freshly eaten. LockBit claims responsibility for Subway ransomware attack.
  5. Clandestine. Russia-based threat group APT29 accessed and stole data from Microsoft’s senior leadership team.
  6. Ransomware despair. NGO Water for People hit by Medusa ransomware as RUSI outlines psychological impact of ransomware attacks.

1. The British Library takes steps towards restoring systems post-ransomware incident

The British Library continues to make a slow recovery from a ransomware attack it suffered in October of last year, when ransomware group Rhysida successfully exfiltrated and leaked sensitive employee and customer data on the dark web. Recent restoration efforts have enabled the British Library’s website to regain partial functionality. Users can now access most of the library’s main catalogue; however, it is only available in ‘read only’ format, and other online services remain disrupted.

The library has been criticised for a lack of transparency in its communications to employees and customers, as the completion date of the restoration remains unconfirmed.

So what?

Maintaining a clear and defined communication strategy can help organisations significantly reduce reputational damage following major cyber incidents. 

[Researcher: Adelaide Parker] 


2. Arrival of the Ukrainian president in Switzerland results in cyber attacks

Swiss government websites were temporarily disrupted by DDoS attacks following Ukrainian President Volodymyr Zelenskyy’s arrival at the World Economic Forum in Davos. A pro-Russian hacking group known as ‘NoName’ claimed responsibility for the attacks on its Telegram channel. The same group targeted Switzerland in June 2023, with DDoS attacks on parliamentary, postal, and federal railway websites.

So what?

Cyber attacks can be motivated by geopolitics. It is crucial to assess the potential cyber threat implications of the geographies and industries in which your organisation has a vested interest.

[Researcher: Adelaide Parker]


3. Spanish municipality refuses to pay EUR 10 million ransomware demand

The Spanish municipality of Calvià has refused to pay an EUR 10 million ransom, in line with the Counter Ransomware Initiative. Signatory countries of the CRI have pledged that public bodies will no longer pay ransoms to cyber criminals. The council has temporarily paused administrative duties, deployed a crisis team, and engaged with cyber crime authorities for damage assessment and recovery.

So what?

In the wake of ransomware attacks, refusal to pay can lead to sizable costs and business disruption. Ensure a thoroughly planned and practised incident response plan is in place to protect organisational resilience and minimise business interruption.

[Researcher: Amy Gregan]

 


4. LockBit 3.0 claims ransomware attack on Subway

The LockBit ransomware group has posted American multinational chain Subway on its leak site and threatened to auction sensitive financial data unless its demands are met by 2 February 2024. The fast-food giant is investigating the claims.

So what?

LockBit remains the most active ransomware gang and is continuing to target global corporations and SMEs. To minimise your risk of falling prey, ensure that you have a robust incident response plan in place.

[Researcher: Amy Gregan]


5. Microsoft’s senior leadership team has corporate emails accessed and data stolen by Russia-based threat group

Microsoft has revealed that a Russian state-backed threat group accessed and exfiltrated data from a number of its corporate email accounts, including those of members of its senior leadership, cyber security, and legal teams. The group accessed the accounts after compromising a legacy test account using a password spray attack, which has led cyber security experts to speculate that the account was not protected with multi-factor authentication (MFA).

So what?

Organisations need to have a comprehensive approach to identifying and disabling inactive user accounts in their environment. These accounts are a prime target for cyber criminals.

[Researcher: David Broome]


6. Water for People hit by Medusa ransomware as report outlines the significant psychological impact ransomware attacks can have on victims

A report by the Royal United Services Institute (RUSI) has revealed that many small business owners have been left with suicidal feelings following ransomware attacks, suggesting that the psychological toll of ransomware attacks is often greatest for small businesses. The study highlights the impact that stress can have on those responding to incidents, with the potential to lead to burnout and sickness among staff.

Separately, ransomware group Medusa has claimed responsibility for an attack on non-profit Water for People, after naming the organisation on its leak site and leaking sensitive data.

So what?

Several ransomware groups target organisations indiscriminately and exhibit no sympathy for public service businesses. As the scale of ransomware incidents continues to increase, organisations of all sizes should invest in key security controls such as immutable backups and formalise incident response plans to avoid being caught unprepared.

[Researcher: David Broome]

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

Editors

Kyle Schwaeble
Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.  

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified. 

Miles Arkwright
Associate, Cyber Advisory

James Tytler
Associate, Incident Response

James Tytler is an associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.
