27 January 2023

6 min read

Hive ransomware network shut down and decryptor leaked | Cyber Intelligence Briefing: 27 January

January 2023
Hive ransomware network shut down and decryptor leaked | Cyber Intelligence Briefing: 27 January placeholder thumbnail


Top news stories this week

  1. Hive-ing a bad day. Ransomware-as-a-service operation Hive shut down. 
  2. I predict a riot. Video game developer Riot Games falls victim to cyber attack.
  3. In the spotlight. T-Mobile and Arnold Clark under pressure following data breaches.
  4. Coin trace. The FBI traces USD 100 million of stolen funds to North Korean hackers.
  5. Get stuffed. ‘Credential stuffing’ used to breach 35,000 PayPal accounts.
  6. Lunar-cy. Chinese hackers deface South Korean state institution websites over New Year.
  7. Noted! Microsoft OneNote attachments become the newest vector for malware. 

1. Hive ransomware network shut down and decryptor leaked

The US Department of Justice has shut down the website of a major ransomware network, Hive. The FBI penetrated the network in July 2022, capturing over 300 decryption keys that were then handed over to companies compromised by the gang. The FBI also distributed more than 1,000 additional decryption keys to previous Hive victims. 

So what?

Hive is believed to have extorted more than USD 100 million from victims in over 80 countries, including hospitals, school districts, financial firms, and critical infrastructure. So, the shutdown is welcome news!    




2. Riot Games hacked

Video game developer Riot Games has confirmed that a threat actor compromised their development environment last week. The hackers gained access through social engineering and exfiltrated source code of popular games, including League of Legends. The threat actor has demanded USD 10 million to prevent source code from being leaked and deleted from their servers. 

So what?

Social engineering remains a favourite point of entry for threat actors, with emails being a common delivery method. Organisations must secure their email environment through measures such as conditional access policies, email filtering solutions, and employee training programmes.    




3. T-Mobile and Arnold Clark customer data leaked 

The Play ransomware group has leaked customer data belonging to British car dealership Arnold Clark, including passport and bank details. Play has allegedly threatened to leak further tranches of data if the ransom is not paid.  

Separately, telecommunications giant T-Mobile has disclosed a data breach going back to November 2022, affecting 37 million customer accounts. The attackers reportedly accessed personal customer information, including names, addresses, emails, phone numbers, and dates of birth.  

So what?

Data breaches can be particularly damaging to a company's reputation. The extent of reputational damage is often dependant on how an organisation reacts in the immediate stages of a breach. Incident response and crisis management plans are crucial components for managing reputational risk.   


4. The FBI traces stolen funds to North Korea

The FBI has traced USD 100 million worth of Ethereum stolen from the cryptocurrency firm Harmony Horizon back to the North Korean government-linked Lazarus Group. Investigators identified the hackers when they moved part of the funds through Railgun, a privacy enhancing system, before depositing the funds to addresses associated with the group.   

So what?

Cryptocurrency was once considered anonymous, but advances in tracing methodologies mean that it is possible for law enforcement agencies to track down and seize the proceeds of crime. 


Cyber Security Insights Report



5. Credential attack at PayPal

Online payment platform PayPal has announced that hackers breached nearly 35,000 user accounts in December. The attack technique involved so called ‘credential stuffing’ where the hackers accessed previously leaked PayPal login information. The hackers accessed sensitive data such as full names, social security numbers, card details, and transaction histories.  

So what?

Credential stuffing attacks demonstrate the importance of good password management. On top of enforcing multi-factor authentication, organisations should ensure password policies and their subsequent implementation follow industry best practice. 



6. Chinese hackers deface websites

A Chinese hacking group dubbed Xiaoqiying has claimed responsibility for an attack that defaced the websites of 12 South Korean state-run institutions over the Lunar New Year holiday. Authorities have been put on high alert after the group announced it would target over 2,000 Korean organisations, in what it called ‘an invasion into Korea’s internet’.  

So what?

A common method of attacking websites involves exploiting outdated third-party software. Ensuring that you regularly apply security updates and patches is an easy way to protect your website from attack. 



7. Microsoft OneNote attachments used in phishing attacks 

Recent trends indicate that threat actors have begun using Microsoft OneNote attachments in phishing emails to distribute malware. It appears that organisations such as DHL are being spoofed to encourage users to click through the OneNote attachment. 

So what?

Caution and suspicion should be employed when receiving unprompted emails containing attachments and links. Organisational investment in phishing awareness training and simulations will help employees identify fraudulent requests and reduce the likelihood of a successful phishing attack. 

Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Miles Arkwright
Miles Arkwright
Associate, Cyber Advisory
James Tytler
James Tytler
Associate, Incident Response

James Tytler is an associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.

Miles Arkwright
Miles Arkwright

Associate, Cyber Advisory

James Tytler
James Tytler

Associate, Incident Response

Share this post

Subscribe to our insights

Get industry news and expert insights straight to your inbox.