OSINT REPORT

Covering: 19 December 2022 – 09 January 2023 | TLP GREEN | Publication: January 10, 2023

OSINT report
2022 - Week 52 & 2023 – Week 1

ABOUT ENISA

The European Union Agency for Cybersecurity (ENISA) has been working to make Europe cyber
secure since 2004. ENISA works with the EU, its member states, the private sector and Europe’s
citizens to develop advice and recommendations on good practice in information security. It assists
EU member states in implementing relevant EU legislation and works to improve the resilience of
Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing
expertise in EU member states by supporting the development of cross-border communities
committed to improving network and information security throughout the EU. Since 2019, it has
been drawing up cybersecurity certification schemes. More information about ENISA and its work
can be found at [Link].

CONTACT
To contact the authors, please use sat@[Link]. For media enquiries about this paper,
please use press@[Link].

AUTHORS
Operational Cooperation Unit – Situational Awareness Team

LEGAL NOTICE
Notice must be taken that this publication represents the views and interpretations of ENISA,
unless stated otherwise. This publication should not be construed to be a legal action of ENISA or
the ENISA bodies unless adopted pursuant to the Regulation (EU) No 2019/881.
ENISA may update this publication from time to time.
Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the
external sources including external websites referenced in this publication.

This publication is intended for information purposes only. It must be accessible free of charge.
Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of
the information contained in this publication.

COPYRIGHT NOTICE
© European Union Agency for Cybersecurity (ENISA), 2023
Reproduction is authorised provided the source is acknowledged.

For any use or reproduction of photos or other material that is not under the ENISA copyright,
permission must be sought directly from the copyright holders.

Table of Contents
INTRODUCTION ..... 1
LATEST INCIDENTS ..... 3
1. [CZ] CZECH RAILWAYS IS FACING A HACKER ATTACK. THE MY TRAIN WEBSITE AND APP ARE DOWN ..... 3
2. [DE] CYBER ATTACKS ON GERMAN LOTTERY: PROBLEMS ON WEBSITES AFTER SUSPECTED HACKERS ..... 4
3. [DE] GERMAN CITY OF POTSDAM OFFLINE FOR SEVERAL DAYS DUE TO CYBER ATTACK ..... 5
4. [DE] HACKERS ATTACK THYSSENKRUPP'S MATERIALS DIVISION ..... 5
5. [FR] CYBERATTACK IN BERCY: THE NEW ONE-STOP SHOP FOR BUSINESSES TARGETED, TWO DAYS AFTER ITS LAUNCH ..... 6
6. [IT] CYBER ATTACK ON THE ALESSANDRIA HOSPITAL; RAGNAR LOCKER CALL TO “REPLACE ALL IT STAFF” ..... 7
7. [NL] DUTCH POLITICIAN GEERT WILDERS' PARTY FOR FREEDOM (PVV) WAS THE TARGET OF A CYBER ATTACK ..... 8
8. [NL] SYSTEMS OF THE NOVA COLLEGE EDUCATIONAL INSTITUTION PARTLY RECOVERED AFTER A CYBER ATTACK ..... 9
9. [PT, ES] FINANCIAL INSTITUTIONS IN PORTUGAL AND SPAIN TARGETED BY NEW RASPBERRY ROBIN MALWARE ..... 10
10. [PT] THE PORT OF LISBON, ATTACKED BY THE LOCKBIT RANSOMWARE GROUP ..... 11
11. [RO] DATABASE OF ROMANIAN HOSPITAL HELD FOR RANSOM BY HACKERS ..... 12
12. [GLOBAL] SLACK'S PRIVATE GITHUB CODE REPOSITORIES STOLEN OVER HOLIDAYS ..... 14
13. [GLOBAL] RANSOMWARE GROUP PLAY TARGETS NUMEROUS ENTITIES WORLDWIDE ..... 15
    [AR/JP] PLAY RANSOMWARE LISTS ARGENTINA’S STATE-OWNED TELECOMMUNICATIONS COMPANY ARSAT AND TAIWANESE CHIPMAKER JMICRON TECHNOLOGY ..... 15
    [CH] PLAY RANSOMWARE GROUP THREATENS LARGE SWISS HOTEL CHAIN WITH DATA LEAK ..... 16
    [SE] PLAY RANSOMWARE CLAIMS TO HACK INTO AN IT PROVIDER THAT SPECIALISES IN THE IT ENVIRONMENTS FOR SHIPS AND ADDS CUSTOMERS AS VICTIMS ..... 16
    [US] RACKSPACE RANSOMWARE ATTACK CAUSED BY A ZERO-DAY EXPLOIT ..... 16
14. [GLOBAL] GODFATHER BANKING TROJAN TARGETS FINTECH APPS AND CRYPTOCURRENCY EXCHANGES ..... 18
15. [GLOBAL] TOYOTA, MERCEDES, BMW API FLAWS EXPOSED OWNERS’ PERSONAL INFO [WARNING] ..... 18
16. [MD] MOLDOVAʼS GOVERNMENT HIT BY FLOOD OF PHISHING ATTACKS ..... 21
17. [UA] CYBER ATTACK ON DELTA SYSTEM USERS USING ROMCOM/FATEGRAB/STEALDEAL MALWARE ..... 22
18. [UK] THE GUARDIAN RANSOMWARE ATTACK HITS WEEK TWO AS STAFF TOLD TO WORK FROM HOME ..... 23
19. [MY] 250,248 UNIFI MOBILE CUSTOMERS AFFECTED BY DATA BREACH, SAYS TELEKOM MALAYSIA BHD ..... 25
20. [NK] LAZARUS APT USES PHISHING DOMAINS TO TARGET NFT INVESTORS ..... 26

Introduction:

The objective of this weekly OSINT report is to provide Situational Awareness 1 based on the latest open-source
information (OSINT) gathered by ENISA. Presented incidents are categorised according to their nature (fields
‘Category’ and ‘Type’) and their proximity to the EU ecosystem. The sectorial classification of reported incidents is
based on the European Commission proposal for a European cybersecurity taxonomy. 2

The report’s scope is global and multi-sectorial; incidents with a direct impact on the EU area are, however, given priority.

The marking of this report is TLP GREEN. The report is to be used within the European Union
institutions, other offices and agencies established by virtue or on the basis of the Treaties, EU Member
States’ and EFTA countries’ public authorities. The report should not be distributed/accessible via
publicly accessible channels.

Disclaimer

Information provided in this report is based on publicly available information of Open Sources. This information is
intended to be used for Situational Awareness purposes only. Opinions expressed in referenced sources do not
constitute an ENISA position.

1 In accordance with the EU Cybersecurity Act, Art. 7 Par. 6 ([Link])
2 [Link]


Annual statistics:

DOMAIN
  FAR 127
  GLOBAL 168
  MID 110
  NEAR 543

CATEGORY
  APT 99
  Cyber-attack 351
  Cybercrime 324
  Cybersecurity 95
  Cyberwarfare 34
  Espionage 52
  Geopolitics 115
  Hacktivism 47
  Poor security measures 8
  Possible cyber-attack 23

TYPE
  Backdoor 23
  Banking trojan 4
  BGP hijack 2
  Blackmail 1
  Bootkit 1
  Breach/Intrusion 123
  Credential harvesting 6
  Credential stuffing attack 1
  Defacement 8
  Domain hijacking 2
  DoS/DDoS/RDoS 117
  Exfiltration/Data leakage/Breach 131
  Exploitation 18
  Fraud/Impersonation/Counterfeit 46
  IoT botnet 10
  Malware 132
  Miner/Crypto 8
  Misinformation/Disinformation 7
  Mobile trojan/malware 3
  Multiple 17
  Not enough information 100
  Ransomware 251
  RAT 15
  Remote Code execution 3
  Skimmers/Magecart 4
  SMShing/Vishing 14
  Social Engineering 9
  Software supply chain 6
  Spear phishing/Phishing 128
  Spoofing 4
  Spyware 17
  Stealer 9
  Steganography 1
  Threat Intelligence 2
  Trojan 8
  Warning 87
  Watering hole 3
  Zero Day 12

SECTOR
  All Sectors 108
  Arts sector 2
  Construction industry 10
  Critical Infrastructure 10
  Education/Academic 37
  Energy sector 51
  Facility services 13
  Finance sector/Banking 69
  Food Industry 16
  General public 112
  Healthcare/Medical 71
  Industrial 42
  Insurance 7
  ISP 8
  Legal 8
  Mail/Shipping services 7
  Maritime sector 7
  Media sector/Entertainment industry 53
  Military 33
  Non-Government Organisations 14
  Not enough information 6
  Political organizations 12
  Private sector 38
  Public administration/Government 233
  Religious organizations 6
  Research 9
  Retail/Commerce 25
  Software supply chain 4
  Space sector 6
  Sports sector 1
  Targeted individuals 34
  Technological 61
  Telecommunications 36
  Transportation sector 43
  Water utilities 2


Latest incidents 3:

Near: affected networks, systems and services controlled and assured within the EU borders; affected population
within the EU borders. 4

1. [CZ] CZECH RAILWAYS IS FACING A HACKER ATTACK. THE MY TRAIN WEBSITE AND APP ARE DOWN

FOR INFORMATION
CATEGORY: Cyber-attack
TYPE: Not enough information
SECTOR(S): Transportation sector

“České dráhy, often shortened to ČD, is the major railway operator in the Czech Republic providing regional and long-
distance services. The company was established in January 1993, shortly after the dissolution of Czechoslovakia, as a
successor of the Czechoslovak State Railways.” 5

“The website and application of the state railway carrier České dráhy were attacked by hackers. The ČD website
and the Můj vlak application may therefore be unavailable according to the carrier. Passengers will be checked in
without surcharge.

Both the ČD website and the mentioned application serve people, in addition to information about traffic, as well
as buying tickets. Therefore, the railways said that passengers are checked in without surcharge in trains.

‘We are gradually restoring the systems so that the e-shop and My Train application are fully functional. We
apologize to the passengers for the complications that we could not influence,’ said ČD spokeswoman Vanda
Rajnochová.

The spokeswoman did not want to give details about the beginning of the attack and the type of attack for security
reasons. ČD announced the attack on Twitter at around 7:30 p.m., and after 8:00 p.m. the railway website
continued to experience outages.” 6

The numerical distribution of tweets containing “Czech railway” is shown below. 7

3 Definitions for the Near, Mid, Far attributes can be found at: [Link] p.40
4 Including EFTA countries: [Link]
5 [Link]
6 Translated from [Link]
7 Source: OpenCSAM

2. [DE] CYBER ATTACKS ON GERMAN LOTTERY: PROBLEMS ON WEBSITES AFTER SUSPECTED HACKERS

FOR INFORMATION
CATEGORY: Cyber-attack
TYPE: Credential harvesting, Exfiltration/Data leakage/Breach
SECTOR(S): Retail/Commerce

“Nordwest Lotto Schleswig-Holstein is a company that operates in the Gambling & Casinos industry. It employs 21-50
people and has $1M-$5M of revenue” 8

“Because of a cyber-attack, lottery players in Brandenburg, for example, were unable to place a bet online on
Tuesday [03/01/2022]. As the spokeswoman for the lottery company in Potsdam, Antje Edelmann, said, the
internet service was shut down for security reasons. Alleged cybercriminals tried to access customer accounts
over the turn of the year and on Monday. It was unclear how long the closure would last. There were problems in
other states too.

Whether personal data was stolen from customers has not yet been clarified, said the spokeswoman for Lotto
Brandenburg. ‘We are in the process of analysing that.’ The State Criminal Police Office and the State
Commissioner for Data Protection have also been informed.

According to Lotto Brandenburg, around 50,000 Internet customers have been informed about the cyber-attack. If
you have already filled out a ticket online, you can take part in the drawing of the lottery numbers as usual.
However, most lottery players place their bets in the shops.

Lotto Schleswig-Holstein temporarily blocked access to its own website at the turn of the year due to suspected
hacking. A spokesman said on Monday [02/01/2022] that there were a striking number of automated log-in
attempts between Christmas and New Year's Eve. The area was therefore closed as a preventive measure from
New Year's Eve until Monday noon. Lotto Rheinland-Pfalz had also temporarily blocked access to its own website
due to conspicuous unauthorized access attempts. According to information from Monday, there were also
problems in Berlin and Saxony-Anhalt.” 9

The numerical distribution of tweets containing “Deutsche Lotterie” is shown below. 10

8 [Link]
9 Translated from [Link] [Link]?wt_mc=[Link]
10 Source: OpenCSAM

3. [DE] GERMAN CITY OF POTSDAM OFFLINE FOR SEVERAL DAYS DUE TO CYBER ATTACK

FOR INFORMATION
CATEGORY: Cyber-attack
TYPE: Credential stuffing attack
SECTOR(S): Public administration/Government

“Potsdam is the capital and, with around 183,000 inhabitants, largest city of the German state of Brandenburg. It is part of
the Berlin/Brandenburg Metropolitan Region.” 11

“The municipal systems of the German city of Potsdam have been offline for several days due to a cyber-attack,
which has all kinds of consequences for residents. On December 29, the city government received a warning from
security authorities that there was a serious threat to the city's systems: there would be an imminent attack on the
environment and data of the municipality.

Subsequently, as a precaution, the internet connection and systems of the municipal apparatus were taken offline,
and a security investigation was initiated. In addition to the security authorities' warning, the capital of the German
state of Brandenburg discovered that it had been targeted by a brute force attack on December 29. If the German
city's systems pass security screenings, they will gradually come back online this week. Officials from the state
capital are still not reachable by e-mail and the internet connection will also remain offline for the time being.

The services of the state capital are therefore only available to a limited extent. For example, it is currently not
possible to register and deregister vehicles, order an emergency passport and issue a statement of conduct. The
document counter of the registry office, citizen portals and the municipal information system are also currently
unavailable. It is also not possible to report matters such as child abuse by e-mail. In these cases, residents are
asked to report this by telephone or fax.” 12

The numerical distribution of tweets containing, “Potsdam cyber” is shown below. 13
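Both the lottery incident (a “striking number of automated log-in attempts” over the holidays, with customer accounts as the target) and the Potsdam incident (a brute-force attack on December 29) begin with the same observable: a burst of failed log-ins in the authentication log. The detector below is an added example written for this report, not code from ENISA or from any of the affected organisations. It assumes a minimal log format (timestamp, source IP, username, outcome), a five-minute sliding window and a threshold of ten failures, all of which are assumptions, and it runs over constructed sample lines. It separates the two patterns seen in these incidents: credential stuffing spreads failures over many different accounts (one leaked credential pair tried per account), while brute force hammers one account. It also lists any account that logged in successfully from the same source inside the burst, because that is the account that needs to be reviewed for takeover.

```python
"""Detect automated log-in attempts (credential stuffing / brute force) in a
web application's authentication log.

Added example; the log format and the thresholds are assumptions and the
sample lines are constructed, not taken from any system described in the report."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the assumed format:
#   <ISO timestamp> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_AUTH_LOG = """\
2022-12-31T23:58:01Z 203.0.113.7 anna.mueller LOGIN_FAIL
2022-12-31T23:58:02Z 203.0.113.7 b.schmidt LOGIN_FAIL
2022-12-31T23:58:02Z 203.0.113.7 c.weber LOGIN_FAIL
2022-12-31T23:58:03Z 203.0.113.7 d.fischer LOGIN_OK
2022-12-31T23:58:03Z 203.0.113.7 e.meyer LOGIN_FAIL
2022-12-31T23:58:04Z 203.0.113.7 f.wagner LOGIN_FAIL
2022-12-31T23:58:04Z 203.0.113.7 g.becker LOGIN_FAIL
2022-12-31T23:58:05Z 203.0.113.7 h.schulz LOGIN_FAIL
2022-12-31T23:58:05Z 203.0.113.7 i.hoffmann LOGIN_FAIL
2022-12-31T23:58:06Z 203.0.113.7 j.koch LOGIN_FAIL
2022-12-31T23:58:06Z 203.0.113.7 k.richter LOGIN_FAIL
2022-12-31T23:59:10Z 198.51.100.20 admin LOGIN_FAIL
2022-12-31T23:59:11Z 198.51.100.20 admin LOGIN_FAIL
2022-12-31T23:59:12Z 198.51.100.20 admin LOGIN_FAIL
2022-12-31T23:59:13Z 198.51.100.20 admin LOGIN_FAIL
2022-12-31T23:59:14Z 198.51.100.20 admin LOGIN_FAIL
2022-12-31T23:59:15Z 198.51.100.20 admin LOGIN_FAIL
2022-12-31T23:59:16Z 198.51.100.20 admin LOGIN_FAIL
2022-12-31T23:59:17Z 198.51.100.20 admin LOGIN_FAIL
2022-12-31T23:59:18Z 198.51.100.20 admin LOGIN_FAIL
2022-12-31T23:59:19Z 198.51.100.20 admin LOGIN_FAIL
2023-01-01T00:05:00Z 192.0.2.44 anna.mueller LOGIN_FAIL
2023-01-01T00:05:30Z 192.0.2.44 anna.mueller LOGIN_OK
"""

WINDOW = timedelta(minutes=5)  # sliding window per source IP (assumption)
MAX_FAILURES = 10              # failures inside the window that raise an alert (assumption)


def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect_automated_logins(log_text, window=WINDOW, max_failures=MAX_FAILURES):
    """Return one finding per source IP whose failed log-ins within `window`
    reach `max_failures`. 'credential_stuffing' means the failures are spread
    over many accounts (more distinct users than half the failures);
    'brute_force' means they concentrate on one or a few accounts."""
    failures = defaultdict(list)   # ip -> [(timestamp, user), ...] for LOGIN_FAIL
    successes = defaultdict(set)   # ip -> users that logged in successfully
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, user, outcome = parse_line(raw)
        if outcome == "LOGIN_FAIL":
            failures[ip].append((ts, user))
        else:
            successes[ip].add(user)

    findings = []
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it is within `window` of `end`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= max_failures:
                users = {u for _, u in fails[start:end + 1]}
                pattern = "credential_stuffing" if len(users) > count // 2 else "brute_force"
                findings.append({
                    "ip": ip,
                    "failures": count,
                    "distinct_users": len(users),
                    "pattern": pattern,
                    # accounts that also succeeded from this source: review for takeover
                    "succeeded_users": sorted(successes.get(ip, set())),
                })
                break  # one alert per source IP is enough
    return findings


if __name__ == "__main__":
    for finding in detect_automated_logins(SAMPLE_AUTH_LOG):
        print(finding)
```

In the constructed sample, the first source tries ten different accounts in a few seconds and one of them succeeds (the stuffing case, with one account flagged for review); the second hammers a single account (brute force); the third is an ordinary user who mistypes a password once and is not reported.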

4. [DE] HACKERS ATTACK THYSSENKRUPP'S MATERIALS DIVISION

FOR INFORMATION
CATEGORY: Cyber-attack
TYPE: Not enough information
SECTOR(S): Industrial

“ThyssenKrupp AG is a German industrial engineering and steel production multinational conglomerate. It is the result of
the 1999 merger of Thyssen AG and Krupp and has its operational headquarters in Duisburg and Essen.” 14

“The industrial group Thyssenkrupp is currently struggling with an attack by hackers. ‘Thyssenkrupp is currently the
target of a cyber-attack - presumably by organized crime,’ a company spokesman told SPIEGEL on request. The
‘Westdeutsche Allgemeine Zeitung’ had previously reported on the attack.

Parts of the international trading business with materials such as steel and the group headquarters are currently
affected. It can be ruled out at this point in time that other parts of Thyssenkrupp are affected by the cyber-attack.

11 [Link]
12 Translated from [Link] anval?channel=rss
13 Source: OpenCSAM
14 [Link]

The group also includes steelworks and naval shipbuilding, for example. Just a few days ago, Thyssenkrupp Marine
Systems christened two submarines for the Singapore Navy.

In the past fiscal year 2021/22, Materials Services was Thyssenkrupp's top-selling division with 16.4 billion euros.” 15

The numerical distribution of tweets containing, “Thyssenkrupp cyber” is shown below. 16

5. [FR] CYBERATTACK IN BERCY: THE NEW ONE-STOP SHOP FOR BUSINESSES TARGETED, TWO DAYS AFTER ITS LAUNCH

FOR INFORMATION
CATEGORY: Cyber-attack
TYPE: Malware
SECTOR(S): Public administration/Government

“Managed by the National Institute of Industrial Property, this tool has replaced since the new year the six networks of
business formalities centers, which previously existed in France. The one-stop shop for companies centralizes all
declarations of creation, modification, filing of documents and cessation of business.” 17

“Two days after its commissioning on January 1, the one-stop formalities office, intended to facilitate administrative
procedures for companies, was the victim of a cyberattack. Confirming information from Le Parisien, the Ministry
of Economy and Finance deplored on Sunday having suffered ‘a major computer attack’ on Tuesday, which
occurred despite ‘numerous security tests’. The virus had then created ‘10,000 modification requests’ per
second and led to a saturation of the site. Consequence: a paralysis, in part, of economic activity due to its inability
to register the requests of professionals. Since then, a solution has been found by the services of Bercy.

The incident occurred only forty-eight hours after the launch of this dematerialized counter, when the ministry had
received initial complaints denouncing technical bugs, such as the persistence of connection difficulties. ‘We may
be in degraded mode for a few days, but the changeover took place on time. We believe that the one-stop shop
will have its final face at the end of March,’ said Bruno Le Maire in a press release, in response to these criticisms.” 18

The numerical distribution of tweets containing, “Bercy cyberattaque” is shown below. 19

15 Translated from [Link] 558412aa981b#ref=rss
16 Source: OpenCSAM
17 Translated from [Link] lancement-4159677
18 Translated from [Link] lancement-4159677
19 Source: OpenCSAM


6. [IT] CYBER ATTACK ON THE ALESSANDRIA HOSPITAL; RAGNAR LOCKER CALL TO “REPLACE ALL IT STAFF”

FOR INFORMATION
CATEGORY: Cybercrime
TYPE: Ransomware
SECTOR(S): Healthcare/Medical

“The ‘SS. Antonio e Biagio e Cesare Arrigo’ is included in the Health System of the Piedmont Region and constitutes a
reference center for II and III level activities for the provinces of Asti and Alessandria, with a total reference population of
approximately 650,000 inhabitants.” 20

“We had recently reported that attacks on hospitals are on the increase and that even cyber policies are starting to
be complicated to quantify, when it comes to vital infrastructure for a country where people's lives are at risk. And
in fact, this time it is yet another Italian hospital that is hit.

It is the Hospital of Alessandria that is hit by the Ragnar Locker cyber gang. But unlike other cyber-attacks, the
criminals have not encrypted anything but report a catastrophic situation in the management of the hospital's IT
infrastructure.

This time, at least these cybercriminals had (as far as one can tell) a ‘peculiar ethics’, as they claimed the following:

‘Our team will never take measures that can put people's lives or health at risk. Our target is only companies,
who don't care about the privacy of the personal data they collect and store.’ But as we have often reported on
these pages, the ‘hospital’ situation is dramatic and something needs to be done, as the first incidents that see
human lives lost due to a ransomware attack are starting to show up.

Ragnar Locker also reports that ‘any security recommendations will be useless in this case. Our advice is to replace
the entire IT staff and have them proficiency tested and check them for budget waste as well.’ Furthermore, the
Gang also reports that the company did not even notice the violation, claiming that: ‘We asked some employees
about the incident during phone calls, but they replied that they had not seen any IT violations. Therefore, they
were asked to review the evidence in Live Chat, and we have repeatedly tried to clarify that hundreds of thousands
of personal data have been compromised due to their negligence.’

Below we report the entire post published by Ragnar Locker, which is interesting to read in its entirety, to understand
the state of IT security in Italian hospitals:

In this particular case we would like to say a few words.

First of all, we used the ‘zero file encryption’ policy, so nothing was encrypted in ‘AOAL's’ network. However, we
should say that we got full access, absolutely everywhere, to literally every virtual machine.

Also, not even 130 domain administrators were able to prevent about 1TB of data from leaking. If anyone else
were in this network, it would lead to dire consequences, all medical institutions could be paralyzed and that
would mean total collapse.

But our team will never take such measures, which can put people's lives or health at risk. Our target is only
companies, who don't care about the privacy of the personal data they collect and store.

Also, we have to say that any safety recommendations will be useless in this case. Our advice is to replace the
entire IT staff and have them proficiency tested and also check them for budget waste.

20 Translated from [Link]

Even after leaving the readme files, we were still able to see through the remote desktop, as administrators
simply read the notes we left without taking any action to secure the perimeter. They only tried to cover up the
incident, but the executive malpractice compensation, as usual, will be paid by their customers instead of the
assigned employees.

We also asked a few employees about the incident on phone calls, but they said they hadn't seen any violations.
Therefore, they were asked to review the evidence in Live Chat, and we have repeatedly tried to clarify that
hundreds of thousands of personal data has been compromised due to their negligence.

You can find in the link below some evidence: personal information of customers, medical records, financial
reports, departmental reports and more

The full volume of data will be released if the management of ‘AOAL’ keeps ignoring this issue and fails to get in
touch with our team.” 21

The numerical distribution of tweets containing, “Alessandria hospital cyber” and “Alessandria ospedale cyber” are
shown below. 22

7. [NL] DUTCH POLITICIAN GEERT WILDERS' PARTY FOR FREEDOM (PVV) WAS THE TARGET OF A CYBER ATTACK

FOR INFORMATION
CATEGORY: Cybersecurity, Cyber-attack
TYPE: DoS/DDoS/RDoS
SECTOR(S): Political organizations

“The Party for Freedom is a nationalist, right-wing populist political party in the Netherlands. Founded in 2006 as the
successor to Geert Wilders' one-man faction in the House of Representatives, it won nine seats in the 2006 general
election making it the fifth-largest party in parliament.” 23

“Most details about the 'massive' cyber-attack are currently missing. It is known that the PVV website was flooded
with large amounts of traffic from abroad on Tuesday [27/12/2022] around 11 pm. So much that the [Link] site was
unavailable for hours. This may indicate that someone has deliberately taken the site offline via a DDoS attack.

21 Translated from [Link] it/
22 Source: OpenCSAM
23 [Link]

A Distributed Denial of Service or DDoS attack (2) means that hackers try to paralyze a computer network or server
by flooding it with connection requests and data requests. Sooner or later the server becomes overloaded, with
the result that it does not respond, or responds very slowly, not even to legitimate visitors looking for information.

According to Wilders, most internet traffic to [Link] in the past 24 hours came from Israel, Russia, the United States,
Ukraine and the United Kingdom. The website was operational again around 4:30 this morning. It is unknown why
hackers would want to take down the PVV website.

The PVV is not the only Dutch political party whose site has been taken offline by hackers. At the beginning of
2021, the Labour Party (PvdA) and party member Kati Piri were targeted by hackers for several weeks (3). For two
weeks, the website of the party and the Member of Parliament were bombarded non-stop with DDoS attacks. To
ensure that the sites were accessible to Dutch people, all internet traffic from abroad was temporarily blocked.

‘It appears that this is an attack in response to my support for democrats in Turkey and my call for the release of
political prisoners such as Selahattin Demirtas and Osman Kavala,’ Piri wrote in response to the DDoS attack.

Party chairman Nelleke Vedelaar confirmed the suspicion and called the DDoS attacks 'worrying and very
annoying'. ‘The fact that we are probably the victims of election interference by Turkish hackers is worrying and
very annoying. It was precisely now that our website could not be visited by people outside the Netherlands, while
they can now vote.’

The then Minister of the Interior and Kingdom Relations Kajsa Ollongren said it was unacceptable that digital attacks
would influence the election process. ‘It is very important that all political parties can do their normal things in the
campaign and that there are no disruptions, even via the digital route. I have always been alert to the possibility of
foreign interference. This is one way that can happen. We have to act hard against that,’ said the minister.” 24

The numerical distribution of tweets containing “PVV DDoS” and “PVV cyber” is shown below. 25
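The quoted article gives both the mechanism of a DDoS (a flood of requests that overloads the server until legitimate visitors are no longer served) and the mitigation the PvdA chose in 2021 (temporarily blocking all traffic from abroad so that Dutch voters could still reach the site). The script below is an added example written for this report, not code from ENISA or from any party named in the article. It assumes a minimal access-log format (timestamp, client IP, status code), a constructed prefix-to-country table that stands in for a GeoIP database, and a rule that a second carrying more than five times the baseline request rate is part of a flood; all three are assumptions. It builds its own sample log (a quiet minute of domestic traffic followed by a flood from a few foreign addresses), reports the peak rate, the top sources and the foreign share of the flood, and derives the geoblocking decision from that share.

```python
"""Volumetric-flood detection on a web server access log, with the
geoblocking decision described in the quoted article.

Added example for this report; the log format, the prefix-to-country table,
the sample traffic and all thresholds are assumptions, not data from the incidents."""
from collections import Counter
from datetime import datetime
from statistics import median

# Assumed geolocation table keyed by /24 prefix; a real deployment would use a
# GeoIP database. Documentation ranges stand in for real addresses:
# 192.0.2.0/24 plays the domestic (NL) audience, the other two play "abroad".
PREFIX_COUNTRY = {"192.0.2": "NL", "203.0.113": "ZZ", "198.51.100": "ZZ"}


def country_of(ip):
    return PREFIX_COUNTRY.get(ip.rsplit(".", 1)[0], "??")


def build_sample_log():
    """Constructed access log in the assumed format '<ISO timestamp> <ip> <status>':
    one quiet minute of domestic traffic at 2 req/s, then 30 seconds in which
    eight foreign addresses push 40 req/s and the server starts answering 503."""
    lines = []
    for s in range(60):
        for k in (1, 2):
            lines.append(f"2022-12-27T22:59:{s:02d}Z 192.0.2.{(s + k) % 10 + 1} 200")
    for s in range(30):
        for n in range(40):
            lines.append(f"2022-12-27T23:00:{s:02d}Z 203.0.113.{n % 8 + 1} 503")
    return "\n".join(lines)


def parse(line):
    ts, ip, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, int(status)


def detect_flood(log_text, home_country="NL", baseline_seconds=60, factor=5):
    """Bucket requests per second. The first `baseline_seconds` of the log set
    the normal rate (median of those buckets); every later second whose count
    exceeds `factor` times that rate counts as flood. Returns None when no
    second crosses the threshold, otherwise a summary of the flood."""
    rows = [parse(line) for line in log_text.splitlines() if line.strip()]
    per_second = Counter(ts for ts, _, _ in rows)
    first = min(per_second)

    def in_baseline(t):
        return (t - first).total_seconds() < baseline_seconds

    baseline = median([c for t, c in per_second.items() if in_baseline(t)])
    flood_seconds = {t for t, c in per_second.items()
                     if not in_baseline(t) and c > factor * baseline}
    if not flood_seconds:
        return None
    # attribute the flood to its sources and to countries
    sources = Counter(ip for ts, ip, _ in rows if ts in flood_seconds)
    total = sum(sources.values())
    foreign = sum(c for ip, c in sources.items() if country_of(ip) != home_country)
    return {
        "baseline_rps": baseline,
        "peak_rps": max(per_second[t] for t in flood_seconds),
        "flood_seconds": len(flood_seconds),
        "top_sources": sources.most_common(3),
        "foreign_share": round(foreign / total, 2),
    }


def should_geoblock(summary, min_foreign_share=0.9):
    """Mitigation decision mirroring the PvdA response quoted above: when the
    flood is overwhelmingly foreign and the legitimate audience is domestic,
    temporarily blocking traffic from abroad restores service for that audience."""
    return summary is not None and summary["foreign_share"] >= min_foreign_share


if __name__ == "__main__":
    summary = detect_flood(build_sample_log())
    print(summary)
    print("geoblock foreign traffic:", should_geoblock(summary))
```

The foreign-share rule is deliberately the last step, not the first: the flood is established from the request rate alone, and the origin of the traffic only decides which mitigation is cheap. If the flood were largely domestic, or the audience international, geoblocking would cut off the very visitors the site exists for, and rate limiting per source would be the better answer.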

8. [NL] SYSTEMS OF THE NOVA COLLEGE EDUCATIONAL INSTITUTION PARTLY RECOVERED AFTER A CYBER ATTACK

FOR INFORMATION
CATEGORY: Cyber-attack
TYPE: Not enough information
SECTOR(S): Education/Academic

“The Nova College provides vocational education and secondary education as well as business courses for employees.
We are situated in the Amsterdam area (near Schiphol Airport). With our 1200 employees we provide courses for 12,500
students above the age of 16.” 26

“The systems of the Nova College educational institution have partly recovered from the cyber-attack that hit it
before the Christmas holidays. Because of the attack, it was decided to close the system to the outside world as a
precaution. As a result, the approximately 12,500 students and 1,200 employees of the educational institution had
no access to internal systems. For example, students could not request grades or timetables via the student portal.

24 Translated from [Link]
25 Source: OpenCSAM
26 [Link]


The investigation into the attack is still ongoing. A spokesperson could not tell the Financieele Dagblad what type
of attack it was. Via its own website, Nova College reports that students have been able to log in to the Nova
Portal again since last week and that the ICT system is partly available. Nova College has approximately 1200
employees and more than 12,500 students aged 16 and over. It has campuses in Beverwijk, Haarlem and
Haarlemmermeer and colleges in Hoofddorp, IJmuiden and Harlingen, among others.” 27

The numerical distribution of tweets containing, “Nova College” is shown below. 28

9. [PT, ES] FINANCIAL INSTITUTIONS IN PORTUGAL AND SPAIN TARGETED BY NEW RASPBERRY ROBIN MALWARE

FOR INFORMATION
CATEGORY: Cyber-attack
TYPE: Watering hole, Credential harvesting, Malware
SECTOR(S): Finance sector/Banking

“’Raspberry Robin’ is a worm [that] relies on [Link] to call out to its infrastructure, often compromised QNAP
devices, using HTTP requests that contain a victim’s user and device names.” 29

“Hackers are using a new version of the Raspberry Robin worm to target Spanish and Portuguese financial and
insurance institutions, according to research published by Security Joes on Monday. This worm acts as a loader
for other malware — it infects computers via compromised USB devices and then spreads to other devices on a
victim’s network. The researchers did not mention which financial institutions in Spain and Portugal had fallen victim
to Raspberry Robin and what damage their networks suffered. In one case, Raspberry Robin operators used social
engineering techniques to trick users into downloading a malicious 7-zip file from their browsers. This file contained
a Windows installer designed to drop multiple modules.

In the second case, hackers used a malicious advertisement campaign hosted on a domain with ‘a bad reputation.’
In this case, the malicious archive was stored in a Discord server to avoid detection and contained encoded
JavaScript code that, upon execution, dropped a downloader protected with at least five layers of obfuscation. The
new version of the malware is more complex than previous ones, according to Security Joes. It allows its operators
‘to collect much more data about their victims’, said threat researcher Charles Lomboni.

The malware was also updated with new anti-analysis capabilities. ‘It seems that developers were busy adding
protections to their code to avoid security tools and the curious eyes of malware analysts,’ the report found. Hackers
also added an encryption layer, so victim data is no longer available in plain text but is encrypted with the RC4
cipher. The original malware strain was discovered in September 2021 and spreads via infected USB drives. It has
already been used to target organizations in Hungary, Germany, Russia and India – including those with ties to
technology and manufacturing – as well as telecom and government services organizations across Latin America,
Australia and Europe.

In July this year, Microsoft tied Raspberry Robin to Russian cybercrime syndicate Evil Corp, which was sanctioned
by the U.S. Treasury Department in December 2019. Evil Corp is also known for its connections to multiple
ransomware groups, including Bitpaymer, DopplePaymer, WastedLocker and Clop. The Raspberry Robin worm is

27 Translated from [Link] yberaanval?channel=rss
28 Source: OpenCSAM
29 [Link]

part of a complex and interconnected malware ecosystem. In October alone, nearly 3,000 devices at almost 1,000
organizations received at least one Raspberry Robin payload-related alert, according to Microsoft.

‘While Raspberry Robin seemed to have no purpose when it was first discovered, it has evolved and is heading
towards providing a potentially devastating impact on environments where it’s still installed,’ according to a Microsoft
Security Threat Intelligence report in October. Researchers claim that Raspberry Robin will likely continue to
develop and lead to more malware distribution and cybercriminal activity. Security Joes urges other cybersecurity
teams to update their defence mechanisms with information about the latest version of Raspberry Robin.” 30

The numerical distribution of tweets containing, “Raspberry Robin” is shown below. 31

10. [PT] THE PORT OF LISBON, ATTACKED BY THE LOCKBIT RANSOMWARE GROUP

FOR INFORMATION
CATEGORY: Cybercrime | TYPE: Ransomware | SECTOR(S): Maritime sector

“The Port of Lisbon is the third-largest port in Portugal, mainly on the north sides of the Tagus's large natural harbour that
opens west, through a short strait, onto the Atlantic Ocean. Each part lies against central parts of the Portuguese capital
Lisbon. Due to its strategic site between Europe, Africa, and the Atlantic, it is one of the most accessed and used in
Europe.” 32

“The Port of Lisbon has disconnected its online services after having suffered a ransomware attack just on
Christmas Day. The incident has not affected its operational capacity, but users are still unable to access its main
website and there has been no activity since the attack.

After a few days, the LockBit group, linked to Russia, has claimed responsibility for the ransom attack. The
dangerous ransomware gang has set January 18 as the deadline to obtain payment. They ask for almost 1.5 million
dollars to download or delete the data obtained in their unauthorized intrusion.

LockBit added the port to its dark web leak website, where it often posts its catches. They threaten to make the
data they have stolen public if the institution does not respond to their financial request.

According to the ransomware group's post, the data they have obtained includes financial reports, company audits,
budgets, contracts, cargo, ship records, crew member information, customer personal data, and port
documentation, among other vital items from the Port of Lisbon.

The victim has deployed security protocols to mitigate the attack. In addition, it is collaborating with the National
Cybersecurity Center and the Judicial Police who are monitoring the situation.

The port administration is also working with the competent authorities to minimize damage and protect the port's
systems, security and data, according to Information Security Buzz.” 33

30 [Link]
31 Source: OpenCSAM
32 [Link]
33 [Link]

The numerical distribution of tweets containing, “Port of Lisbon cyber” is shown below. 34

11. [RO] DATABASE OF ROMANIAN HOSPITAL HELD FOR RANSOM BY HACKERS

FOR INFORMATION
CATEGORY: Cybercrime | TYPE: Ransomware | SECTOR(S): Healthcare/Medical

“The vision of the Management of the Recovery Hospital, St. Gheorghe, is to build the image of a prestigious hospital,
which will become the best provider of recovery medical services in the north-east of the country” 35

“The Saint Gheorghe Recovery Hospital in Botoşani, in north-eastern Romania, was the target of a ransomware
attack in December, and medical activity is still impacted. Hackers demanded 3 Bitcoin for the decryption of the
data on the servers.

The attack is similar to the one in the summer of 2019, when four other hospitals in Romania were targeted. The
hackers apparently got through by using a remote connection accessed by one of the maintenance companies.
The hackers entered the system and encrypted the December database. After that, they left a message, in
English, asking for a ransom of 3 Bitcoin, or approximately EUR 46,400.

The attack was complex, and neither computer scientists from DIICOT, nor a series of analysts from Romanian
antivirus company Bitdefender were able to decrypt the files, according to Monitorul de Botosani.

‘We have already notified the National Directorate of Cyber Security and DIICOT. An investigation has been
launched and we are waiting to see what happens. I cannot say more at the moment. It is certain that from
Monday we hope to resume medical activity at normal capacity,’ stated doctor Cătălin Dascălescu, the manager
of the Recovery Hospital.

With its database encrypted, the hospital cannot report the services performed in the last month of 2022. For this
reason, it cannot receive the money for these services. The Health Insurance House (CAS) representatives say,
however, that they are trying to find solutions so that the sanitary unit can pay salaries.” 36

The numerical distribution of tweets containing, “Romanian hospital ransom” is shown below. 37

34 Source: OpenCSAM
35 Translated from [Link]
36 [Link]
37 Source: OpenCSAM


Global
Incidents with a global impact to networks, systems, services and/or
population.

12. [GLOBAL] SLACK'S PRIVATE GITHUB CODE REPOSITORIES STOLEN OVER HOLIDAYS

FOR INFORMATION
CATEGORY: Poor security measures | TYPE: Exfiltration/Data leakage/Breach | SECTOR(S): Software supply chain

“Slack is an instant messaging program designed by Slack Technologies and owned by Salesforce. Although Slack was
developed for professional and organizational communications, it has also been adopted as a community platform.” 38

“Slack suffered a security incident over the holidays affecting some of its private GitHub code repositories. The
immensely popular Salesforce-owned IM app is used by an estimated 18 million users at workplaces and digital
communities around the world.

BleepingComputer has come across a security incident notice issued by Slack on December 31st, 2022. The
incident involves threat actors gaining access to Slack's externally hosted GitHub repositories via a ‘limited’ number
of Slack employee tokens that were stolen. While some of Slack's private code repositories were breached, Slack’s
primary codebase and customer data remain unaffected, according to the company. The wording from the notice
[1, 2] published on New Year’s Eve is as follows:

‘On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we
discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally
hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories
on December 27. No downloaded repositories contained customer data, means to access customer data, or Slack’s
primary codebase.’

Slack has since invalidated the stolen tokens and says it is investigating ‘potential impact’ to customers. At this
time, there is no indication that sensitive areas of Slack's environment, including production, were accessed. Out
of caution, however, the company has rotated the relevant secrets. ‘Based on currently available information, the
unauthorized access did not result from a vulnerability inherent to Slack. We will continue to investigate and monitor
for further exposure,’ states Slack's security team.” 39

According to Google Trends, the interest in the query, “slack breach” along with the interest by region is shown
below. 40

38 [Link]
39 [Link]
40 [Link]

The numerical distribution of tweets containing “slack breach” is shown below. 41

13. [GLOBAL] RANSOMWARE GROUP PLAY TARGETS NUMEROUS ENTITIES WORLDWIDE

FOR INFORMATION
CATEGORY: Cybercrime | TYPE: Ransomware | SECTOR(S): Retail/Commerce, Energy, Technological, Software Supply Chain
“Play ransomware (also known as PlayCrypt) is a new ransomware operation that launched in June 2022. The operation
has amassed a steady stream of victims across the world. Play has recently been in the news for attacking Argentina’s
Judiciary of Cordoba and the German hotel chain “H-Hotels”. Play’s attacks focus on organizations in the Latin American
region – Brazil being their primary target. They have also been observed deploying attacks on India, Hungary, Spain, and
the Netherlands.
Play is known for their big game hunting tactics, such as using Cobalt Strike for post-compromise and SystemBC RAT for
persistence.” 42

[AR/JP] Play Ransomware lists Argentina’s state-owned telecommunications company


ARSAT and Taiwanese chipmaker JMicron Technology
“Play Ransomware has posted a ransom warning on Empresa Argentina de Soluciones Satelitales Sociedad
Anónima, usually known simply as ARSAT, Argentina’s state-owned telecommunications company, along with
JMicron Technology, a Taiwanese integrated chip designing company.

Dark web researcher Dominic Alvieri tweeted the ransom note posted on the gang’s leak site. The post on 16
December gave a seven-day ultimatum for payment, with the threat to publish the data otherwise on 23 December.
The details of the data accessed were not disclosed.

ARSAT, owned by the Argentine Ministry of Federal Planning, Public Investment and Services (98%) and the
Ministry of Economy and Public Finances (2%), is the country’s telecom monopoly.

ARSAT currently controls major telecom and communication domains through the country wide digital terrestrial
television network TDA, Argentine geostationary communication satellite system SSGAT, and federal fibre optics
network RFFO.

The ransomware attack comes weeks after ARSAT signed an agreement with Paraguayan state-backed
telecommunication company Copaco for launching cross-border connectivity.

JMicron Technology is a Taiwanese manufacturer of integrated circuits, which produces controller chips for bridge
devices that connects multiple LANs together.

The Taiwanese semiconductor industry has been in the cybersecurity news since researchers found that China-
sponsored hackers compromised about seven chipmaker firms in a two-year campaign from 2018.

41 Source: OpenCSAM
42 [Link]

Researchers at Taiwanese cybersecurity firm CyCraft traced the attackers to mainland China and found links to
state-sponsored hacker group Winnti, which also operate under aliases Barium and Axiom.” 43

[CH] Play ransomware group threatens large Swiss hotel chain with data leak
“The H-Hotels group, which also operates hotels in Switzerland, has until December 27 to pay the ransom.
Otherwise, the cybercriminals want to publish sensitive guest data. Criminals attacked the German hotel chain H-
Hotels in mid-December. The gang responsible, called Play, is now threatening to publish the stolen data –
including copies of hotel guests’ ID cards – on the dark web on their website.

According to a statement, the hotel company's IT security officers noticed the attack on December 11th. The
systems were immediately shut down and disconnected from the Internet. At that time, it was still said that there
was ‘no evidence that cybercriminals were able to steal relevant or personal data’. A few days ago, however, Play
published an ultimatum for the hotel chain, which 'Bleeping Computer' reported on. They would have until
December 27th to pay the ransom, otherwise the stolen data would be made public.

They are working ‘closely and under high pressure with IT forensic scientists and the already informed data
protection authorities in order to keep the effects of the stolen data as low as possible,’ according to the latest
statement from H-Hotels on December 20th. It is currently unknown how high the ransom demand is.

H-Hotels operates 60 hotels at 50 locations in the DACH region, including 5 in Switzerland - in Zurich, Basel,
Solothurn, Engelberg and Locarno. The hotel chain currently employs 2,500 people. Ongoing hotel operations
and bookings in the hotels are guaranteed, but no e-mails can be answered due to the cyber-attack, according to
the message.” 44

[SE] Play ransomware claims to hack into an IT provider that specialises in the IT
environments for ships and adds customers as victims
“This time, it's Play's turn with another big supply chain attack

#Play team claims to hack into an IT provider (Sweden) that specializes in ships' IT environments and added the
customers as victims. I'm guessing they stole files or gained access to customer networks” 45

[US] Rackspace ransomware attack caused by a zero-day exploit


“Managed cloud hosting services company Rackspace Technology has confirmed that the massive Dec. 2
ransomware attack that disrupted email services for thousands of its small-to-midsized business customers came
via a zero-day exploit against a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server, aka
CVE-2022-41080.

‘We are now highly confident that the root cause in this case pertains to a zero-day exploit associated with CVE-
2022-41080,’ Karen O'Reilly-Smith, chief security officer for Rackspace, told Dark Reading in an email response.
‘Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part
of a remote code execution chain that was exploitable.’

CVE-2022-41080 is a bug that Microsoft patched in November.

An external advisor to Rackspace told Dark Reading that Rackspace had held off on applying the ProxyNotShell
patch amid concerns over reports that it caused ‘authentication errors’ that the company feared could take down
its Exchange Servers. Rackspace had previously implemented Microsoft's recommended mitigations for the
vulnerabilities, which Microsoft had deemed a way to thwart the attacks.

Rackspace hired CrowdStrike to help with its breach investigation, and the security firm shared its findings in a blog
post detailing how the Play ransomware group was employing a new technique to trigger the next-stage
ProxyNotShell RCE flaw known as CVE-2022-41082 using CVE-2022-41080. CrowdStrike's post did not name
Rackspace at the time, but the company's external advisor tells Dark Reading that the research about Play's
mitigation bypass method was the result of CrowdStrike's investigation into the attack on the hosting services
provider.

43 [Link]
44 [Link]
45 [Link]

Microsoft told Dark Reading last month that while the attack bypasses previously issued ProxyNotShell mitigations,
it does not bypass the actual patch itself.

‘Patching is the answer if you can do it,’ the external advisor says, noting that the company had seriously weighed
the risk of applying the patch at a time when the mitigations were said to be effective, and the patch came with risk
of taking down its servers. ‘They evaluated, considered and weighed [the risk] they knew about’ at that time, the
external advisor says. The company still hasn't applied the patch since the servers remain down.

A Rackspace spokesperson would not comment on whether Rackspace had paid the ransomware attackers.” 46

According to Google Trends, the interest in the query, “play ransomware” along with the interest by region is shown
below. 47

The numerical distribution of tweets containing, “Play ransomware” is shown below. 48

46 [Link]
47 [Link]
48 Source: OpenCSAM

14. [GLOBAL] GODFATHER BANKING TROJAN TARGETS FINTECH APPS AND CRYPTOCURRENCY
EXCHANGES

FOR INFORMATION
CATEGORY: Cybercrime | TYPE: Trojan, Malware | SECTOR(S): Finance sector/Banking

“The Godfather is designed to allow hackers to harvest login credentials for online banking and other financial services so
they can drain the accounts of victims. It has been in widespread use since October, says a report from security vendor
Group-IB.” 49

“UK financial institutions are among 400 victims of a banking trojan known as the Godfather, new research has
revealed. The victims have all been targeted over the last three months and comprise banking apps and
cryptocurrency wallets and exchanges.

[…]

The victims of the new banking trojan are spread across the globe. 17 of those targeted are in the UK, 49 are in
the United States, 31 were found in Turkey and 30 in Spain. The rest of the victims are in Canada, France, Germany,
Italy and Poland, according to the Group-IB report.

Former Soviet countries have been so far absent in the list of victims of the Godfather, through a line in the code.
‘If the potential victim’s system preferences include one of the languages in that region, the Trojan shuts down,’
reads the report. This is a popular technique of Russian ransomware gangs who wish to only target citizens of
Western countries, indicating the creators of the trojan may be Russian.” 50

The numerical distribution of tweets containing, “Godfather banking trojan” is shown below. 51

15. [GLOBAL] TOYOTA, MERCEDES, BMW API FLAWS EXPOSED OWNERS’ PERSONAL INFO
[WARNING]

FOR INFORMATION
CATEGORY: Poor security measures | TYPE: Exfiltration/Data leakage/Breach, Warning | SECTOR(S): Transportation sector, Retail/Commerce
“A foundational element of innovation in today’s app-driven world is the API. From banks, retail and transportation to IoT,
autonomous vehicles and smart cities, APIs are a critical part of modern mobile, SaaS and web applications and can be
found in customer-facing, partner-facing and internal applications. By nature, APIs expose application logic and sensitive
data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for
attackers.” 52

“Almost twenty car manufacturers and services contained API security vulnerabilities that could have allowed
hackers to perform malicious activity, ranging from unlocking, starting, and tracking cars to exposing customers'
personal information.

49 [Link]
50 [Link]
51 Source: OpenCSAM
52 [Link]


The security flaws impacted well-known brands, including BMW, Rolls-Royce, Mercedes-Benz, Ferrari, Porsche,
Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota, and Genesis. The vulnerabilities
also affected vehicle technology brands Spireon and Reviver and streaming service SiriusXM.

The discovery of these API flaws comes from a team of researchers led by Sam Curry, who previously disclosed
Hyundai, Genesis, Honda, Acura, Nissan, Infiniti, and SiriusXM security issues in November 2022. While Curry's
previous disclosure explained how hackers could use these flaws to unlock and start cars, now that a 90-day
vulnerability disclosure period has passed since reporting these issues, the team has published a more detailed
blog post about the API vulnerabilities.

The impacted vendors have fixed all issues presented in this report, so they are not exploitable now. The most
severe API flaws were found in BMW and Mercedes-Benz, which were affected by company-wide SSO (single-
sign-on) vulnerabilities that enabled attackers to access internal systems.

For Mercedes-Benz, the analysts could access multiple private GitHub instances, internal chat channels on
Mattermost, servers, Jenkins and AWS instances, XENTRY systems that connect to customer cars, and more. For
BMW, the researchers could access internal dealer portals, query VINs for any car, and retrieve sales documents
containing sensitive owner details. Additionally, they could leverage the SSO flaws to log in as any employee or
dealer and access applications reserved for internal use.

Exploiting other API flaws allowed the researchers to access PII (personally identifiable information) for owners of
KIA, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls-Royce, Ferrari, Ford, Porsche,
and Toyota cars. In the cases of ultra-expensive cars, disclosing owner information is particularly dangerous as, in
some cases, the data includes sales information, physical location, and customer addresses.

Ferrari suffered from poorly implemented SSO on its CMS, exposing backend API routes and making it possible to
extract credentials from JavaScript snippets. An attacker could exploit these flaws to access, modify, or delete any
Ferrari customer account, manage their vehicle profile, or set themselves as car owners.” 53
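The Ferrari finding above rests on two recurring mistakes: client-side code that reveals backend API routes, and credentials shipped inside JavaScript bundles. The helper below is an added example written for this report, not code from the researchers, ENISA or any vendor. It takes the text of a front-end bundle and lists the API routes it references and any credential-looking literals it carries, redacting the values for the report. The bundle it runs on is constructed, the key and token strings are placeholders, and the regular expressions are heuristics chosen for this illustration.

```python
"""Recon helper for the credential-in-JavaScript problem described above.

Added example, not code from the researchers or any vendor. Given the text of
a front-end bundle, it lists backend API routes referenced from the client and
any credential-looking literals shipped with it. The sample bundle below is
constructed; the key and token values are placeholders.
"""
import re

# Relative "/api/..." paths or absolute URLs containing "/api/", inside string literals.
ROUTE_RE = re.compile(r"""["'`]((?:https?://[^\s"'`]+)?/api/[A-Za-z0-9_\-./{}]*)["'`]""")
# Credential-looking assignments: a sensitive key name, ':' or '=', then a quoted value.
SECRET_RE = re.compile(
    r"""\b(api[_-]?key|client[_-]?secret|secret|token|password)\b\s*[:=]\s*["']([^"']{8,})["']""",
    re.IGNORECASE,
)
# Bearer tokens embedded in header literals.
BEARER_RE = re.compile(r"Bearer\s+([A-Za-z0-9\-_.=]{16,})")


def redact(value):
    """Keep enough of a secret to recognise it in a report without reproducing it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def extract_routes(js):
    """Unique API routes referenced by the bundle, sorted for stable output."""
    return sorted({m.group(1) for m in ROUTE_RE.finditer(js)})


def extract_credentials(js):
    """Credential-looking literals as (name, redacted value), deduplicated."""
    found = {}
    for m in SECRET_RE.finditer(js):
        found[(m.group(1).lower(), m.group(2))] = redact(m.group(2))
    for m in BEARER_RE.finditer(js):
        found[("bearer", m.group(1))] = redact(m.group(1))
    return [(name, masked) for (name, _), masked in sorted(found.items())]


# Constructed bundle fragment; every value is a placeholder, not a real credential.
SAMPLE_JS = r'''
// constructed snippet resembling a CMS front-end bundle; values are placeholders
const cfg = { apiKey: "AKIACONSTRUCTEDKEY00000000", baseUrl: "https://cms.example.test/api/v1" };
fetch("/api/v1/customers/{id}/vehicles", {
  headers: { Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.constructed.signature0001" },
});
const client_secret = 'constructed-client-secret-123';
export default cfg;
'''

if __name__ == "__main__":
    print("routes:", extract_routes(SAMPLE_JS))
    print("credentials:", extract_credentials(SAMPLE_JS))
```

Anything this helper reports is, by definition, already in the hands of every visitor: a route list tells an attacker where to probe for missing server-side authorization, and a shipped key or client secret removes the need to bypass SSO at all. The fix is on the server side (secrets stay behind an authenticated backend, and every route checks the caller's ownership of the record), which is also why regex output like this is a starting point for review rather than a verdict.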

The numerical distribution of tweets containing, “vehicle vulnerabilities” is shown below. 54

According to Google Trends, the interest in the query, “vehicle API” along with the interest by region are shown
below. 55

53 [Link]
54 Source: OpenCSAM
55 [Link]


Mid
Networks, systems, services considered important for the operational objectives within the scope of the EU digital
single market and the NISD sectors, but their control and assurance rely on non-EU institutional or MS public or
private authorities. Affected population in geographical areas in proximity to EU borders.

16. [MD] MOLDOVAʼS GOVERNMENT HIT BY FLOOD OF PHISHING ATTACKS

FOR INFORMATION
CATEGORY: Cyber-attack | TYPE: Spear phishing/Phishing | SECTOR(S): Public administration/Government

“Phishing is when attackers attempt to trick users into doing 'the wrong thing', such as clicking a bad link that will
download malware or direct them to a dodgy website.” 56

“Moldova’s government institutions have been hit by a wave of phishing attacks — the latest cyber assault on the
country since it pledged support for Ukraine in its defence against Russia.

Hackers have sent more than 1,330 emails to accounts belonging to the country’s state services, Moldova’s
cybersecurity regulator announced on Thursday. In one campaign, emails contained a message about the alleged
expiration of the .md government domain and instructed users to follow a malicious link leading to a fake payment
page to renew it.

The phishing emails were sent on behalf of the website hosting company Alexhost, according to email samples
published on the Moldovan Information Technology and Cyber Security Service (STISC) website.

The company warned its users about the phishing campaign on Monday. ‘Someone is using the name of our
company without any consent,’ the statement said. ‘Alexhost takes this seriously and will act.’

Following the phishing incidents, the company said it would start asking its customers to check invoices before
making any payments.

Moldova’s cybersecurity regulator did not disclose whether the phishing campaigns were successful and how many
state institutions were affected. It is also not clear who is behind these attacks and if the perpetrators were nation-
state hackers or unaffiliated ransomware gangs. The regulator did not respond to The Record’s request for
comment.

Over the past year, Moldova has witnessed a sharp increase in cyberattacks, likely in connection to the country’s
support of Ukraine during the war with Russia.

In November, a newly registered website called Moldova Leaks released private Telegram conversations
purportedly involving prominent Moldovan political figures, sparking a political scandal.

The Moldovan president’s office claimed the content of the conversations was fake, but the leak indicates the
probable interference of Russian hackers and intelligence services in the country’s internal politics.

In October, hackers targeted 80 Moldovan state computer systems with distributed denial-of-service (DDoS)
attacks, though with limited success, according to STISC.

Earlier in August, the pro-Russian hacker group Killnet announced a week-long hacking campaign against Moldova.
Before that, Killnet announced cyberattacks on other countries supporting Ukraine in the war with Russia.

From the first days of the war, Moldova condemned Russia’s invasion of Ukraine and has provided shelter for
Ukrainian refugees. More than 645,000 Ukrainians have fled to Moldova as of December 12.” 57

The numerical distribution of tweets containing, “Moldova phishing” is shown below. 58

56 [Link]
57 [Link]
58 Source: OpenCSAM


17. [UA] CYBER ATTACK ON DELTA SYSTEM USERS USING ROMCOM/FATEGRAB/STEALDEAL MALWARE

FOR INFORMATION
CATEGORY: Espionage | TYPE: Exfiltration/Data leakage/Breach, Malware | SECTOR(S): Military

“Ukraine unveiled the Delta situational awareness system to NATO. It provides the military with various data about the
enemy and helps to coordinate forces on the battlefield.” 59

“On December 17, 2022, the Government Computer Emergency Response Team of Ukraine CERT-UA received
information from the Center for Innovations and Development of Defence Technologies of the Ministry of Defence
of Ukraine regarding distribution by means of e-mail (using a compromised e-mail address of one of the
employees of the Ministry of Defence), as well as messengers, a message about the need to update certificates
in the ‘DELTA’ system. At the same time, the attachments in the form of PDF documents imitate legitimate
digests of the ISTAR division of the ‘Zaporizhia’ OUV but contain a link to a malicious ZIP archive.

If you click on the link, the ‘certificates_rootca.zip’ archive containing the ‘certificates_rootCA.exe’ executable file
protected by VMProtect will be downloaded to your computer (the file was compiled and digitally signed on
12/15/2022).

After running the EXE file, several DLL files, also protected by VMProtect, and an ‘[Link]’ file simulating the
certificate installation process will be created on the PC. Subsequently, on the victim's computer, the RomCom
malware will be launched (it registers as a COM server instead of [Link]), which, in turn, will execute two
malicious programs: FateGrab (‘[Link]’; ‘ftp_file_graber.dll ‘), the functionality of which involves stealing files
with the following extensions: '.txt', '.rtf', '.xls', '.xlsx', '.ods', '.cmd', '.pdf', '.vbs' , '.ps1', '.one', '.kdb', '.kdbx', '.doc',
'.docx', '.odt', '.eml', '.msg', '.email' with their subsequent exfiltration using FTP, and StealDeal (‘[Link]’;
‘[Link]’), designed, among other things, to obtain and save data of Internet browsers in the corresponding
files, which will then be exfiltrated using RomCom using HTTPS protocol.

The activity is tracked under UAC-0142 but has similarities to threat cluster UAC-0132 (CERT-UA#5509).” 60
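The CERT-UA description above gives a defender three observable traits to pivot on: a process tree rooted at the lure ‘certificates_rootCA.exe’, bulk reads of the document types FateGrab collects, and outbound FTP (FateGrab) or HTTPS (RomCom) connections from that tree. The script below is an added hunting example written for this report, not CERT-UA's or ENISA's code. It walks constructed endpoint telemetry in an assumed, simplified schema (process starts, file reads, network connections with the field names shown) and emits findings only for activity inside the lure's process tree; the threshold of five targeted files, the sample process names and the IP addresses are all assumptions for the illustration.

```python
"""Hunting helper for the RomCom/FateGrab chain described by CERT-UA above.

Added example; not CERT-UA code. It walks constructed endpoint telemetry
(process starts, file reads, network connections) and flags the behaviour the
report describes: a process tree rooted at the lure 'certificates_rootCA.exe'
that reads many documents of the FateGrab-targeted types and then opens
FTP (FateGrab) or HTTPS (RomCom) connections. Event field names are an
assumed, simplified schema, not a real EDR format.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions CERT-UA reports FateGrab collecting before FTP exfiltration.
FATEGRAB_EXTENSIONS = {
    ".txt", ".rtf", ".xls", ".xlsx", ".ods", ".cmd", ".pdf", ".vbs", ".ps1",
    ".one", ".kdb", ".kdbx", ".doc", ".docx", ".odt", ".eml", ".msg", ".email",
}
LURE_IMAGE = "certificates_rootca.exe"  # dropper name from the report, matched case-insensitively
MIN_TARGETED_FILES = 5                  # assumption: threshold before flagging bulk document access


def lure_process_tree(events):
    """PIDs of the lure executable and every process it spawned, directly or indirectly."""
    children = defaultdict(list)
    roots = set()
    for e in events:
        if e["type"] != "process_start":
            continue
        children[e["ppid"]].append(e["pid"])
        if PureWindowsPath(e["image"]).name.lower() == LURE_IMAGE:
            roots.add(e["pid"])
    tree, stack = set(), list(roots)
    while stack:
        pid = stack.pop()
        if pid not in tree:
            tree.add(pid)
            stack.extend(children[pid])
    return tree


def hunt(events):
    """Return (pid, reason) findings for activity inside the lure's process tree."""
    tree = lure_process_tree(events)
    findings, reads = [], defaultdict(int)
    for e in events:
        if e["pid"] not in tree:
            continue  # activity outside the lure's tree is out of scope for this rule
        if e["type"] == "file_read":
            if PureWindowsPath(e["path"]).suffix.lower() in FATEGRAB_EXTENSIONS:
                reads[e["pid"]] += 1
        elif e["type"] == "net_connect":
            if e["dest_port"] == 21:
                findings.append((e["pid"], f"FTP connection to {e['dest']} (FateGrab exfiltration pattern)"))
            elif e["dest_port"] == 443:
                findings.append((e["pid"], f"HTTPS connection to {e['dest']} (RomCom exfiltration pattern)"))
    for pid, n in sorted(reads.items()):
        if n >= MIN_TARGETED_FILES:
            findings.append((pid, f"read {n} files with FateGrab-targeted extensions"))
    return findings


# Constructed telemetry: a lure run (pid 100) spawning a loader (pid 200) that reads
# documents and talks FTP; an unrelated process (pid 300) also uses FTP and must not fire.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 100, "ppid": 1, "image": r"C:\Users\u\Downloads\certificates_rootCA.exe"},
    {"type": "process_start", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe"},
    {"type": "process_start", "pid": 300, "ppid": 1, "image": r"C:\Program Files\FileZilla\filezilla.exe"},
] + [
    {"type": "file_read", "pid": 200, "path": rf"C:\Users\u\Documents\file{i}{ext}"}
    for i, ext in enumerate([".docx", ".xlsx", ".pdf", ".kdbx", ".eml", ".one"])
] + [
    {"type": "net_connect", "pid": 200, "dest": "198.51.100.7", "dest_port": 21},
    {"type": "net_connect", "pid": 200, "dest": "203.0.113.9", "dest_port": 443},
    {"type": "net_connect", "pid": 300, "dest": "192.0.2.5", "dest_port": 21},
]

if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE_EVENTS):
        print(pid, reason)
```

Scoping the rule to the lure's process tree is what keeps it usable: plain FTP and HTTPS traffic are common enough that alerting on either alone would drown the finding, whereas the combination of a known lure name, bulk reads of exactly the extensions CERT-UA lists, and an outbound channel from the same tree is specific to this chain. The lure name is the weakest of the three signals, since the attacker can rename the file at will; in production the root condition would be widened to, for example, any VMProtect-packed executable launched from a download directory.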

The numerical distribution of tweets containing, “Delta malware” is shown below. 61

59 [Link]
60 [Link]
61 Source: OpenCSAM


18. [UK] THE GUARDIAN RANSOMWARE ATTACK HITS WEEK TWO AS STAFF TOLD TO WORK
FROM HOME

FOR INFORMATION
CATEGORY: Cyber-attack | TYPE: Not enough information | SECTOR(S): Media sector/Entertainment industry

“The Guardian is a British daily newspaper. It was founded in 1821 as The Manchester Guardian and changed its name in
1959. Along with its sister papers The Observer and The Guardian Weekly, The Guardian is part of the Guardian Media
Group, owned by the Scott Trust.” 62

“Long-standing British newspaper The Guardian has told staff to continue working from home and notified the
UK's data privacy watchdog about the security breach following a suspected ransomware attack before
Christmas.

The publication broke the news about the ‘serious IT incident’ on its systems on December 21, and said the
attack affected parts of the company's technology infrastructure. At the time, it told staff to work from home.
‘We believe this to be a ransomware attack but are continuing to consider all possibilities,’ The Guardian Media
Group Chief Executive Anna Bateson and Editor-in-Chief Katharine Viner told staff last month.

Since then, the newspaper has notified Britain's Information Commissioner's Office (ICO) about the breach.
‘Guardian News and Media has made us aware of an incident and we are making enquiries,’ an ICO
spokesperson told The Register.

According to the ICO's rules, organizations must notify the government agency within 72 hours of discovering a
ransomware attack. Also, this week, The Guardian confirmed that most of its staff in the UK, US and Australia will
continue working from home until at least January 23.

‘As we previously announced, the Guardian's systems have been subject to a serious network disruption,’ a
spokesperson told The Register. ‘We have been able to keep publishing our journalism digitally and in print, but a
number of key IT systems have been affected. The work to restore our systems fully is ongoing and will take
some weeks. We have asked most staff to work from home for the next three weeks to allow our technical teams
to focus on essential technical work.’” 63

The numerical distribution of tweets containing, “Guardian cyber-attack” is shown below. 64

62 [Link]
63 [Link]
64 Source: OpenCSAM


Far
Networks, systems and services whose compromise would prove critical for the operational objectives within the
scope of the EU digital single market and the NISD sectors. Control and assurance of those networks and systems
lies beyond EU institutional or MS public or private authorities. Affected population in geographical areas far from
the EU borders.

19. [MY] 250,248 UNIFI MOBILE CUSTOMERS AFFECTED BY DATA BREACH, SAYS TELEKOM
MALAYSIA BHD

FOR INFORMATION
CATEGORY: Cybersecurity | TYPE: Exfiltration/Data leakage/Breach | SECTOR(S): Telecommunications

“Telekom Malaysia Berhad (TM) is a Malaysian telecommunications company founded in 1984. Beginning as the national
telecommunications company for fixed line, radio and television broadcasting services, it has evolved to become the
country's largest provider of broadband services, data, fixed line, pay television and network services.” 65

“Telekom Malaysia Bhd (TM) says 250,248 Unifi Mobile customers have been affected by a data breach on Dec
28. They comprised both Unifi Mobile's individual customers as well as small and medium enterprises (SMEs).

The telco said the type of breached data involved customer names, phone numbers and emails. No other
information was breached. ‘TM confirms that the breach has been contained and has taken steps to minimise the
potential impact to these 250,248 customers.

‘The specific customers affected have been notified. Customers who have not received any notification are not
impacted. TM has also reported this matter to the relevant authorities (National Cyber Coordination and
Command Centre, Department of Privacy and Data Protection and the Malaysian Communications and
Multimedia Commission),’ it said in a statement today.

TM said while additional security measures had been put in place to isolate the risk and protect customers, they
did not experience any service disruptions in this regard. TM said it was closely monitoring the situation and was
conducting additional assessments. ‘We advise customers to take extra precautions when receiving
communications from unknown parties, as well as to secure their online information at all times. The privacy and
security of TM's customers remain our highest priority and we take such matters seriously.’

‘We will continue to strengthen and ensure our data security framework, policies, systems and processes are
continuously benchmarked against Bank Negara Malaysia's Risk Management in Technology standard and
ISO27001, as well as other global standards to prevent such occurrences,’ it said.” 66

The numerical distribution of tweets containing, “telekom malaysia breach” is shown below. 67

65 [Link]
66 [Link]
67 Source: OpenCSAM

20. [NK] LAZARUS APT USES PHISHING DOMAINS TO TARGET NFT INVESTORS

CATEGORY     TYPE                                       SECTOR(S)
Cybercrime   Miner/Crypto, Spear phishing/Phishing      Finance sector/Banking

FOR INFORMATION

“Lazarus Group is a cybercrime group made up of an unknown number of individuals run by the government of North
Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them
between 2010 and 2021.” 68

“The North Korea-based Lazarus threat actor group has been linked with a massive phishing campaign targeting
NFT investors. The phishing campaign, which has been active for the last seven months, is only the tip of the iceberg,
according to researchers.

It was found that the attackers set up nearly 500 decoy sites with malicious Mints. These sites impersonate well-
known NFT marketplaces such as OpenSea, X2Y2, and Rarible to dupe victims. Besides, one of these sites
pretends to be a project associated with the World Cup. During the early stage of the campaign, the APT
monitored and recorded user data via a domain name ‘thedoodles[.]site.’

The attack begins by sending out spam emails laden with links to legitimate-looking phishing pages that look
legitimate. Once an investor clicks on the link, they are taken to a fake site that has the same branding and even
the same layout. The site asks for personal information and investment details from victims, which are later
transferred to the attackers. This enables the Lazarus group to achieve complete access to victims’ assets,
including their approve records and sigData.

Morphisec Labs observed a new wave of NFT-001 attacks a couple of months ago that delivered Remcos RAT in
the first stage and Eternity Stealer in the second stage. The campaign was designed primarily to target users in
crypto and NFT communities on Discord and other forums. In another incident, the hackers dropped malicious
NFTs pretending to be Phantom security updates to target Solana cryptocurrency owners. The ultimate purpose
of the attackers was to steal funds from users. In July, crooks stole 314 NFTs and $375,000 worth of crypto
assets in one of the biggest hacks ever by hacking the popular Premint NFT.

As researchers continue to monitor Lazarus' activities, it is advised that NFT users should strengthen their
understanding of cybersecurity and enhance their ability to detect phishing attacks.” 69
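The campaign described above rests on decoy sites that borrow a marketplace's name or a close misspelling of it. The following is an added example, not part of the ENISA report or the cited article, showing a defender-side triage check: it refangs indicators written in the report's `[.]` notation, matches them against indicators already reported, and flags hostnames that embed or typosquat the marketplace brands the article names. The legitimate domains `opensea.io`, `x2y2.io` and `rarible.com` are assumptions, and every sample hostname except `thedoodles[.]site` (which the article reports) is constructed for illustration.

```python
"""Triage of candidate phishing hostnames against NFT marketplace brands.

Added example, not part of the ENISA report. The brand-to-domain map is an
assumption for illustration; only thedoodles[.]site comes from the report.
"""
import re

# Assumed legitimate domains for the brands the article says were impersonated.
KNOWN_BRANDS = {
    "opensea": "opensea.io",
    "x2y2": "x2y2.io",
    "rarible": "rarible.com",
}

# Indicators already published in reporting (here: the one the article names).
REPORTED_INDICATORS = {"thedoodles.site"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'thedoodles[.]site' or 'hxxps://...' into a bare hostname."""
    host = indicator.strip().lower()
    host = host.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    host = re.sub(r"^hxxps?://", "", host)
    return host.split("/")[0]


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'opensea-mint' from 'claim.opensea-mint.xyz'.
    Naive split on dots; public-suffix handling is deliberately out of scope."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats such as 0pensea."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator: str) -> dict:
    """Return a verdict for one indicator: reported, legitimate, lookalike or unknown."""
    host = refang(indicator)
    label = registrable_label(host)
    if host in REPORTED_INDICATORS:
        return {"host": host, "verdict": "reported", "brand": None, "reason": "known indicator"}
    for brand, legit in KNOWN_BRANDS.items():
        if host == legit or host.endswith("." + legit):
            return {"host": host, "verdict": "legitimate", "brand": brand, "reason": "registered domain"}
    for brand in KNOWN_BRANDS:
        if brand in label:
            return {"host": host, "verdict": "lookalike", "brand": brand, "reason": "brand embedded"}
        if edit_distance(label, brand) <= 1:
            return {"host": host, "verdict": "lookalike", "brand": brand, "reason": "typosquat"}
    return {"host": host, "verdict": "unknown", "brand": None, "reason": "no brand match"}


def triage(indicators) -> dict:
    """Count verdicts over a batch, the shape a SOC would feed into a blocklist review."""
    counts = {"reported": 0, "legitimate": 0, "lookalike": 0, "unknown": 0}
    for ind in indicators:
        counts[classify(ind)["verdict"]] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample batch; only thedoodles[.]site is from the report.
    sample = ["thedoodles[.]site", "opensea-mint[.]xyz", "hxxps://0pensea.io/claim",
              "app.rarible.com", "x2y2-claim[.]net", "example.org"]
    for ind in sample:
        print(classify(ind))
    print(triage(sample))
```

The heuristic intentionally returns `unknown` for a decoy that carries no brand string at all; that is why the reported-indicator lookup runs first and why a brand-similarity check alone is not a substitute for published indicator lists.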

According to Google Trends, the interest in the search query “Lazarus group”, along with the interest by region, is
shown below.

The numerical distribution of tweets containing “Lazarus group” is shown below. 70

68 [Link]
69 [Link]
70 Source: OpenCSAM
