Cyber Threat Report | April 2022




With the Covid-19 pandemic and the current war between Russia and Ukraine, the demand for cybersecurity worldwide continues to rise. 

More and more businesses are realizing how important the digital identity - both for individuals and for organizations - has become.

Thank you to all organizations out there who recognize that cybersecurity is not only a necessity but should be everyone’s responsibility and priority.

In our AMATAS April 2022 news report, find out more about:

  • The steps Microsoft has taken to disrupt cyberattacks from a supposed Russian actor targeting Ukraine
  • Latest cyberattacks on organizations led by Conti ransomware and LAPSUS$ groups
  • RaidForums - one of the world’s largest hacker forums - is seized in international Operation TOURNIQUET
  • Updates regarding the largest DeFi hack of $540 million
  • Google’s latest security precautions

The war between Russia and Ukraine: Updates

Microsoft seizes seven domains, believed to be owned by Strontium, a Russian GRU-connected actor

Microsoft obtained court orders to take control of domains believed to be used by Strontium (also tracked as APT28, Sofacy, Fancy Bear, and Sednit).

Microsoft believes the attackers used the domains to target Ukrainian media organizations, government institutions, and foreign policy think tanks in the U.S. and Europe.

The U.S. Department of Justice removes malware deployed by the Russian Federation’s Main Intelligence Directorate (GRU)

The court-authorized operation disrupted a global botnet of thousands of infected network hardware devices believed to be controlled by Sandworm – a cyber-unit of the GRU Russian military intelligence service.

More updates

  • Meta removes government-linked Russian and Belarusian social media accounts conducting cyber espionage operations against Ukrainians
  • OldGremlin ransomware gang targets Russian companies with two phishing campaigns

Cybercrime Breaking News

Conti ransomware targets Costa Rican government-operated systems

Several government agencies were targeted, and one of the attacks took down the administrative systems of the government agency managing the electricity in Cartago. The country's president, Carlos Alvarado Quesada, told Reuters that the attacks were meant to ‘threaten the stability of the country in a transition situation’ and that the country won't pay the ransom.

  • Other recent victims of the ransomware group include Snap-on, from which the attackers claim to have stolen 1 gigabyte of sensitive data, and Panasonic Corp, from whose Canadian subsidiary the threat actors claim to have stolen more than 2.7 gigabytes of data

Microsoft Threat Intelligence Center Insights on DEV-0537 or LAPSUS$ Group Activities

In the past month, the Microsoft Security team has focused on understanding the tactics and targets of DEV-0537 (also known as the LAPSUS$ group) to help organizations minimize the impact of an attack or stop it before it happens. Our March newsletter looked at a detailed timeline of the group's activities; LAPSUS$ is infamous for targeting global organizations across government, technology, and media, as well as individual cryptocurrency accounts. Find out Microsoft's six official recommendations on how to protect your organization's data against a DEV-0537 intrusion, or, alternatively, enhance your team's security awareness and practices with our approach.

Okta CSO Statement: two customers were breached by LAPSUS$ group

In the latest statement issued by Okta regarding the January 2022 breach, the organization's Chief Security Officer confirms that two customers were breached. Okta had initially reported that 366 customers were affected, their data having been accessed by Sitel customer support engineers within the time frame of the intrusion. Okta has terminated its relationship with Sykes/Sitel, as the threat actors used a single Sitel workstation to access resources.

  • T-Mobile, the U.S. telecom service, is the latest victim of a LAPSUS$ breach, with hackers gaining access to over 30,000 source code repositories and the key to an internal customer account management application

More April updates

  • An FBI flash report details indicators of compromise (IOCs) associated with BlackCat/ALPHV attacks. The report confirms that the Ransomware-as-a-Service operation has ‘compromised at least 60 entities worldwide’ between November 2021 and March 2022
  • SuperCare Health (SuperCare) discloses that data of over 300,000 individuals may have been breached in cyberattacks that took place in July 2021
  • GitHub warns about threat actors using stolen OAuth user tokens to access and download organizations’ private data
  • Operations of Nordex Group, one of the world’s largest wind turbine manufacturers, are disrupted as the organization shuts its systems down for a brief period in response to a cyberattack that was discovered at an early stage

Cybersecurity Justice

  • Operation TOURNIQUET: U.S. and European law enforcement seize RaidForums, one of the largest hacker forums, and arrest its chief administrator and two of his accomplices
  • German police seize more than $25 million worth of Bitcoin in the takedown of Hydra, the Russian-origin dark web marketplace that was the world’s largest
  • Google releases a new Data Safety program for Android apps on the Play Store, with information about third-party data collection. At the beginning of the month, Google also removed more than a dozen apps after discovering that they contained malicious code used to harvest users’ data, including email addresses and telephone numbers
  • The U.S. Department of State offers rewards of up to $5 million for information that leads to North Korean threat actors who engage in ‘money laundering, the exportation of luxury goods to North Korea, specified cyber-activity and actions that support WMD proliferation’

FinTech Updates

  • At least $13 million was stolen from the DeFi platform Deus Finance by threat actors said to be using flash loan attacks
  • The U.S. Treasury’s Office of Foreign Assets Control attributes one of the largest DeFi hacks, around $540 million stolen from the Ronin platform, to the North Korean APT group Lazarus
  • Cyberattackers steal about $4.67 million in cryptocurrency from the DeFi platform Ola

AMATAS will continue to monitor this space and deliver salient information regularly.

Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website Fully Managed Cybersecurity Services | AMATAS or by e-mailing

As always – be vigilant, stay alert, and think twice.


Ralitsa Kosturska in AMATAS