It may be the shortest month, but February brought no shortage of bad behavior by cybercriminals.
In our latest cyber attack roundup of the ever-thriving world of cybercrime, we look at a disturbing theft from one of the United States’ most secretive government organisations, a long-running ransomware tie-up for a major media company, a never-ending nightmare for a security-minded internet company, and the latest of many breaches for one of the backbones of the modern web.
February’s Most Notable Cyber Attacks
Law Enforcement Info is at Large After US Marshals Hack
We’ve seen time and again that governmental organisations who deal with security and sensitive information are not always the best at keeping that data secure. A February ransomware attack on the U.S. Marshals Service is one of the more unsettling examples to date, considering the possible nature of the data involved. The 17 February breach involved what the USMS called a “stand-alone USMS system” containing “law enforcement sensitive information.”
The Marshals Service specified only that the exposed data may include “returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees.”
That statement leaves things fairly open to speculation, leading at least one outlet to muse that USMS activities include everything from providing security for federal judges and facilities to apprehending criminals and fugitives to operating the witness protection program. To put it bluntly, that’s exactly the type of data you never want to see fall into the wrong hands, and now it may have.
Location: Arlington, Virginia
Date: 17 February 2023
Type of attack: Ransomware
Data exposed: “Law enforcement sensitive information”
Takeaway: Even an organisation as nominally secure as the U.S. Marshals Service is subject to the machinations of bad actors online. Without knowing more details of the attack, it’s difficult to say what, if anything, might have been done to prevent the breach. But no matter the cause, the damage is done and some extremely vulnerable people’s safety may be jeopardised as a result.
Hackers Take Dish Network Support Off the Air
Temporary disruptions in broadcast services are nothing new to satellite TV subscribers, but a late February outage seems to have happened for a relatively new reason.
A February 23 cybersecurity incident shut down internal networks and phone lines at Dish Network, including customer service lines. While TV broadcasts were not affected by the breach, anyone experiencing disruptions in their service for other reasons was unable to access standard support channels. Customers of Dish and its streaming Sling TV service also had issues with accessing accounts and submitting online payments.
The incident’s scope became clearer on 27 February, when Dish acknowledged that “certain data was extracted” by the thieves in what was later confirmed to be a ransomware attack. It is not clear exactly what that data was, but given the functions impacted, it quite possibly could have included personally identifiable information. The outages had not been fully cleared up a week later, and Dish Network stock dropped by 6% as reports swirled about the company’s lack of internal transparency around the attack.
Location: Englewood, Colorado
Date: 23 February 2023
Type of attack: Ransomware
Data exposed: Internal networks, unknown customer data
Takeaway: This appears to be another instance of an organisation attempting to handle its own damage control and only making its optics look worse.
Dish Network’s alleged reticence to disclose the nature of the outages to its employees and customers is a bad look that only worsens with every day that the impacted services remain offline. It’s another reminder that transparency is usually the best policy when it comes to cybersecurity.
The Hits Keep On Coming for GoDaddy
As one of the world’s most visible web hosting companies, GoDaddy also stands as one of the world’s most desirable targets for hackers. Even so, the frequency with which GoDaddy has suffered significant cyberattacks over the past several years is a growing cause for concern amongst cybersecurity experts.
The latest example became public in a February filing with the U.S. Securities and Exchange Commission that revealed a multi-year breach that ran from 2020 through December 2022, in which hackers accessed GoDaddy source code and login credentials for both customers and employees.
The criminals then used that access to install malware on customer websites, redirecting visitors to bogus domains in a widespread string of “watering hole” attacks. The latest divulgence has drawn fierce criticism of GoDaddy from customers and industry experts alike.
Location: Tempe, Arizona
Date: 2020-2022
Type of attack: Watering hole attack
Data exposed: Malware installed on an unknown number of websites
Takeaway: While a web host as prominent as GoDaddy is faced with a uniquely daunting set of security challenges, the frequency of breaches the company has suffered in recent years can’t help but impact consumer confidence.
Whether or not these attacks were avoidable, public perception is powerful, and it’s all too easy for customers to draw the conclusion that GoDaddy’s security measures have been troublingly lax for a long time.
The breadth of attacks on display in February provides even more evidence that no organisation is immune to cybercrime, and that a breach which looks bad at first glance can get even worse without immediate action. An ounce of prevention beats a pound of cure. There’s no better way to get out in front of cyberattacks than investing in a robust cybersecurity system from Arctic Wolf. Contact us today to arrange a free demonstration of our solutions.
