Tag Archives: Incident

How was Ukrtelecom hacked?

One of the largest Ukrainian telecom providers, Ukrtelecom, suffered a powerful attack on March 28, 2022. It was one more incident in the hybrid warfare between Russia and Ukraine, about which we keep trying to report the latest developments.

Ukrtelecom’s CIO Kyrylo Honcharuk spoke about the details of the Ukrtelecom attack:

Ukrtelecom as part of Ukraine’s vital information infrastructure is in the focus of hackers’ attention all the time. We’ve been observing the increase in the number of cyberattacks against our infrastructure since the very beginning of the invasion. The attack on March 28 was powerful and sophisticated,

Officials said that the discovery phase of the attack was launched from Ukrainian territory recently and temporarily occupied by Russian forces. For discovery, the attackers used a compromised account belonging to a company employee.

Once they had gained access, the attackers tried to disable Ukrtelecom’s equipment and servers in order to take control of its network and equipment. There was also an attempt to change the passwords of employee accounts and of the logins used to access equipment and firewalls. In response to the attack, Ukrtelecom temporarily limited access to its services for private and business clients. Traffic in the network fell to 13% of the network’s regular level. Internet access for clients began to be restored late on March 28, and the following day Ukrtelecom services were available to almost all of its users.

The investigation continues. We have seen several attacks on Ukrainian organizations related to the Russian invasion; however, this attack cannot yet be attributed to any hacker group. We expect to see more attacks on Ukrainian targets, including government, energy and financial organizations.

Latest Statement about Okta Incident and Lapsus$

Everything started with a post in the Lapsus$ Telegram group that included screenshots of Okta’s admin panel. We shared the news, asking whether Okta had been hacked.

An update about the incident came from David Bradbury, the CSO of Okta: “the Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers.”

Okta then acknowledged an incident “between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday”, claiming that the impact is limited to the access that support engineers have and that no customers were affected.

In response to this announcement, Lapsus$ made announcements of its own about the incident and about Okta’s post. Lapsus$ also shared a link to Okta’s Security & Privacy document hosted on okta.com and claimed that they had found AWS keys in Slack.

Okta Hacked?

Since December we have been reading about the actions of Lapsus$. Samsung, Nvidia, and Ubisoft were among their victims. Analysts suspect that some members of the group are from South America and some from Europe.

Most recently, the group shared a screenshot on their Telegram channel showing that they had reached Okta’s console.

Okta announced that they started an investigation after the hacker group shared the screenshot.

“We will provide updates as more information becomes available,” said Okta officials.

Okta is a major single sign-on provider, and a hack could affect thousands of other companies. If verified, an attack on Okta would represent a major attack on digital supply chains. It could cause more damage than the SolarWinds incident, since most of the major applications used by Okta’s customers are already connected through their Okta interface and rely on single sign-on authentication.

Thousands of Keys Leaked from Samsung’s Source Code

Another recent victim of Lapsus$ was Samsung. About 190 GB of data was stolen in the Samsung leak by Lapsus$.

According to GitGuardian analysts, the leaked Samsung source code contains thousands of private keys, some of which would be very useful to cybercriminals.

Analysts identified more than 6,600 private keys, usernames and passwords, and AWS, Google and GitHub keys in the leaked data. They also noted that about 90% of the keys appear to be used in internal systems, which makes them difficult for attackers to exploit.
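The figures above come from scanning the leaked source tree for credential patterns. The following is an added example of how such a scan works; it is not GitGuardian’s tooling or Samsung’s code. The token formats (AWS access key IDs, Google API keys, GitHub tokens, PEM private-key headers, hard-coded password assignments) are the publicly documented shapes of those credentials, the sample files are constructed for the demonstration, and findings are reported redacted so the report itself does not become a second leak.

```python
"""Minimal secret scanner for a leaked or checked-in source tree.

Added example: not GitGuardian's scanner and not Samsung's code. Every
match is a candidate that still needs triage (internal vs. external use,
revoked or not), which is exactly the 90% internal-keys caveat above.
"""
import os
import re
from collections import Counter
from dataclasses import dataclass

# Publicly documented credential shapes. Matches are candidates, not proof.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |)PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never the full secret


def redact(secret: str) -> str:
    """Keep a 4-character prefix so a finding can be recognised without reproducing it."""
    return secret[:4] + "..." + "*" * max(0, len(secret) - 4)


def scan_text(path: str, text: str) -> list:
    """Run every pattern over every line of one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(match.group(0))))
    return findings


def scan_files(files: dict) -> list:
    """Scan an in-memory {path: contents} mapping (used for the constructed sample)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_directory(root: str) -> list:
    """Walk a real directory; binary or undecodable files are skipped."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    findings.extend(scan_text(path, fh.read()))
            except (UnicodeDecodeError, OSError):
                continue
    return findings


def summarize(findings: list) -> dict:
    """Count findings per credential type, the shape of the headline numbers above."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample tree: the values below are placeholders of the right
# shape, not real credentials and not from the Samsung leak.
SAMPLE_FILES = {
    "config/aws.py": 'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"\n',
    "config/maps.js": 'const GOOGLE_MAPS_KEY = "AIza0123456789abcdefghijklmnopqrstuvwxy";\n',
    "ci/deploy.sh": 'TOKEN="ghp_abcdefghijklmnopqrstuvwxyz0123456789"\n',
    "keys/dev.pem": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n",
    "db/settings.yaml": 'user: app\npassword: "s3cr3t-internal-2022"\n',
    "README.md": "Set AWS credentials via environment variables, never in source.\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted}")
    print(summarize(results))
```

Run on the constructed tree, the scanner reports one finding per credential type and nothing for the README, and every report line carries only a redacted prefix. Deciding which of the matches are live, which are internal-only and which need rotation is the manual triage step the analysts describe; the scanner only narrows the search.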

While Lapsus$, which appears to have members from both South America and Europe, initially attacked only Portuguese institutions, their sights seem to have expanded, and in a short time their name has been linked to the NVIDIA, Samsung and Ubisoft incidents.

Countdown for Bridgestone

Last month, Bridgestone faced a cyber attack and shut down factories on February 27. Power outages were reported at factories in Iowa, Illinois, North Carolina, South Carolina, Tennessee and Canada for a long time after the incident.

After the incident, the LockBit ransomware group claimed responsibility for it. It was reported that the hackers had leaked data, started a timer for payment of the ransom, and threatened to publish the data they stole from the company if the money was not transferred in time.

While some wondered whether this event was related to the ongoing Russia-Ukraine tension, the developments show that it is entirely focused on financial gain.

Meanwhile, the group published the following post: “For us it is just business and we are all apolitical. We are only interested in money for our harmless and useful work. All we do is provide paid training to system administrators around the world on how to properly set up a corporate network. We will never, under any circumstances, take part in cyber-attacks on critical infrastructures of any country in the world or engage in any international conflicts”

“Many people ask us, will our international community of post-paid pentesters, threaten the west on critical infrastructure in response to cyber aggression against Russia?
Our community consists of many nationalities of the world, most of our pentesters are from the CIS including Russians and Ukrainians, but we also have Americans, Englishmen, Chinese, French, Arabs, Jews, and many others in our team. Our programmers developers live permanently around the world in China, the United States, Canada, Russia and Switzerland. Our servers are located in the Netherlands and the Seychelles, we are all simple and peaceful people, we are all Earthlings.”

Samsung Confirms Incident

Samsung has confirmed the leak of the company’s internal data, including source code associated with Galaxy smartphones.

“According to our initial analysis, the leak includes source code related to the operations of Galaxy devices, but does not include personal information of our customers and employees,” Samsung officials told Bloomberg. Officials also added that they have put new security measures in place and do not expect a similar incident in the future.

The LAPSUS$ group claimed to have stolen 190 GB of data from Samsung, including the source code for trusted applets, algorithms for biometric authentication, bootloaders, and confidential data from chip supplier Qualcomm.

LAPSUS$ first shared a piece of data they claimed had been leaked from Samsung, and then Samsung confirmed the data leakage.

Meanwhile, on the RAID forum, an underground hacking forum, admin portal credentials were shared by threat actors.

Not long before, LAPSUS$ had also stolen 1 TB of data from NVIDIA.