Cybersecurity threatscape: Q2 2023

The number of incidents rose by 4% compared to the previous quarter and by 17% against Q2 2022. Successful cyberattacks on organizations most often resulted in leakage of confidential information (51%) and disruption of operations (44%). Targeted attacks accounted for 78% of the total. Ransomware attacks are still on the rise: the number of incidents grew by 13% compared to Q1. On the flip side, ransomware groups increasingly threaten their victims with publishing the stolen data rather than demanding a ransom for data decryption. We note that cybercriminals are using spyware in attacks on individuals more frequently. The number of crimes against blockchain projects increased as well. Q2 saw numerous major leaks of users' personal data and large-scale attacks that exploited vulnerabilities.

Attack consequences

The consequences of attacks in Q2 were varied, with successful cyberattacks affecting both small and large businesses, as well as whole cities and districts. Most often, cyberattacks resulted in the bad actors obtaining confidential information and business operations being disrupted. The ransomware attack on the U.S. city of Dallas is an example of a cyberattack impacting a city. The attack disrupted city services: police had to manually dispatch teams to emergency calls, some jury trials were postponed, and water utilities could not process online payments.

Figure 4. Attack consequences (percentage of attacks)

The top five attacks in Q2 to cause a negative impact and wider repercussions

  • A cyberattack on Bitmarck, a major German ISP, forced the company to shut down all of its internal and client-facing systems. The downtime negatively affected mandatory health insurance organizations that used Bitmarck's IT services. Among the disrupted services were access to patient health records, processing of electronic sick leaves, centralized processing of companies' data, submission of monthly statistical reports, and digital communications.
  • The hospitals in Idaho Falls and Mountain View, as well as their partner clinics, were attacked by ransomware, forcing some of them to stay closed. Idaho Falls confirmed that several ambulances were redirected to neighboring hospitals. It took the clinics more than a month to fully restore their processes.
  • Large-scale DDoS attacks on Microsoft applications caused failures on the Outlook, OneDrive, and Azure websites. Customers who saw service disruptions were unable to use the email or cloud services. As many as 18,000 users could not get access to Outlook as the attack reached its peak. The attacks were launched one at a time for three days by the hacktivist group Anonymous Sudan.
  • LockBit demanded that TSMC, Asia's highest-valued company and one of the world's largest manufacturers of semiconductors, pay a ransom of $70,000,000 to prevent its data from being published. The data had been leaked from a misconfigured server belonging to the IT equipment vendor Kinmax Technologies.
  • The Russian company Infotel, which provides integration of banks and companies with the Bank of Russia automated digital communications system, faced a cyberattack by the hacktivist group Cyber.Anarchy.Squad. The attack left several major client banks cut off from the national banking systems. It took the telecommunication operator 32 hours to restore service.

Attacks that led to leaks of confidential data mostly aimed to steal personal data (53%) and trade secrets (18%) from organizations. Attacks on individuals largely aimed at stealing their credentials (43%).

Figure 5. Types of data stolen (in attacks on organizations)
Figure 6. Types of data stolen (in attacks on individuals)

The most notable leaks in Q2

  • Some of the notable victims of the Cl0p attack on MOVEit Transfer were Louisiana's Office of Motor Vehicles (OMV) and the Oregon Department of Transportation (ODOT). The leak affected 3,500,000 holders of IDs and driver's licenses in the State of Oregon, and 6,000,000 in Louisiana.
  • Affected customers of Harvard Pilgrim Health Care filed four class-action lawsuits against the company, accusing it of failure to ensure the security of personal and health data. In April, the organization was hit by a malware attack that resulted in 2,500,000 individuals' data being leaked.
  • Personal details belonging to the customers of 12 Russian companies were leaked online over the course of three days: full names, phone numbers, email addresses, and in certain cases, even password hashes. The list of the companies featured the Auchan, Tvoy Dom, and Leroy Merlin retail chains, Gloria Jeans, book24.ru, Askona, Bukvoed, Tvoe, and Chitai-Gorod online stores, cooking website edimdoma.ru, AST and Eksmo publishers, and Roza Khutor mountain resort. Auchan, Gloria Jeans, book24.ru, Askona, and the Eksmo-AST group confirmed the leaks.
  • After negotiations over a $4,000,000 ransom fell through, the Money Message ransomware group published Intel Boot Guard private keys and firmware keys stolen from hardware company MSI. The extortionists claimed to have stolen 1.5 TB of MSI data. The leak affected the entire Intel ecosystem and posed a direct threat to MSI customers. The keys could be used by an attacker to create malicious firmware updates and then deliver these with the help of BIOS and MSI update tools.
  • Medical treatment and laboratory diagnosis data on 2,500,000 Enzo Biochem patients was compromised during a ransomware attack. Some of the data was wiped from the company's systems altogether. Enzo Biochem did not suspend service even as its internal business processes were disrupted while it worked to limit the scope of the attack. Enzo Biochem, along with its Enzo Clinical Labs affiliate, was hit with four class-action lawsuits that accused the company of failing to ensure sufficient security of the client data it stored.

Statistics

Figure 7. Number of incidents in 2022 and 2023 (by quarter)

78% of attacks were targeted.

Figure 8. Categories of victim organizations

15% of attacks were aimed at individuals.

Figure 9. Attack targets (percentage of attacks)
Figure 10. Attack methods (percentage of attacks)
Figure 11. Types of malware (percentage of malware attacks)
Figure 12. Malware distribution methods in attacks on organizations
Figure 13. Malware distribution methods in attacks on individuals
Figure 14. Target OS in malware attacks (percentage of attacks)

About the report

This report contains information on current global information security threats based on Positive Technologies' own expertise, investigations, and reputable sources.

We estimate that most cyberattacks are not made public due to reputational risks. As a consequence, even companies specializing in incident investigation and analysis of hacker activity are unable to calculate the precise number of threats. Our research seeks to draw the attention of companies and ordinary individuals who care about the state of information security to the key motives and methods of cyberattacks, as well as to highlight the main trends in the changing cyberthreat landscape.

This report considers each mass attack (for example, phishing emails sent to multiple addresses) as one incident, not several. For explanations of terms used in this report, please refer to the Positive Technologies glossary.
