
Illustration by iStock; Security Management

The 5 Scariest Hacker Groups of 2022

How do you fix a cybersecurity vulnerability in your digital jack-o-lantern? With a pumpkin patch, of course!

It’s the Halloween season once again, and when the leaves change and the weather gets chilly, you know it’s time to turn up the frights—in real life and in the digital space. As they say, everyone is entitled to one good scare around All Hallow’s Eve, especially after the data breaches and security fails that some of the world’s top companies have gone through in 2022.

This year, maybe more than ever, we’ve seen that hacking groups have no scruples and are willing to disrupt any organization—no matter if they are a nonprofit or provide life-saving healthcare services.

Let’s take a look at some of the scariest hacking groups that security teams need to know this year.

1. Lapsus$

“This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others,” according to an Uber security update after a major data breach earlier this year.

Hackers used social engineering to exploit an Uber contractor whose personal device had been compromised by malware, getting the contractor to approve a two-factor login request. The same hackers, who also breached video game company Rockstar Games, illegally downloaded footage of the upcoming title Grand Theft Auto VI, and leaked 90 video clips from the unreleased game online, gained access to internal Uber systems including Google Docs and Slack. No public-facing systems, user accounts, sensitive card or financial data, or trip information were compromised, Uber said.

2. Conti

Though it allegedly shut down in May 2022, the remnants of the Conti ransomware gang breached the systems of the Costa Rican government, launched Distributed Denial of Service (DDoS) attacks on Cobalt Strike servers, and attacked the Ukrainian government, as well as other Ukrainian and European humanitarian and nonprofit organizations amid Russia’s war in the region. The group declared support for Russia earlier in the year before walking back its full support. 

Google's Threat Analysis Group noted in a blog that Conti phishing emails were sent out impersonating the National Cyber Police of Ukraine and contained a link that urged targets to download an update for their operating system. At the same time, the attack itself included the deployment of the banking Trojan IcedID to steal personal data.

“[The group’s] activities are representative examples of blurring lines between financially motivated and government-backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests," wrote Google software developer Pierre-Marc Bureau in the post.

3. Lazarus Group

North Korean state-linked hacker collective Lazarus Group has had quite the year, and that’s before the U.S. government confiscated $30 million worth of cryptocurrency it stole in a token-based, play-to-earn game scheme in early 2022. Between February and July 2022, Lazarus targeted a series of energy providers, primarily in Canada, Japan, and the United States, exploiting vulnerabilities in VMware Horizon and deploying malware to gain initial access to the organizations.

The campaign was partially disclosed by a handful of security firms, but a technical report says Lazarus’s method was to “establish initial footholds into enterprise networks, followed by the deployment of the group's custom malware implants, VSingle and YamaBot. In addition to these known malware families, we have also discovered the use of a previously unknown malware implant we’re calling ‘MagicRAT.’”

The primary goal of the attack “was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives…targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”

4. LockBit

LockBit has established a steady pace of attacks this year, bringing in around 70 victims each month by focusing primarily on extortion tactics. 

According to a leak site data analysis by Palo Alto Networks Unit 42, LockBit accounted for 46 percent of all ransomware-related breach events for the first quarter of 2022. In June 2022 alone, the group was tied to 44 attacks, making it the most active ransomware strain we’ve seen this year.

The group also allegedly demanded $10 million in ransom money from the Centre Hospitalier Sud Francilien in France after the group disrupted the hospital’s business software in August 2022, leaving it unable to use several medical systems. LockBit itself did not take responsibility for the attack. An affiliate of the ransomware-as-a-service (RaaS) operation could be responsible for the attack, even though it is against LockBit’s RaaS terms of service to attack a healthcare provider.

“The IT system at the hospital centre in Corbeil-Essonnes has been virtually paralysed,” France24 reported at the time. “Non-critical services have had to be directed elsewhere, and staff are now working with limited resources.”

5. REvil

Shut down after pressure from the Biden administration in the wake of a major ransomware attack on information technology management software provider Kaseya and an $11 million extortion attempt on global food processing company JBS, REvil was reanimated like a zombie in August 2022. This was after the group stole gigabytes of financial data from a Chinese appliance company called Midea Group.

The shutdown was thought to be tied to ongoing diplomatic talks between Russia and the United States, though some thought it was a simple hacking tactic to go dark and cover its footprints following the initial major attack. Russia claimed to have seized 426 million rubles (£4 million or $6.9 million) from the group, including about £440,000 worth of cryptocurrency, but REvil is still going strong.

What Organizations Can Do to Stop Security Breaches

While most attacks from the groups mentioned above were characterized by the serious digital damage they wrought, some groups still made an impact after they allegedly disbanded or paused activity; others struck noteworthy names, including big tech companies and large government entities. So, what steps can organizations take to ensure they don’t fall victim to these nightmares on enterprise street?

Maintain Cyber Hygiene. To avoid a pick-your-poison cyber escalation and to evade this spooky list, organizations need to make sure their basic security hygiene is in good form—patches are applied, non-essential ports are closed to the public Internet, and software is updated. Larger companies with more robust budgets and better IT expertise must make the effort to leverage tools like network detection and response (NDR) platforms for better network monitoring.


A minimum audit of insecure protocols and highly trafficked devices goes a long way toward ensuring that hackers don’t find their way into internal systems. These basic steps are often the first line of defense against known and exploitable vulnerabilities, and they put organizations in a better position to spot the first signs of an attack.

Detect Lateral Movement. Once bad actors gain access to internal networks, it’s extremely difficult to detect them. To elevate a company’s cybersecurity posture even further, organizations need the ability to track lateral movements within systems to flag initial breaches. Systemic blind spots mean attackers will remain undetected and could wreak digital havoc laterally across networks at will.

By enforcing monitoring strategies and baseline behavior detection for activity such as data staging, account escalation, and C2 communications, companies can stop an attack in motion: revealing the attacker’s approach and the scope of the attack so far, and getting out ahead of what the bad actors will likely do next.
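As an added illustration of the baseline behavior detection described above (this is example code, not from the original article or from ExtraHop), the script below learns each account's normal host fan-out from constructed authentication events and flags an hour in which a service account reaches several hosts it has never touched before. All account names, hosts and thresholds are made up.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (hour index, user, destination host); not real telemetry.
BASELINE = (
    [(h, "alice", host) for h in range(48) for host in ("fs01", "mail01")]
    + [(h, "svc_backup", "db01") for h in range(48)]
)
TODAY = [
    (49, "alice", "fs01"), (49, "alice", "mail01"),
    (50, "svc_backup", "db01"),
    # the backup service account suddenly fans out to hosts it has never touched
    (50, "svc_backup", "ws-117"), (50, "svc_backup", "ws-118"),
    (50, "svc_backup", "ws-119"), (50, "svc_backup", "dc01"),
]


def build_baseline(events):
    """Per user: the set of hosts ever reached and distinct-hosts-per-hour statistics."""
    known = defaultdict(set)
    per_hour = defaultdict(lambda: defaultdict(set))
    for hour, user, host in events:
        known[user].add(host)
        per_hour[user][hour].add(host)
    profiles = {}
    for user in known:
        series = [len(s) for s in per_hour[user].values()]
        profiles[user] = {
            "hosts": known[user],
            "mean": mean(series),
            # floor the deviation at one host so a perfectly regular account can still score
            "std": max(pstdev(series), 1.0),
        }
    return profiles


def detect_lateral_movement(baseline, events, z_threshold=3.0, min_new_hosts=2):
    """Flag (user, hour) buckets whose host fan-out deviates from that user's own baseline."""
    buckets = defaultdict(set)
    for hour, user, host in events:
        buckets[(user, hour)].add(host)
    alerts = []
    for (user, hour), hosts in sorted(buckets.items()):
        prof = baseline.get(user)
        new_hosts = hosts - (prof["hosts"] if prof else set())
        # an account with no baseline at all is treated as maximally anomalous
        z = (len(hosts) - prof["mean"]) / prof["std"] if prof else float("inf")
        if z >= z_threshold and len(new_hosts) >= min_new_hosts:
            alerts.append({"user": user, "hour": hour, "z": round(z, 2),
                           "new_hosts": sorted(new_hosts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(build_baseline(BASELINE), TODAY):
        print(alert)
```

In a real deployment the baseline window and the z-score threshold are tuned per environment; the point is that the alert is driven by deviation from each account's own history rather than by a fixed signature.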

Support the Human Element. Organizations should adopt a continual, contextual security awareness program that doesn’t punish or shame. It should seek to educate and motivate employees to double check everything and provide a clear process to flag anything suspicious.

Jamie Moles brings more than 30 years of technology and cybersecurity experience to his role as senior technical manager at ExtraHop where he helps customers understand and mitigate the risk contemporary threats pose to their business. In the early 1990s, Moles was one of the United Kingdom’s leading experts on computer viruses, authoring his own virus scanner for MSDOS before joining Symantec as technical support lead for their cybersecurity product range, including the new Norton AntiVirus product. He has also held numerous engineering roles at organizations across a variety of industries including healthcare, infrastructure, and finance. Moles lives in Portsmouth, England, with his wife, two kids, and a Cavachon called Lottie. In his spare time, he enjoys retro computer gaming, poker, and virtual reality.

© 2022, ExtraHop