This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Social Media Links

| 3 minutes read

Ankura Cyber Threat Intelligence Bulletin: April - May 2022

Over the past sixty days, Ankura's Cyber Threat Investigations & Expert Services (CTIX) Team of analysts has compiled key learnings about the latest threats and current cyber trends into an in-depth report: The Cyber Threat Intelligence Bulletin. Updated for April - May 2022, our report provides high-level executives, technical analysts, and everyday readers who are looking to gain a deeper understanding of current global threats with an in-depth look at key cyber trends to watch. 

Stay ahead of constantly evolving threats with the latest cyber intelligence, ransomware, and threat insights. Download your copy of the full report at the end of this article. 

Our report explains the following observations in detail:

A Rise in Geopolitical Tensions Likely Leads to an Increase in Iranian State-Sponsored Threat Actor Behavior

Since the beginning of May, Iranian threat actor activity has risen significantly across multiple organizations. Three separate Iranian groups, APT34, APT35, and Altahrea have stepped up their operations, targeting Jordan, Israel, the United States, and some European countries. CTIX analysts believe that this recent uptick in Iranian activity stems from the geopolitical tensions surrounding the war in Ukraine, and threat actors worldwide have been significantly more active. Download the full report for a detailed explanation of Iranian threat actor activity, recent successful phishing campaign tactics including a malicious Excel workbook attachment (shown below) delivering a new-and-improved version of the Saitama backdoor, and more in our bulletin.

Phishing Email Example
Figure: Phishing campaign email 

Coordinated Ransomware Attack Against Costa Rica Forces National State of Emergency

On May 8th, newly sworn-in Costa Rican president Rodrigo Chavez declared a national emergency and stated the country was “at war” with the ransomware group Conti (also known as threat actor UNC1756). The announcement followed cyberattacks on a number of Costa Rican government agencies, including the Costa Rican Social Security Fund, The Ministry of Science, The National Meteorological Institute, and The Costa Rican Finance Ministry. Since April alone, the number of institutions impacted has risen to twenty-seven (27).  

The full impact of the disruption of Costa Rican government services is not yet known, but one (1) significant impact has been to their Treasury agency, as they cannot issue signatures or stamps digitally at this time. Read the full report to discover why experts suggest this recent activity reveals a new kind of antagonism for Conti.

Figure: Conti’s Leak Site Posting Regarding Costa Rica

Threat Actor of the Month: Lazarus Group

North Korean state-sponsored advance persistent threat (APT) group, Lazarus has been operational since at least 2009 and is known to consist of various clusters. Emerging in the public eye in 2014 for its destructive attack against Sony Pictures Entertainment, the group is believed to have deployed wiper malware across Sony, taking down business-critical systems and disrupting the release of the movie "The Interview".

Subsequent high-profile attacks have highlighted the new objective of attacks conducted by the group: stealing money through heists and ransomware. Download the full report to discover why this group has shown to be one of the most persistent financially motivated threat actors in the world. 

Trending Indicators of Compromise (IOCs)

IOCs can be utilized by organizations to detect security incidents more quickly as indicators may not have otherwise been flagged as suspicious or malicious. Download the full bulletin for a list of technical indicators of compromise within the past sixty (60) days that are associated with monitored threat groups and/or campaigns of interest.

Click on the image below to download the full Cyber Threat Intelligence Bulletin and discover detailed insights and expert analysis from our Cyber Threat Investigations & Expert Services (CTIX) team.

Never miss an update about emerging threats or ransomware activity with our weekly newsletter: Sign up today for the weekly Ankura CTIX FLASH Update.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.


cybersecurity & data privacy, data privacy & cyber risk, cyber response, data & technology, report, f-risk

Let’s Connect

We solve problems by operating as one firm to deliver for our clients. Where others advise, we solve. Where others consult, we partner.

I’m interested in

I need help with