In 2022, threat actors and hacker groups made their mark on the digital world by causing unprecedented data breaches that left organizations of all sizes and sectors vulnerable. Even with improved cybersecurity measures in place, threat actors were able to find and exploit weaknesses in systems to launch devastating attacks. These malicious hackers were determined to gain access to confidential information for financial gain, intellectual property theft, or political reasons. As a result, businesses and even governments had to face the consequences of these powerful threat actors and the damage they caused. This article will highlight some of the most notable threat actors and data breaches that defined the 2022 cybersecurity landscape.
The Breaches that Defined 2022
#1 Ronin Network
Ronin Network, a sidechain associated with the blockchain game Axie Infinity, was found to be breached in April 2022 by hackers who stole 173,600 Ethereum and $25.5 million--amounting to almost $615 million in stolen funds.  This attack has been attributed by the FBI to North Korean hackers, and the U.S. Treasury Department has sanctioned a cryptocurrency wallet used by the perpetrators of the crime to receive stolen assets. Hackers broke into Ronin Network security systems by obtaining access to private keys that they utilized to create fraudulent withdrawals. This breach was the highest reported attack against a blockchain application in 2022. It demonstrated the scale of security threats to cryptocurrencies and highlighted the risks associated with digital asset management. It also put into perspective how vulnerable cryptocurrency exchanges are when facing advanced cyber attackers.
Crypto.com, one of the most prominent and well-known cryptocurrency exchanges in the world, reported that 483 of its users were compromised in a hack in January 2022. The attack resulted in unauthorized withdrawals of bitcoin and Ether worth a total of $35 million.  This breach highlighted the rise of sophisticated, well-funded threat actors targeting cryptocurrency exchanges. The attack also revealed a shift in tactics from traditional ransomware attacks to direct theft of specific digital assets.
In early 2022, Microsoft suffered a high-profile data breach attributed to an advanced threat actor known as Lapsus$ who managed to leak about 37GB of Microsoft's alleged source code. In response, the company increased its focus on data privacy.  However, at the end of October, Microsoft was hit by another security lapse -- dubbed "BlueBleed" -- which saw more than 65,000 companies' data exposed due to a single misconfigured Azure endpoint that allowed unauthenticated access. These events brought attention to the ability of threat actors to bypass common security measures, as well as the risks associated with increased reliance on public cloud infrastructure. This prompted companies to tighten their defenses by implementing advanced automated technologies such as machine learning, multi-factor authentication, and zero-trust architecture. 
In January 2022, a security vulnerability in Twitter's API was fixed after the private information of over 5.4 million users had been stolen and shared for free on a hacker forum. In July, however, a threat actor attempted to monetize this data breach by offering the stolen user records for sale at $30,000. Additionally, another massive data dump containing millions of stolen Twitter records has recently been disclosed by a security researcher, confirming that this vulnerability had been widely exploited by cybercriminals. 
In September 2022, Uber was the victim of a data breach when Teqtivity, a software company that provides asset management and tracking services to Uber, was targeted in a hacking operation. According to BleepingComputer, an online cybersecurity news site, the breached information included “source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses and other corporate information” in addition to the “email addresses and Windows Active Directory information for over 77,000 Uber employees”.  Although some corporate details were exposed, no user data was compromised as a result of the breach. UberLeaks later claimed that it was Lapsus$, a hacking group, had orchestrated the hack, but Uber has since denied this allegation. 
In January 2022, a cybersecurity incident involving the International Committee of the Red Cross (ICRC) was reported. This attack compromised data and confidential information held by the ICRC relating to over 515,000 vulnerable individuals, including those separated from their families due to conflict, migration or disaster, missing persons and their relatives, and people in detention. The ICRC's system that is used for running its Restoring Family Links program was impacted by this cyberattack as well as other systems utilized by the wider Red Cross and Red Crescent network for the purpose of reuniting family members separated by humanitarian crises. 
These major breaches highlight the vulnerability of major corporations and the need to prepare effectively for the threat landscape that awaits in 2023.
In 2022, LastPass, a digital password wallet company, experienced a significant data breach wherein the threat actor was able to gain access to backup databases containing credentials and other sensitive information, including passwords. This posed a significant threat due to the potential for attackers to exploit weak or reused passwords so long as users do not change them. However, although passwords were obfuscated, other exfiltrated data included some customer backups and encryption keys, as well as plaintext emails, usernames, and domains.  With access to personal data, the risk of criminals launching successful spearphishing attacks against users whose information was compromised has skyrocketed, making the LastPass breach critical in 2022. 
The Threat Actors that Defined 2022
The LockBit hacker group emerged in 2020 as a ransomware-as-a-Service (RaaS) provider, quickly rising to prominence among cyber criminals. In 2022, the group’s ransomware campaigns were responsible for 44% of all ransomware campaigns.  The reason behind the success of this particular threat actor is its highly efficient operations and low-cost model. By allowing users to rent their services for a one-time fee and having extremely efficient operations, LockBit was able to outpace other competing ransomware operators last year. Unlike most other ransomware groups, which mostly target home users, LockBit mainly focuses on businesses, enabling them to quickly access large amounts of data and money by encrypting entire networks. LockBit is mostly Russian-speaking and active in the former Soviet Union and Europe.
#2 ALPHV (BlackCat)
In 2022, the BlackCat ransomware group demonstrated its ability to carry out ruinous attacks against organizations in both the public and private sectors.  By targeting large companies in Germany and Italy, as well as a European government, they made their presence felt on a global scale. Their ransomware-as-a-service (RaaS) offering allows them to spread their malignant operations further with the help of tools such as Log4J Auto Exploiter. BlackCat is also especially noteworthy in its recent aggressive efforts to acquire new affiliates and gain influence in the competitive landscape. BlackCat leveraged hefty payouts that were up to 90% of paid ransoms. Furthermore, they advertised their services in underground forums like RAMP and Russian-speaking hacking forums as a means to recruit affiliates. Additionally, the introduction of BlackCat's public leak site, which enabled searchable access to stolen information from its victims, was a major escalation of the ransomware attack model. Unlike traditional Tor sites hosting such data, which limited visibility to certain groups of people only, this new platform made the data available to anyone with an internet connection. Such a move put more pressure on victims to comply with BlackCat’s demands.
#3 Black Basta
Black Basta is a ransomware-as-a-service (RaaS) group first detected in April 2022 . The group quickly became a dangerous threat, employing double-extortion tactics and expanding its attack arsenal to include Qakbot trojan and PrintNightmare exploits. Due to its recent emergence, detections of Black Basta remain low, but the speed with which its malware authors have developed their tools warrants a closer inspection of this emerging ransomware gang. Their approach is targeted rather than spray-and-pray tactics, making them more likely to successfully breach data privacy and cybersecurity trends. As such, monitoring Black Basta's activities will be essential for understanding future threats posed by this malicious actor.
In 2022, Killnet emerged as a major cybersecurity threat actor that posed a significant risk to organizations across the globe.  Killnet is an international cybercrime group of pro-Russian hackers known for their ability to launch large scale distributed denial-of-service (DDoS) attacks on cyber targets. In one of their most notorious acts, they called for coordinated DDoS attacks on several U.S. airports, demonstrating their potential impact.
#5 Lazarus Group
The Lazarus Group is a renowned cybercriminal organization and threat actor, believed to be based in North Korea.  In 2022, they were responsible for a malicious campaign targeting energy providers around the world. This campaign used two known malware families (VSingle and YamaBot) as well as a recently disclosed implant called 'MagicRAT'. Additionally, it has been suggested that the group may be behind the $100m theft from cryptocurrency firm Harmony and even Axie Infinity's $600m hack.
In recent months, a cybercriminal gang known as LAPSUS$ has claimed responsibility for multiple high-profile attacks against tech companies, including T-Mobile, Globant, Okta, Ubisoft, Samsung, Nvidia, and Microsoft.  Additionally, they were also successful in launching a ransomware attack against the Brazilian Ministry of Health. These events also show that cybercriminals have shifted their focus beyond simple ransomware to data exfiltration and cyber extortion. LAPSUS$ gains access to organizations' intellectual property and threatens to leak data unless a ransom is paid, potentially resulting in irreparable damage if the data were made available to competitors.
#7 APT41 (a.k.a. Barium, Wicked Spider/Panda)
APT41, a Chinese state-sponsored hacking group based in Chengdu, stole at least $20 million of U.S. Covid relief funds from taxpayers in over a dozen states from mid-2020 to 2021 according to the Secret Service.  APT41 specializes in attacks on large and tough-to-breach targets such as telecoms and defense projects, leveraging tactics like spear phishing, listening, water holes/RATs/backdoors, and communication chain attacks. They are also known to pursue subtle monetization options by selling stolen IPs through intermediaries in closed forums. It is uncertain how much of this money is handed over to the government or kept within the handling agency within the Chinese government. The theft of taxpayer funds by APT41 is the first instance of pandemic fraud tied to foreign, state-sponsored cybercriminals that the U.S. government has acknowledged publicly and raises serious national security implications. 
At the beginning of September 2022, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warned that a ransomware gang named Vice Society was targeting the education sector. Vice Society is a threat actor group that first began operating in January 2021. It uses various methodologies to gain access, including exploiting internet facing applications and using tools such as PowerShell Empire, SystemBC, and Cobalt Strike for lateral movement. Unlike other ransomware groups like Lockbit which follow a typical ransomware-as-a-service (RaaS) model, Vice Society has taken a different approach by utilizing forks of pre-existing ransomware families that are sold on dark web marketplaces such as HelloKitty (aka FiveHands) and Zeppelin. As such, they have become dangerous threat actors operating today and were a significant threat actor in the data breaches of 2022.
#8 Snatch Team
Snatch is a threat actor that emerged in 2022 and caused a number of data breaches across multiple sectors, most notably food and education. It is believed to be a Russian hacker group, based on their language, communication styles, tactics techniques, and procedures (TTPs). In 2022, they targeted organizations such as McDonalds, from where they claimed to have stolen over 500gb of data in an attack against the company headquarters in Chicago. This data has been confirmed to being sold on the dark web for an undisclosed sum.  In addition, Snatch Team has been attributed to the hack of Daylesford Organic, a UK-based organic grocery store. Company systems were breached by exploiting vulnerabilities in its software, allowing them to gain access to confidential customer information and data stored on their servers. The personal information of celebrities were found to be published on the dark web, including those of Sir David Attenborough, Jeremy Clarkson, Ronnie O’Sullivan, and Lady Sarah Chatto.  Snatch Team has also claimed to be responsible for a ransomware attack on the Kenosha Unified School District in September 2022. The group did not reveal what type or number of flies stolen. The attack caused significant disruption in learning for K-12 students. This latter attack prompted the Government Accountability Office to urge the Cybersecurity and Infrastructure Security Agency (CISA) and Secretary of Education to fortify their security measures. 
 Update: Crypto Hackers Exploit Ronin Network for $615 Million; BankInfoSecurity, 2022.
 Lapsus$ hackers leak 37GB of Microsoft's alleged source code; Bleeping Computer, 2022.
 5.4 million Twitter users' stolen data leaked online — more shared privately; Bleeping Computer, 2022.
 Uber suffers new data breach after attack on vendor, info leaked online; Bleeping Computer, 2022.
 IOTW: Over 77,000 Uber employee details leaked in data breach; Cyber Security Hub, 2022.
 LastPass owner GoTo says hackers stole customers’ backups; TechCrunch, 2023.
 LockBit Dominates Ransomware Campaigns in 2022: Deep Instinct; Info Security Magazine, 2022.
 North Korean Lazarus Group Hacked Energy Providers Worldwide; Info Security, 2022.
 APT41’s expanding capabilities pose a significant economic threat; Security Boulevard, 2022.
 Hackers target food supplier to the stars Daylesford Organic; Oxford Daily, 2022.
 Ransomware group claims attack on Wisconsin school district; The Record, 2022.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.