
Top 10 cyber crime stories of 2023

Ransomware gangs dominated the cyber criminal underworld in 2023, a year that will prove notable for significant evolutionary trends in their tactics

When it comes to cyber crime, it’s easy to assume that there is nothing new under the sun. After all, the whole point of cyber crime – to a cyber criminal – is to get someone else’s money in their pockets as quickly as possible. What could be more effective a tool than ransomware?

However, even perfect systems can be improved around the margins, tried-and-tested methods can be tweaked, and incremental adjustments made. So it was in 2023, which will be remembered as the year in which the already commodified ransomware ecosystem started to do away with actual ransomware, in favour of mass targeting of victims and straight-up data theft and extortion.

But it wasn’t just ransomware hitting the headlines in 2023 – other cyber criminals continued to wreak havoc at a smaller scale, and with digital and online fraud now one of the most widespread forms of crime in the UK, we also reported on the various scams and techniques being adopted to con ordinary people out of their hard-earned cash.

Here are Computer Weekly’s top 10 cyber crime stories of 2023:

1. Royal Mail refused to pay £66m LockBit ransom demand, logs reveal

By any measure, the LockBit ransomware crew’s January 2023 hit on Royal Mail was the most widely talked about cyber attack in the UK this year. The incident, which we now know targeted a major distribution centre near Heathrow Airport, crippled the organisation’s international shipping service and left both consumers and businesses unable to send letters and parcels overseas.

Over a month after the initial attack, things were still not back to normal, as it emerged that LockBit was demanding a stratospheric ransom of nearly £70m, which Royal Mail refused to pay, saying it was an “absurd” sum. Royal Mail has since spent over £10m on remedial measures.

2. LockBit gang confirms Ion cyber attack as disruption continues

LockBit was one of the most prolific operators in 2023 – although its status as “top dog” was to be dramatically challenged later in the year, as we shall see.

At the end of January, LockBit caused widespread disruption in the City of London, leaving multiple financial services organisations locked out of critical applications, after attacking Ion Group, a supplier of financial software. Many of the disrupted firms were forced to fall back on more traditional pen and paper-based methods to complete their trades.

3. Hive ransomware gang taken down after FBI hacks back

Ransomware now being high on the agenda of many governments, 2023 saw multiple law enforcement operations aimed at disrupting ransomware gangs’ crime sprees and bringing their members to justice.

One of the biggest stings of the year came in January 2023, when an FBI-led operation saw the Hive cartel’s server infrastructure hacked and seized by the Feds, who also liberated its ransomware decryption key and distributed it to victims. Hive had extorted over $100m from 1,500 organisations during an 18-month campaign. Its loss was not mourned.

4. Rubrik customer, partner data exposed in possible Clop attack

Storage-turned-security tech firm Rubrik found itself in the headlines in March 2023 when the Clop/Cl0p ransomware crew exploited a flaw in a managed file transfer (MFT) product – Fortra’s GoAnywhere – to access its systems and compromise its data.

On the face of it you might consider this a fairly standard cyber attack, but this was in fact part of a wider campaign exploiting GoAnywhere in which Clop attacked over 130 known victims, and it heralded something even worse... By the pricking of my thumbs, something wicked this way comes.

5. Researchers see surge in scam websites linked to King’s coronation

But first this. You could easily be forgiven for thinking it was ransomware all the way down, but cyber criminals aren’t all ransomware operators targeting large businesses; some of them are just trying to fleece the man on the Clapham omnibus for a few quid. These crooks will use any likely lure to convince their marks to hand over some cash, and the coronation of King Charles III was a biggie.

As the big day approached, Kaspersky’s research teams observed a surge in scam websites, generally flogging commemorative plates and mugs, that were in fact harvesting credit card details and other credentials.

6. Pig butchers caught using ChatGPT to con victims

To pig butchering, a somewhat indelicate term used to describe a romance scam in which targets are duped into handing over their money to cyber criminals in the form of crypto currency, having been supposedly lured in by a new love interest.

In 2023, these scams took a new twist thanks to the advent of generative artificial intelligence (GenAI) chatbots such as ChatGPT, and criminals were quick to adopt these tools. In one instance, they got caught when a victim turned suspicious after they accidentally copied and pasted an AI message that read: “As a language model, I don’t have feelings or emotions like humans.”

7. Victims of MOVEit SQL injection zero-day mount up

This is the big one. At the end of May, Progress Software disclosed and patched a serious zero-day vulnerability in its MOVEit MFT product, but not before the Clop ransomware crew had used it against a wide range of targets. Over the following weeks, myriad victims came forward, including the BBC, Boots, British Airways and Ofcom. Many UK victims were attacked through payroll and HR software firm Zellis.

The MOVEit attacks proved particularly notable as they heralded a new trend of cyber extortion without a ransomware locker being deployed to encrypt victims’ data. This was possibly a result of Clop being too busy with the volume of victims it had to handle, but is also likely because in the cyber criminal quest for coin, removing one layer of complexity from the equation would seem a “smart” choice.

8. Okta confirms link to cyber attacks on Las Vegas casinos

A series of high-profile attacks on Las Vegas casino operators MGM Resorts and Caesars Entertainment in September put cyber crime back on the desks of primetime newsreaders. In an audacious series of heists, which one observer referred to as the “Ocean’s 11 of the cyber age”, an affiliate of the ALPHV/BlackCat gang known as Scattered Spider caused havoc in Sin City, after using social engineering against the victims’ IT helpdesks and gaining control of privileged accounts for their Okta identity and access management services – something that was confirmed by both Okta’s CISO and the gang itself, which posted a lengthy article explaining how it did it.

A wider compromise of Okta’s support systems later spread to encompass a number of other tech firms, and has subsequently been found to have affected basically every customer that has ever used its helpdesk service.

9. CISA reveals how LockBit hacked Boeing via Citrix Bleed

When the cyber history books are written, prolific ransomware crews like LockBit will loom large over the early 2020s, and the gang was still in action at the end of 2023, this time exploiting a zero-day in Citrix NetScaler Application Delivery Controller and NetScaler Gateway, which is now known as Citrix Bleed.

Similar to how Clop was able to exploit MFT services to target victims, LockBit has apparently used the Citrix Bleed flaws in widely used networking products to target a wide range of victims. Probably its most high-profile target was aircraft manufacturer Boeing, and in mid-November, US cyber agency CISA published in-depth details of how LockBit was able to attack Boeing.

10. Rhysida gang stole hundreds of gigabytes of British Library data

We end 2023 as we began it, with a devastating cyber attack on a venerable British institution, the British Library, which was recently targeted by the Rhysida ransomware gang. In an incident that caused severe disruption to the British Library’s work and is still ongoing, Rhysida compromised its customer relationship management databases and stole over 600GB of data on library patrons. This data was subsequently leaked on the dark web.

The Rhysida gang is a new operation that is already making its mark, and more recently attacked the systems of a private London hospital most famous for treating members of the royal family. The gang claimed to have stolen medical data on the royals, although this is likely not true.
