The top five cyber security incidents in June 2023

Cyber Security Hub takes a look at the top cyber attacks, data breaches and cyber security incidents across the globe that happened in June, 2023.


MOVEit cyber attack impacts multiple businesses

A cyber attack on document transfer service MOVEit led to a series of data breaches of high-profile companies including PricewaterhouseCooper (PwC), Ernst and Young (EY), Health Service Ireland and payroll provider Zellis.

During the cyber attack, ransomware gang Clop exploited a critical zero-day vulnerability in MOVEit’s infrastructure to break into the networks of a multitude of companies and steal their data. 

The critical vulnerability was initially recognized on June 1 by security researchers and the US government. The US Cybersecurity and Infrastructure Security Agency (CISA) urged all companies that used MOVEit to analyze their networks to see if the malicious actors had gained unauthorized access to their networks over the past 30 days. They were also instructed to download and install the software patch released by MOVEit to solve the vulnerability. 

The cyber attack’s impact grew on June 5, when payroll provider Zellis stated that it had suffered a data breach related to the MOVEit cyber attack. The company said a “small number” of its customers had suffered subsequent data breaches as a result. Initially, these victims were thought to include the British Broadcasting Channel (BBC), highstreet health and beauty retailer Boots and United Kingdom flag carrier British Airways. On June 21, however, Clop claimed that they had never had access to this data.

In the following days and weeks after the MOVEit cyber attack, a number of victims came out to say they had also been impacted by the cyber security incident. These victims included accounting firm PwC, British watchdog Ofcom and Health Service Ireland.

It was discovered that Clop were responsible for the cyber after the gang attempted to exploit its victims. The gang made a post on its Telegram channel on June 7, saying that unless the victims of the cyber attack and subsequent data breaches paid them by June 16, their data would be released.

From June 16, Clop posted company information including names, addresses and websites to its darknet site. It is believed this was an attempt to coerce the victims into paying the ransom.

Read a full timeline of the MOVEit cyber attack here.

Malware found in 190 Android apps

Android apps that had been downloaded more than 30 million times were discovered to have been infected with SpinOk malware.

Cyber security company CloudSEK discovered that the Trojanized apps were available via the Google Play store. During an investigation, CloudSEK found that the Google Play store had 193 apps that contained malware, with 43 apps being active within the last week of the investigation.

SpinOK malware is easily spread as it poses as a legitimate software development kit (SDK), enticing software developers who are looking to make minigames with daily rewards to download it. This also entices those who download the infected apps to run the malware frequently. 

The malware itself was distributed via a SDK-based supply chain attack, meaning software developers likely unknowingly downloaded the Trojanized SDK without realizing it.

Once a device is infected with the malware, SpinOk is able to steal payment card details and login credentials, as well as hijacking payments to cryptocurrency wallets. It is also able to steal victim’s data including files, videos and images on the device. These files, images and videos are then sent to a private server. This means malicious actors can potentially steal victim’s identities, money or both.

The Google Play store said it will take “appropriate action on apps that violate [its] policies”. 

Learn more about SpinOk malware here.

DDoS attacks launched against Swiss websites ahead of Zelensky address

On June 12, targeted distributed-denial-of-service (DDoS) attacks were used against the Swiss government to force its government sites offline ahead of a video address by Ukranian President, Volodymyr Zelensky, which was due to take place on June 15. 

The Swiss National Cyber Security Center (NCSC) reported that “various websites of the Federal Administration and enterprises affiliated with the Confederation were unavailable” due to the DDoS attacks launched against them.  

The NCSC said that it will be “analyzing the attack together with the administrative units concerned and defining appropriate measures” and attempting to reduce disruption and return to normalcy by “taking measures to restore accessibility to the websites and applications as quickly as possible”.  

The DDoS attack was claimed by pro-Russia hacking group, NoName. The group made a post on messaging service Telegram saying that it launched the cyber attack to “thank Swiss Russophobes” for taking on another EU sanctions package against Moscow.

NoNome claimed that it had launched further DDoS attacks against the Swiss police force and justice ministry to defend Russia “on the information front”. The group said it will continue to use these attacks to defend Russia.  

Read Cyber Security Hub’s ultimate guide to DDoS attacks here.

BlackCat threatens to leak 80GB of Reddit data

Ransomware gang ALPHV, most commonly known as BlackCat, has claimed responsibility for the theft of 80GB of data from social media site Reddit. 

The ransomware gang made a post on its data leaks site saying that it was responsible for the phishing attack and subsequent data breached Reddit suffered in February 2023. BlackCat said that during the attack they had stolen 80GB of compressed data and will be selling it.

The malicious actors said they would be selling data after receiving no response from Reddit despite contacting the company on both April 13 and June 16 with their demands for the deletion of the data. BlackCat said they asked for US$4.5 million to delete the data, but are now “very confident that Reddit will not pay any money for their data”, leading to the decision to sell it. 

BlackCat said they are “very happy to know that the public will be able to read about all the statistics they track about their users and all the interesting confidential data [they] took”. The gang also claimed that Reddit “silently censor” users. 

Learn more about phishing attacks and how to prevent them here.

Blizzard Entertainment hit by DDoS attack

Video game company, Blizzard Entertainment, was the victim of a distributed-denial-of-service (DDoS) cyber attack on June 25.

A number of games that Blizzard hosts, including Diablo 4 and World of Warcraft, went offline as a result of the DDoS attack. This led to players taking to Blizzard’s forums to post about the cyber attack. 

In a tweet about the situation posted on June 25, Blizzard Entertainment’s customer support team said that they were actively monitoring the attack which was “affecting latency/connections to [its] games”. Three hours later, the company posted an update which said that the DDoS attacks against the network had ended. They also recommend that any players still having issues should troubleshoot their connection.

One member of Blizzard’s player forums remarked that it was “not surprising” that a cyber attack was launched against the company, potentially in reference to some of the controversies Blizzard Entertainment has faced over the past few years. These controversies range from accusations that the company has a toxic, “frat boy” company culture leading to women feeling unsafe in their offices, to players being disappointed with the company’s latest releases like Diablo 4 and Overwatch 2 Season 5.

Learn why gaming sites attract malicious actors and cyber attacks here.