Law Enforcement Has Disrupted Twenty-Nine Malicious Cyber Operations Since January 2023
Silk Typhoon infiltrated 400 Treasury computers, New threat actor Belsen Group leaked credentials for 15,000+ Fortigate devices, John Deere sued by US and states for anti-consumer repair practices, Biden officially releases last cyber CEO, Feds discovered Salt Typhoon before telcos did, much more
As a reminder, on Tuesdays and Thursdays, our premium subscribers have full access to our original content, expansive summaries, intelligently clustered related articles, our best and worst things of the day, and our customary closing thoughts.
So, please consider upgrading your subscription today to access this content along with Metacurity's complete archives.
Summary of the most critical infosec developments you should know today (complete postings available below to premium subscribers)
- According to an agency report, Chinese state-sponsored hackers known as Silk Typhoon and UNC5221 breached the US Treasury Department and accessed over 400 laptop and desktop computers, particularly those of staff and senior leaders working on sanctions, international affairs, and intelligence.
- A new hacking group called the Belsen Group has leaked the configuration files, IP addresses, and VPN credentials for over 15,000 FortiGate devices for free on the dark web, exposing sensitive technical information to other cybercriminals.
- The Biden administration and the states of Illinois and Minnesota sued tractor and agricultural manufacturer John Deere, arguing that the company’s anti-consumer repair practices have driven up farmers' prices and made it difficult for them to get repairs during critical planting and harvesting seasons.
- The Biden administration officially released its last, wide-ranging cybersecurity executive order to accomplish many eleventh-hour objectives, including strengthening the federal government's cybersecurity practices and improving AI-powered cyber defenses. (I previewed the order based on a leaked copy earlier this week.)
- Speaking at an event hosted by the Foundation for Defending Democracies, CISA Director Jen Easterly said that threat hunters from the Cybersecurity and Infrastructure Security Agency first discovered activity from Salt Typhoon on federal networks, allowing public and private sector defenders to more quickly “connect the dots” and respond to Chinese attacks on the US telecommunications industry.
- Change Healthcare, the UnitedHealth-owned health tech company that lost more than 100 million people’s sensitive health data in a ransomware attack last year, said that the company has “substantially” completed notifying affected individuals about the massive data breach, but if you search the web for the Change Healthcare data breach notice, you’re unlikely to find the web page in search engine results.
- US school districts affected by the recent cyberattack on edtech giant PowerSchool have said that hackers accessed “all” of their historical student and teacher data stored in their student information systems.
- Blood-donation not-for-profit OneBlood confirms that donors' personal information was stolen in a ransomware attack last summer.
- According to sources, the Trump transition team is considering Sean Plankey as the next Cybersecurity and Infrastructure Security Agency director.
- Czech cybersecurity startup Wultra has raised €3M (around $3.1 million) from Tensor Ventures, Elevator Ventures, and J&T Ventures to accelerate the development of post-quantum authentication technology.
Timeline of law enforcement disruption of cybercriminal operations
With news of the action by the US authorities to infiltrate and remove PlugX malware from thousands of computers, Metacurity revisited its timeline of law enforcement disruption of cybercriminal operations to bring this timeline up to date.
Our analysis reveals that since the beginning of 2023, there have been twenty-eight significant law enforcement takedowns of cybercrime or APT operations or disruptions of these groups’ operations. Nineteen, or 69%, of these takedowns were conducted in 2024 alone, highlighting the accelerating trend of such operations.
The following is a timeline of the announced law enforcement disruptions of malicious cyber actors from January 2023 through January 15, 2025. This timeline does not represent other government actions taken to crimp the ability of threat actors to engage in their efforts, such as sanctions levied against cryptocurrency mixers, arrests of leading cybercrime figures (unless those arrests coincided with takedowns), or sanctions against foreign adversarial individuals who facilitate government hacking initiatives. It also doesn't include efforts to seize cryptocurrency scam operators.