Last updated at Wed, 27 Dec 2023 00:13:32 GMT

Cyberattacks are a distinct concern in the Russia-Ukraine conflict, with the potential to impact individuals and organizations far beyond the physical frontlines. With events unfolding rapidly, we want to provide a single channel by which we can communicate to the security community the major cyber-related developments from the conflict each day.

Each Wednesday, we will update this blog at 5 pm EST with what we believe are the need-to-know updates in cybersecurity and threat intelligence relating to the Russia-Ukraine conflict. We hope this blog will make it easier for you to stay current with these events during an uncertain and quickly changing time.

May 25, 2022

As noted in last week’s update, today marks the final installment of this ongoing blog. We expect that cybersecurity and threat intelligence news pertaining to the Russia-Ukraine conflict will continue, and we will publish standalone content on the Rapid7 blog when major events occur or when there is a need for deeper analysis of the global threat landscape.

Threat Intelligence Update

  • Likely Chinese threat actors initiate phishing campaigns against Russian research institutes

Check Point researchers reported a cyberespionage campaign dubbed Twisted Panda that was active from at least June 2021 through April 2022. The campaign intensified following the Russo-Ukrainian War and targeted Russian and Belarusian defense research institutes. The campaign operators, likely of Chinese origin, used spear-phishing email messages with macro-embedded documents to deploy a previously undocumented backdoor, Spinner. The backdoor was used to collect system information (e.g. IP address, computer name, and OS version) and exfiltrate it to a remote command and control (C2) server.

Source: Check Point

  • Sandworm APT targets Ukraine using a novel malware loader

The Russian APT group Sandworm (AKA Voodoo Bear) used the previously undocumented ArguePatch malware loader as part of an Industroyer2 attack against a Ukrainian energy provider and in other attacks involving the deployment of CaddyWiper. The loader could be used to execute a second-stage malware at a particular time, which replaces the former use of a Windows scheduled task. In addition, Sandworm was observed to use an executable that was stripped of its digital signature and whose code was overwritten, in order to hide ArguePatch from being detected.

Source: ESET

  • Sberbank attacked with the largest DDoS attack in its history

The Russian state-owned bank Sberbank announced that it suffered the largest distributed denial-of-service (DDoS) attack in its history. The attack that occurred at the beginning of the month, was generated by a botnet with 27,000 compromised devices, located in the United States, the United Kingdom, Japan, and Taiwan. The attackers used various techniques to initiate the DDoS attack, including code injections into advertising scripts, malicious Chrome extensions, and weaponized Docker containers.

Source: Bleeping Computer

May 18, 2022

Unfortunately, the months-long conflict between Russia and Ukraine is unlikely to come to a clear resolution in the near future. While state-sponsored cyberattacks were a major concern at the war’s outset, they’ve proven not to be as widespread a threat as initially feared.

Next week, on Wednesday, May 25, we will publish the final edition of this ongoing blog. While we expect associated cyberattacks will continue, going forward we’ll publish standalone blog posts covering major threats and security incidents as they occur.

Threat Intelligence Update

  • Another phishing campaign unleashed by Gamaredon

The CERT-UA reported on another Gamaredon phishing campaign using lures related to the Battle of Kherson. The phishing messages contained HTA files starting an attack chain leading to the deployment of the GammaLoad.PS1_v2 malware.

Source: CERT-UA

  • Killnet shuts down Italian government websites for standing with Ukraine

Italy's Computer Security Incident Response Team (CSIRT) reported that the pro-Russian hacktivist group Killnet initiated DDoS attacks against government and military websites in the country. The threat actors used the "Slow HTTP" technique to overload the targeted servers and take down their hosted websites. Killnet acknowledged the attack and stated that further attacks may follow, probably due to Italy's support of Ukraine.

Source: CSIRT-ITA

May 11, 2022

Earlier this week, the US imposed additional sanctions on Russia, adding to a long list of economic restrictions since Russia’s invasion of Ukraine. The latest round of sanctions prohibit US persons from providing accounting, trust, corporate formation, or management consulting services to any person inside the Russian Federation. The sanctions also target Russian state-controlled television stations. The US also announced it will impose additional export controls on a wide range of industrial equipment and raw material, such as wood products, motors, and many other items. Finally, the US imposed sanctions and visa restrictions on a large number of individual Russian elites and executives at major state-owned enterprises. See more details about these actions in statements from the White House and the US Treasury Department.

The US and its allies also attributed cyberattacks against commercial satellite providers to Russian state-sponsored actors. The attack against Viasat in Ukraine spilled over to other nations, disrupting thousands of wind turbines in Europe. Though the spillover may have been unintentional, it is notable that the cyberattack damaged the critical infrastructure of a NATO ally at a time that NATO leaders reiterate that cyberattacks can be significant enough to trigger NATO members’ collective defense obligations. As part of this announcement, CISA updated its satellite cyber protection guidance. See here for additional information.

Threat Intelligence Update

  • The Ukrainian CERT announces a new APT28 phishing campaign

The CERT-UA reported on an APT28 phishing campaign, in which the threat actors sent email messages impersonating the cybersecurity agency. The messages contained RAR archives with SFX files, distributing the malicious program CredoMap_v2. The program used HTTP POST requests to send stolen user credentials to a web resource, hosted on the Pipedream platform.

Source: CERT-UA

  • Hackers shut down "Russian YouTube"

Pro-Ukraine hackers took down the RuTube video streaming site during President Putin's speech on "Victory Day." The hackers defaced the online Russian TV schedule page to display anti-war messages, accusing Russia of killing Ukrainian citizens and spreading fake news.

Source: Bleeping Computer

May 4, 2022

Computerworld reported on cyber conflict between Russia, Ukraine, and Belarus, detailing and linking to further reports on the hacks of Belarusian train scheduling software that runs on Windows XP. The article also discussed earlier reporting on Ukrainians rebuffing complex Russian attacks like those described in the Microsoft report.

The EU is moving forward with a plan to ban nearly all imports of Russian oil. While the US and UK have already proceeded with similar bans, the EU plan is significant, as Europe is much more dependent on Russian energy imports. However, the embargo does not include gas, and some especially dependent countries - notably Hungary and Slovakia - have requested exemptions from the import ban through 2023.

Threat Intelligence Update

  • A Chinese state-sponsored group targets Russian entities

Google's Threat Analysis Group (TAG) reported on five active threat groups targeting organizations and individuals in Eastern Europe. Interestingly, one of the groups, Curious Gorge, assumed to be associated with China's Liberation Army Strategic Support Force (PLA SSF), was observed to target Russian organizations, including multiple defense contractors, manufacturers, and a logistics company. This report seems to continue the trend that was observed last month with Mustang Panda's attack on Russian officials, indicating a possible shift in China's intelligence collection objectives amidst the Russo-Ukrainian War.

Source: Google TAG

  • DDoS attacks target pro-Ukraine websites

The CERT-UA warned against ongoing DDoS attacks targeting pro-Ukraine websites and the government web portal. The threat actors, whose identity is unknown, compromised WordPress sites, injecting them a malicious JavaScript code (BrownFlood). The code was designed to run on the website visitor's computer and direct its resources to generate a large number of requests for predefined target URLs.

Source: CERT-UA

  • Killnet attacks the Romanian government for supporting Ukraine

The pro-Russian group of hacktivists, Killnet, initiated a DDoS attack against Romanian government websites, including the official website of the Romanian government, the Ministry of Defense, Romanian Border Police, and Romania’s National Railway Transport Company. The hackers took down the websites and also deleted some of the data that was stored upon them. The attack probably resulted from the Romanian government's public support of Ukraine.

Source: Bleeping Computer

April 27, 2022

As noted in last week’s update, NATO’s Cooperative Cyber Defense Centre of Excellence (CCDCOE) held a 30 nation-wide “Locked Shields” exercise to ensure cyber-readiness across the alliance. They also announced “winners” with Finland coming in first place, the Lithuania-Poland team coming in second, and Estonia catching the bronze in third. Overall, there were 24 defender teams participating in this critical exercise.

Today, noted cyber-journalist Kim Zetter reported in her Substack newsletter that the Kremlin’s cyber division began working to gain access to Ukrainian government and critical infrastructure networks a year before the invasion. This news comes from a Microsoft 21-page special report detailing cyber and kinetic operations targeting Ukraine, including timelines, tactics, and techniques.

Threat Intelligence Update

  • Chinese state-sponsored group targets Russian officials

Secureworks researchers reported that Mustang Panda (AKA Bronze President) targeted Russian officials using phishing email messages. The messages included lure attachments that were allegedly sent by the European Union, containing sanction details against Belarus. The attachments in the form of Windows executables (.exe) downloaded a DLL Loader executing the PlugX malware. The state-sponsored group's campaign was assumed to indicate a shift in China's intelligence collection objectives amidst the Russo-Ukrainian War.

Source: Bleeping Computer

  • UAC-0056 continues to target Ukrainian entities

The CERT-UA reported on another UAC-0056 (AKA SaintBear) phishing campaign against Ukrainian entities. The threat actors used a compromised account of a Ukrainian state employee to send phishing email messages distributing the GraphSteel and GrimPlant malware.

Source: CERT-UA

April 20, 2022

McKinsey posted an update to their previous statement on Russia’s invasion of Ukraine, noting that “all client service in Russia has ended as of 15 April 2022.”

Gizmodo reports that cybersecurity experts representing 30 NATO members are participating in a simulation for a digital war this week to defend a fictional island country, “Berylia,” in the northern Atlantic Ocean in the hopes that lessons learned will better prepare them for the possibility of a Russian attack as war ravages Ukraine. NATO’s Cooperative Cyber Defense Centre of Excellence (CCDCOE) has codenamed the effort “Locked Shields” and paints the scenario as follows:

“[This fictional nation] ​​is experiencing a deteriorating security situation. A number of hostile events have coincided with coordinated cyberattacks against Berylian major military and civilian IT systems. The exercise planners draw on the current geopolitical situation to develop realistic and challenging scenarios that take into account the current security environment where cyber incidents are unlikely to happen in isolation and are employed as part of a wider geopolitical strategy.”

The Financial Services Information Sharing and Analysis Center (FS-ISAC) is also participating in the exercise.

The Washington Post’s Cybersecurity 202 posted excerpts of an interview with Estonia's former president, Toomas Hendrik Ilves, containing strong cautions and notes of what may happen on combined cyber and kinetic fronts as the war becomes prolonged. Ilves is quite familiar with Russian cyber tactics, having led his nation through “a blistering digital attack that shut down government and financial websites for days.”

BleepingComputer notes that Russian companies and individual software developers have been reporting — since April 13, 2022 — that their GitHub accounts are being suspended without warning if they work for or previously worked for companies under US sanctions.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint Cybersecurity Advisory warning organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia, as well as material support provided by the United States and its allies and partners.

Threat Intelligence Update

  • Two new phishing campaigns target Ukrainian entities  

The CERT-UA reported on two new phishing campaigns targeting Ukrainian entities. In the first campaign, attributed to UAC-0097, the threat actors sent image files containing a JavaScript code for the exploitation of an XSS vulnerability in the Zimbra Collaboration Suite (CVE-2018-6882). The vulnerability enables threat actors to remotely inject arbitrary web scripts or HTML through a content-location header in email attachments. In the second reported campaign, attributed to UAC-0041, the attackers sent macro-embedded Excel documents that were used to deploy the GzipLoader malware and the IcedID banking Trojan (AKA BankBot).

Source: Bleeping Computer

  • Gamaredon uses new malware variants to attack Ukraine

Symantec researchers reported that Gamaredon used four new variants of the Pterodo backdoor in attacks against Ukrainian entities. All these variants use obfuscated VBS droppers that add scheduled tasks and download additional malicious modules from different C2 servers.

Source: Symantec

  • Anonymous continues to leak alleged Russian organization data

Anonymous and its affiliates claimed to breach Gazprom Linde Engineering, leaking 768,000 emails allegedly belonging to the company. In addition, NB65 announced the hack of Continent Express, the Russian largest independent travel agency, leaking nearly 400 GB of files and databases. Other alleged breaches this week include GUOV I GS, the General Department of Troops and Civil Construction, the Russian construction company Gazregion, and the Tendertech financial firm.

Source: Security Affairs, The Tech Outlook, and @YourAnonNews via Twitter

April 13, 2022

As the Russia-Ukraine conflict continues, the rapid pace of new cyber threat intelligence has not kept up. Starting today, we are moving to a weekly publishing schedule for these updates on Wednesdays at 5pm EST. We hope this cadence will allow us to curate the content of our updates and provide the most relevant information on the cybersecurity dimensions of the conflict.

The Washington Post is reporting that the Pentagon is looking to transfer armored Humvees and a range of other sophisticated equipment and supplies totaling near $750 million (USD) to Ukraine. CNN has also reported on this.

Threat Intelligence Update

  • Anonymous claims to leaks the data of a Russian regional education department

Anonymous continues to target Russian government facilities, claiming to hack the Russian Department of Education for the Strezhevoy City District Administration. The threat actors leaked 221 GB of data consisting of 250,000 email messages allegedly belonging to the department.

Source: @YourAnonNews via Twitter

April 12, 2022

While Ukraine’s “IT army” has been a known entity since the beginning of the war, this analysis piece in Foreign Policy takes a deeper dive into the group, starting with their first, public campaign and following through to the latest attacks.

Threat Intelligence Update

  • Sandworm attempts to shut down a Ukrainian energy provider

The CERT-UA reported that Sandworm attacked an ICS network of a Ukrainian energy organization using a new variant for the Industroyer malware, dubbed Industroyer2, and CaddyWiper. In addition, the threat actors used the OrcShred, Soloshred, and AwfulShred destructive scripts to sabotage Linux servers and Solaris operating systems. The general plan was to disrupt the power in a region of Ukrainian. However, ESET researchers reported that the attack was unsuccessful.

Source: ESET Research

  • Anonymous hacked Russia’s Ministry of Culture and a governor’s office

Anonymous claimed to breach Russia’s Ministry of Culture, leaking 446 GB of data, including over 200,000 email messages allegedly stolen from its databases. In another attack, the group of hacktivists claimed to hack the Tver Governor’s office, leaking 116 GB of data allegedly belonging to the governor and his staff. Source: Security Affairs

April 11, 2022

The Associated Press is reporting that, according to the World Bank, Ukraine’s economy “will shrink by 45% this year because of Russia’s invasion, which has shut down half of the country’s businesses, choked off imports and exports, and damaged a vast amount of critical infrastructure.”

On April 10, 2022, The New York Times posted a story on the destruction of Ukraine’s farms. While the Times article touches on the subject, OCHA’s ReliefWeb has a more thorough discussion on the importance of Ukraine and Russian Federation agriculture to the global food supply.

Threat Intelligence Update

  • NB65 attacked Russian organizations using Conti’s leaked ransomware

The Anonymous-affiliated group Network Battalion 65' (NB65) attacked Russian organizations using a modified ransomware that was based on Conti's leaked source code. When encrypting the files that are stored on the infected computer, the ransomware appends them with the .NB65 extension and creates a ransom note with accusations against President Vladimir Putin.

Source: Bleeping Computer

April 8, 2022

Yle News is reporting that the Finnish foreign affairs and defense ministry websites were hit by a distributed denial of service (DDoS) attack just as Ukrainian President Volodymyr Zelensky addressed the Finnish Parliament.

On April 5, 2022, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) “sanctioned the world’s largest and most prominent darknet market, Hydra Market (Hydra), in a coordinated international effort to disrupt proliferation of malicious cybercrime services, dangerous drugs, and other illegal offerings available through the Russia-based site. The operation targeting Hydra was a collaborative initiative joined by the US Department of Justice, Federal Bureau of Investigations [sic], Drug Enforcement Administration, Internal Revenue Service Criminal Investigation, and Homeland Security Investigations. This action was enhanced by international cooperation with the German Federal Criminal Police, who today shut down Hydra servers in Germany and seized $25 million worth of bitcoin.”

The 451 Group published [direct PDF] a report detailing how the conflict in Ukraine may indirectly trigger more cybersecurity investment moving forward.

NeimanLab posted an article that looks at the impact the conflict has had on digital influencers in Russia.

Threat Intelligence Update

  • Microsoft disrupts APT28 infrastructure used in attacks against Ukraine

The endeavors to thwart cyberattacks against Ukrainian entities continue with Microsoft shutting down seven domains that were used as attack infrastructure for APT28 (AKA Fancy Bear). In addition to attacks against Ukraine, these domains were used in campaigns against US and EU government institutions that deal with foreign policy.

Source: Bleeping Computer

  • Anonymous leaks the information of three large Russian companies

Anonymous published three datasets including approximately 400,000 email messages allegedly belonging to three well-established Russian companies: Petrovsky Fort, Aerogas, and Forest. Aerogas’ clients include the largest state-owned oil and gas companies in Russia.

Source: Cyber News

April 7, 2022

ABC News is reporting that the US Senate has unanimously voted to suspend normal trade relations with Russia and ban the importation of its oil.

Bloomberg reports that Russia attempted to pay their due bond payments in rubles after foreign banks declined to process the owed ~$650 million (USD). The notes that are due have a 30-day grace period. If the situation continues past the due date, Russia will be in default of their sovereign debt.

According to The Seattle Times, the UN General Assembly has voted to suspend Russia from the world organization’s leading human rights body over allegations of “horrific rights violations” by Russian soldiers in Ukraine. The vote was 93-24 with 58 abstentions, significantly lower than the vote on 2 resolutions the assembly adopted last month demanding an immediate cease-fire in Ukraine, withdrawal of all Russian troops, and protection for civilians. Both of those resolutions were approved by at least 140 nations.

The Centre for Information Resilience provides a weekly “Eyes on Russia Report” update, in which they document and verify significant incidents related to Russian aggression toward Ukraine.

In Meta’s Q1 2022 Adversarial Threat Report [direct PDF link], the authors note that they have removed “a small network of 27 Facebook accounts, two Pages, three Groups, and four Instagram accounts for violating our policy against coordinated inauthentic behavior.” They go on to say that the network operated from Russia and Ukraine and targeted primarily Ukraine.

In another action detailed in the same report, Meta removed another Russian-homed network of nearly 200 accounts that were coordinating to falsely report individuals for various violations, including hate speech, targeting people in Ukraine and Russia.

Threat Intelligence Update

  • The Cyclops Blink botnet operation disrupted by the US

The US Federal Bureau of Investigation announced that it disrupted the operation of the Cyclops Blink botnet, operated by the Russian GRU-affiliated APT group, Sandworm. Cyclops Blink, the apparent successor to the VPNFilter malware, was removed from all identified Watchguard devices serving as its command and control servers. The US Attorney General stated that similar infrastructure was used to attack Ukrainian entities, and this botnet’s infrastructure was disrupted before it could be used.

Source: US Department of Justice

April 6, 2022

The Council on Foreign Relations has a podcast episode on “War in the Digital Age” and interviews Audrey Kurth Cronin, a distinguished professor at American University’s School of International Service. They discuss how technology, innovation, and social media are shaping Russia’s war in Ukraine and what it might mean for the future.

Intel issued a press release stating, “Effective immediately, we have suspended all business operations in Russia.” In its statement, the company goes on to say, “We are working to support all of our employees through this difficult situation, including our 1,200 employees in Russia.”

Foreign Affairs published a well-researched article titled “The Myth of the Missing Cyberwar,” noting — among other posits — that “all available evidence indicates that Russia has employed a coordinated cyber-campaign intended to provide its forces with an early advantage during its war in Ukraine.” We encourage time-strapped readers to, at a minimum, digest the “No Restraint” section that concludes the article.

The Washington Post reports that the US government and energy firms have closed ranks and are working together to shore up the collective cyber defenses of the industry in an effort to help prevent negative outcomes that could occur as the Ukraine war continues.

Threat Intelligence Update

  • Anonymous claims to hack Kremlin CCTV

Anonymous claimed that they gained access to the Kremlin CCTV system and published their live feeds on Twitter.

Source: @YourAnonTV via Twitter

  • Ukrainian cyber agencies warn of attempts to hack Telegram accounts

The CERT-UA and the Cyberpolice of Ukraine warned of threat actors sending messages with malicious links to Telegram sessions, in order to gain unauthorized access to the accounts and steal sensitive information. The activity is tracked as UAC-0094.

Source: gov.ua and CERT-UA

April 5, 2022

The Wall Street Journal notes that Ukrainian President Volodymyr Zelensky called for the removal of Russia from the UN Security Council after alleged war crimes, citing newly discovered atrocities that could be worse than those in Bucha.

According to CNN, the US will announce new sanctions on Russia Wednesday in coordination with allies from the Group of 7 and the European Union. An administration official said the sweeping package "will impose significant costs on Russia and send it further down the road of economic, financial, and technological isolation."

Fed Scoop reports that Gen. Paul Nakasone, Commander of the US Cyber Command, stated that the Command has been "integral to the nation’s response to this crisis since Russian forces began deploying on Ukraine’s borders last fall." He further noted that "we have provided intelligence on the building threat, helped to warn US government and industry to tighten security within critical infrastructure sectors, enhanced resilience on the DODIN (especially in Europe), accelerated efforts against criminal cyber enterprises and, together with interagency members, Allies, and partners, planned for a range of contingencies."

Threat Intelligence Update

  • Gamaredon attacks Ukrainian government organizations

The CERT-UA reported on a phishing campaign that was conducted by the Russian threat group Gamaredon (AKA UAC-0010), targeting Ukrainian government agencies. The phishing messages contained attachments with lures concerning the Russia-Ukraine conflict. These attachments eventually led to the download of an HTA file containing VBScripts that executed a powershell script (GammaLoad.PS1) to collect system data.

Source: CERT-UA

  • Anonymous leaks alleged personal information of Russian soldiers serving in Bucha

In response to the Russian brutal attack on Bucha, Anonymous claimed to leak the personal details of Russian military personnel serving in the 64 Motor Rifle Brigade and stationed in Bucha. The leak included names, ranks, and passport details.

Source: @Anonymous_Link via Twitter and Security Affairs

April 4, 2022

Lithuania announced it is “completely abandoning Russian gas imports.” Amber Grid, the Lithuanian gas transmission system operator, confirmed that as of April 2, 2022, the import of Russian gas for Lithuania's needs through the Lithuanian-Belarusian interconnection was equal to 0 MWh.

Business Insider reports that Miro, a $17.5B (USD) startup originally founded in Russia has closed its office in Russia (back in March) and is relocating employees to other regions.

There is an article in The Conversation, a nonprofit independent news organization that sources articles only from academic experts, on why cyberattacks have yet to play a significant role in Russia’s battlefield operations in Ukraine. The authors cite numerous cyberwarfare experts throughout the piece.

Threat Intelligence Update

  • UAC-0056 targets Ukrainian entities

Cybersecurity researchers reported on a new UAC-0056 activity targeting several Ukrainian entities, including the ICTV TV channel. The threat actors used spear-phishing email messages with malicious macro-embedded Excel documents. These were used to install the Elephant dropper and downloader, leading to the deployment of the GrimPlant and GraphSteel backdoors. The backdoors exfiltrated stolen data, including general system information, browser credentials, and WiFi information.

Source: Malwarebytes

  • Massive Yandex Food data leak exposes Russian security agents

Bellingcat published an analysis of the data that was leaked from Yandex Food at the beginning of March. It seems that the leak included the details of 58,000 users, including individuals connected to Russia’s Main Intelligence Directorate (GRU) and the country’s foreign military intelligence service. Yandex stated that the leak occurred as a result of an inside job and not a cyberattack.

Source: The Verge

  • Anonymous claims to breach the Russian Orthodox Church

Anonymous claimed to hack the Russian Orthodox Church’s charitable wing, leaking 15 GB of data, including around 57,000 email messages allegedly belonging to the church.

Source: Security Affairs

April 1, 2022

The Kiev Independent is reporting that Russia began a new military draft for and expects to amass 134,500 conscripts aged 18 to 27 by July 15, 2022.

According to the Wall Street Journal, most of Europe, Canada, Mexico, Japan, and South Korea will join the US in a bid to tame energy prices that have soared following Russia’s invasion of Ukraine.

Officials in Connecticut confirmed the successful distributed denial of service (DDoS) attack on Bradley International Airport’s website. Earlier in the week, the threat intelligence and mitigation firm Cyberknow posted a translated message left behind by hackers, claiming to support Russia, taking credit for the attacks.

Threat Intelligence Update

  • Viasat confirms to be attacked by the AcidRain wiping malware

The cyberattack on the KA-SAT satellite broadband network, owned by Viasat, seems now to be the work of a wiping malware dubbed AcidRain. The attack occurred on February 24, the day of the Russian invasion of Ukraine, and is believed to have caused severe communications disruptions in Ukraine and the surrounding areas. AcidRain is the seventh wiping malware to be documented in the attacks against Ukraine since the beginning of the year.

Source: Bleeping Computer

  • Anonymous claims to hack Russian investment firm Marathon Group

Anonymous continues to fulfill its threats to hit companies owned by Russian oligarchs. The hacktivist group claimed to breach the Russian investment company Marathon Group, owned by oligarch Alexander Vinokuro, leaking 62,000 email messages allegedly belonging to the company.

Source: Security Affairs

March 31, 2022

RIPE Labs, the research arm of the EU RIPE Network Coordination Centre, posted a deep-dive into the “Russian Sovereign Internet and Number Resources.” In it, they discuss the 2018 “Sovereign Internet” regulation enacted by the Kremlin and what impacts it started to have in 2021 as it was applied to internet name and number resources. Finally, they posit what this regulation might mean for the Russian internet space moving forward and what impacts it might have on the global internet.

Threat Intelligence Update

  • Anonymous puts pressure on Russian oligarchs

Anonymous leaked 5,500 email messages that were allegedly stolen from the Russian investment firm Thozis Corp, owned by the Russian oligarch Zakhar Smushkin. Some of the email messages contained sensitive information about deals and investments that were made by the company. The group stated that the attack's goal was to put pressure on the Russian oligarchs supporting the Russian economy.

Source: Security Affairs

March 30, 2022

Bloomberg reports that the world’s largest cement maker is divesting their Russian business and selling 3 factories.

The Wall Street Journal is reporting that the United Nations estimates the number of refugees fleeing the war in Ukraine to be over 4 million. They further report that the Biden administration is providing $500 million USD in budgetary aid to Ukraine to be used for expenses such as salaries and maintaining government services.

The Washington Post notes one NASA astronaut and 2 Russian cosmonauts landed safely in Kazakhstan after undocking from the International Space Station.

In response to the crisis in Ukraine, The Washington Post, The New York Times, and The Financial Times have each created Telegram channels where they are providing updates on the situation.

Threat Intelligence Update

  • The COLDRIVER threat group targets US and NATO entities

The Google's Threat Analysis Group (TAG) reported on 3 threat actors operating in Eastern Europe in the past 2 weeks. One of them is COLDRIVER, a Russian-based threat actor that initiated credential phishing campaigns against multiple entities siding with Ukraine, such as US NGOs and the NATO Centre of Excellence.

Source: Google Blog

  • AgainstTheWest hacker group turns its focus from Russia to China

The hacker group AgainstTheWest claimed to breach multiple Chinese organizations for supporting Russia. These include Alibaba Cloud, Amazon China, JD, Bank of China, All-China Federation of Trade Union, and others. The group also claimed they would soon release data stolen from the compromised companies.

Source: @AnonHacWordWide via Twitter

  • Threat actors attack the Russian Civil Aviation Authority

The Russian Civil Aviation Authority Rosaviatsiya was attacked by unnamed threat actors, erasing 65 TB of data and collapsing the government agency’s network. It was reported that at least some of the data had no backups and could not be restored. The attack was initially attributed to Anonymous – however, the group has denied any relation to the incident and stated that they do not engage in cyberterrorism.

Source: Cyber News and @EuromaidanPress via Twitter

March 29, 2022

Politico reports that Poland is no longer importing coal from Russia.

Bloomberg News is reporting that all Bloomberg entities, including their financial data and trading platforms, have suspended operations in Russia and Belarus.

The BBC notes that Ireland, Belgium, the Netherlands and the Czech Republic have issued expulsion orders to a total of 43 Russian embassy staffers.

Threat Intelligence Update

  • Ukraine brings down 5 disinformation bot farms

The Ukrainian Security Service (SSU) announced that since the beginning of the war, it has shut down 5 bot farms with over 100,000 fake social media accounts spreading fake news. The SSU attributed the actions to the Russian special services and their wish to destabilize the sociopolitical situation in Ukraine.

Source: Bleeping Computer

  • Anonymous leaks data allegedly from 2 Russian companies  

Anonymous claimed to have hacked the Russian construction company Rostproekt, leaking 2.4 GB of email messages allegedly belonging to the company. In addition, the group announced that it had hacked the Russian manufacturer MashOiL, stealing and publishing approximately 140,000 of the company's email messages.

Source: Security Affairs

March 28, 2022

According to Reuters, a senior US defense official has assessed that Ukrainian forces have retaken the town of Trostyanets, south of Sumy.

Ukraine’s parliament has amended its criminal code to allow penetration testing of its IT and communications networks in order to help the government find and fix vulnerabilities.

Politico took a deep dive into the complexities around the Biden administration’s “ominous warnings” about looming Russian cyberattacks.

Reuters is reporting that Russian forces have left the Ukrainian town of Slavutych, home to workers at the defunct nuclear plant of Chernobyl, after completing their task of surveying it.

Forbes reports that a "powerful" cyberattack has hit Ukraine's national telecommunications company, Ukrtelecom. Described as the most severe cyberattack since the start of the Russian invasion in February, it has taken down the company’s services across the country. Victor Zhora, deputy head of the State Service for Special Communications and Information Protection, confirmed that the government was investigating the attack. He said it's not yet known whether Ukrtelecom has yet been hit by a distributed denial of service (DDoS) attack or a deeper, more sophisticated intrusion.

BGPStream (a Cisco public network observation service) recorded a possible network route hijack of Twitter by a Russian-managed autonomous system provider RTComm starting at 2022-03-28 12:06:26 UTC. BGP prefix hijacks can be used to block access to services or intercept traffic to/from the IP addresses in the affected network range. RTComm has not released a statement on the reason for the suspected hijack.

Russia is slated to release their own state-controlled version of Instagram, dubbed Rossgram, by end of day Monday, March 28, 2022.

Threat Intelligence Update

  • Ukrainian Intelligence publishes the information of alleged Russian FSB officers

Ukraine's Main Intelligence Directorate released the names and identifiable information of more than 600 Russian Federal Security Service (FSB) officers operating in Europe. The list includes their names, date of birth, phone numbers, and other personal information.

Source: gur.gov.ua

  • NB65 claims to have hacked Russia's largest media corporation

The Anonymous-affiliated group NB65 claimed they hacked the All-Russia State Television and Radio Broadcasting Company (VGTRK), accusing them of spreading Putin's propaganda. In addition, the hackers allegedly stole 870 GB of data from the company to be released soon.

Source: Security Affairs

March 25, 2022

Reuters is reporting that Russia's defense ministry said on Friday that the first phase of its military operation in Ukraine was mostly complete and that it would focus on completely "liberating" eastern Ukraine's Donbass region.

According to Reuters, German business software giant SAP said on Thursday it would shut down its cloud operations in Russia, withdrawing further from the country after stopping sales in Russia earlier this month.

VICE is running a story that Lantern, a US-based digital infrastructure company, is rushing to lay the final pieces of an unbreakable network that the Kremlin won’t be able to take down. According to the reporter, Lantern says it has seen staggering growth inside Russia in the last four weeks for its app, which allows users to bypass Kremlin restrictions on accessing platforms like Facebook, Twitter, and Instagram. According to the story, the company is now building something even more robust, an internal peer-to-peer network that allows dissenting voices to continue to upload and share content even if the Kremlin pulls the plug on the internet.

The Financial Times takes a deep dive into Ukraine’s digital defenses as officials there work to fend off a constant barrage of cyberattacks from Russia.

The US Department of Justice (DoJ) has unsealed indictments charging 4 Russian nationals and Kremlin operatives with attempting, supporting, and conducting computer intrusions that together, in two separate conspiracies, targeted the global energy sector between 2012 and 2018. In total, the indictments reveal that these hacking campaigns targeted thousands of computers, at hundreds of companies and organizations, in approximately 135 countries. In conjunction with the DoJ announcement, the US Cybersecurity and Infrastructure Security Agency (CISA) released an alert detailing the tactics, techniques, and procedures used by the 4 defendants.

Threat Intelligence Update

  • Anonymous continues to target Western companies dealing with Russia

After the recent attack on Nestlé, Anonymous hackers continue to fulfill their threats to hit Western companies dealing with Russia. The group launched a DDoS attack that shut down the websites of Auchan, Leroy Merlin, and Decathlon. The group’s tweets indicate they are continuing to target companies still doing business with Russia.  

Source: Security Affairs

March 24, 2022

NBC News reports that the US will place additional sanctions on more than 400 Russians and Russian entities, including the Duma and more than 300 of its members, along with more than 40 defense companies. They also note that the White House announced it would also allow as many as 100,000 Ukrainians to enter the US, with a focus on those who are most vulnerable. Finally, they reported that White House officials stated that the administration is prepared to offer more than $1 billion in additional funding toward humanitarian assistance and $11 billion over the next 5 years to address worldwide food security threats after the disruptions to the Russian and the Ukrainian agricultural industries.

The New York Times is reporting that the White House has assembled a team of national security officials to sketch out scenarios of how the US and its allies should respond if Russia unleashes his stockpiles of chemical, biological, or nuclear weapons. They further report that this team is also examining responses if Russia reaches into NATO territory to attack convoys bringing weapons and aid to Ukraine.

Wired is running a story following up on the February 24, 2022 Russian cyberattack on KA-SAT, a satellite-based internet service for a large portion of Europe. They report that Russia’s goal was to disrupt Ukraine’s drone control program, but Russia ended up impacting power generation and other services in many countries far removed from the battlefield. Thousands of organizations and households remain without satellite internet communications over a month after the initial attack.

MikroTik, a major global supplier of networking equipment, announced it stopped all shipments to and licensing in Russia and Belarus beginning in February and have donated more than €100,000 of networking devices to humanitarian efforts.

Threat Intelligence Update

  • Ukrainian organizations attacked by the DoubleZero wiper

The Computer Emergency Response Team of Ukraine (CERT-UA) warned against spear-phishing attacks targeting Ukrainian organizations and distributing the DoubleZero wiper. The attacks were attributed to the UAC-0088 threat group.

Source: Security Affairs

  • Anonymous hacks the Central Bank of Russia  

Anonymous claimed to compromise the Central Bank of Russia, allegedly stealing 35,000 files to be leaked in 48 hours.

Source: Security Affairs and Twitter

  • Russia bans Google News for spreading "unreliable information"

Russia's telecommunications regulator, Roskomnadzor, banned Google News and blocked access to its website for directing users to "unreliable information" about the Russia-Ukraine conflict. This decision follows the new Russian legislation forbidding the distribution of “Western propaganda” news on the war, as well as the ban of social media platforms, such as Facebook, Twitter, and Instagram, in the country.

Source: Bleeping Computer

March 23, 2022

The US Department of Justice announced the reestablishment of the Cross-Border Crime Forum with Canada. In it, officials noted that they “are working vigilantly to protect the cybersecurity of our critical infrastructure sectors given Russia’s further invasion of Ukraine. We also reiterated our commitment to work together through the G7+ REPO Task Force to locate and freeze virtual and physical assets of sanctioned Russian individuals and entities, and to forfeit the proceeds of kleptocracy or other crimes.”

Politico published an article taking a deep dive into the extended cyberwar actions of Russia (or, lack thereof). The fundamental takeaway from the piece is that no expert really understands why cyber has not had more focus, but the expectation is that this may change very soon.

CBS is reporting that the FBI said it has identified 140 Russian IP addresses that have engaged in “abnormal scanning activity” against the infrastructure of at least 23 US companies in the energy sector. They added that ​​the IP addresses are associated with prior attacks and "likely indicates early stages of reconnaissance, scanning networks for vulnerabilities for use in potential future intrusions.”

SC Media notes that the Department of Health and Human Services is urging provider organizations to review and bolster defenses to guard against possible fallout from the Russian invasion of Ukraine.

US Secretary of State Antony Blinken published a statement announcing that, “based on information currently available, the US government assesses that members of Russia’s forces have committed war crimes in Ukraine.”

Threat Intelligence Update

  • Fraudulent email messages impersonate fundraising for Ukraine

Action Fraud, the national fraud reporting center of the UK, published a warning against scam email messages pretending to raise money for the victims in Ukraine. The organization notes that these messages lead to malicious websites that steal the donors' money and personal information. Action Fraud listed the following measures on how to detect the scams:  

- Never click on the links or attachments in suspicious emails or respond to unsolicited messages asking for personal or financial details even if they are in the name of a charity.

- To donate online, type in the address of the charity website rather than clicking on a link.

- Be cautious when donating to an online fundraising page fake ones are often badly written or contain spelling mistakes.

Source: BBC News

March 22, 2022

In response to the announcements from the Biden administration yesterday, Rapid7 has provided “8 Tips for Securing Networks When Time Is Scarce” that are all actionable now, to help defenders can take to protect themselves

Reuters is reporting that the Kremlin has dismissed yesterday’s warning of potential Russian cyberattacks, stating that “the Russian Federation, unlike many Western countries, including the United States, does not engage in state-level banditry.”

National Security Advisor Jake Sullivan held a press briefing today on the Russia-Ukraine conflict. When asked if a cyberattack by Russia against a NATO member could trigger an Article 5 response, Sullivan referred to earlier statements indicating that NATO members would coordinate on a response if such an attack occurred. He did not add details as to the exact type of response. Furthermore, when asked by another reporter what type of attack would constitute a cyberattack, Sullivan responded that President Biden’s remarks yesterday indicate such attacks would have to be like those seen in mid-2021, such as disruptive ransomware attacks.

Threat Intelligence Update

  • Anonymous warns companies dealing with Russia, attacks Nestle

Anonymous has warned Western companies to immediately pull their business from Russia or get hacked. The group claims that it fulfilled its threats with an attack on Nestlé, leaking 10GB of allegedly stolen data, including email messages, user passwords, and customer information.

Source: Homeland Security Today and Twitter

March 21, 2022

Sky News — along with many other outlets — is reporting that the US ambassador was summoned by Russia's foreign ministry today and told that ties between the US and Russia are on the verge of being severed. They cited "unacceptable" comments by US President Joe Biden about Russia's Vladimir Putin. According to Sky News, “the ambassador said the remarks were ‘unacceptable ... unworthy of such a high-ranking statesman and put US-Russia relations on the brink of collapse.’”

President Biden delivered a statement reiterating warnings about potential cyberattacks coming from Russia and directed at the United States. The White House subsequently issued a new fact sheet urging organizations to act now to protect themselves from potential cyberattacks. According to the White House, the guidance notes specific areas of urgency:

​​- Mandate the use of multifactor authentication on your systems to make it harder for attackers to get onto your system;

- Deploy modern security tools on your computers and devices to continuously look for and mitigate threats;

- Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors;

- Back up your data and ensure you have offline backups beyond the reach of malicious actors;

- Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;

- Encrypt your data, so it cannot be used if it is stolen;

- Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly; and

- Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents. Please encourage your IT and Security leadership to visit the websites of CISA and the FBI, where they will find technical information and other useful resources.

Similarly, the Krebs-Stamos Group has made public another resource for organizations concerned with the current conflict. Their “Shields Up” report (which makes reference to CISA’s “Shields Up” resource) addresses one of the most pressing questions many leaders have: “What can a company do to enhance their security posture on short notice?"

The Verge is reporting that a Russian court upheld the Kremlin’s charge that Facebook/Meta has been engaged in “extremist activities.” The services will continue to be banned in Russia and Russian organizations and individuals have been prohibited from purchasing advertising on Instagram and Facebook. Trading in Meta shares is also prohibited, as is displaying Meta/Facebook/Instagram logos in public.

Threat Intelligence Update

  • Anonymous attacked a Russian pipeline company

Anonymous announced that they breached Omega, the R&D division of the Transneft oil company. The threat actors claimed to have stolen 79 GB of data from the Russian state-controlled company. The allegedly stolen data included email messages and their contents, such as invoices and product shipment information.

Source: Security Affairs

  • InvisiMole group targets Ukrainian state organizations

The Computer Emergency Response Team of Ukraine (CERT-UA) warned against phishing campaigns targeting Ukrainian organizations while spreading the LoadEdge backdoor. The phishing campaigns were attributed to the InvisiMole threat group (AKA UAC-0035), which is linked to the Russian APT Gamaredon.

Source: ZDNet

March 18, 2022

The Washington Post is reporting that some Russian businesses are filing trademark applications for new logos that mimic the design/style of American counterparts for companies that have ceased operations in Russia. They cite an example of the well-known “double arches” of the burger franchise, McDonald’s, having a virtually identical new twin with that of Dyadya Vanya (a local, Russian burger chain).

Threat Intelligence Update

  • RIPE NCC states they are fully compliant with recent EU sanctions on Russia

RIPE NCC, which oversees the allocation and registration of IP addresses and autonomous system numbers in Europe, the Middle East, and parts of Central Asia, issued a statement detailing their compliance with EU sanctions. It clarifies that they do not allocate new IPs and ASNs to any sanctioned persons or entities, while also freezing existing resources.

Source: RIPE NCC

  • Ukraine releases details of a hack on news agencies

Reportedly, the hack was performed by “Russian Federation’s hackers” and appears to be a defacement operation that included placing symbols banned in Ukraine on the agencies’ front pages. CIP mentioned no data was compromised as a result.

Source: DSTSZI

  • CISA, FBI warn of possible threats to US and SATCOM networks

The new advisory details a set of mitigations for critical-infrastructure organizations, SATCOM (satellite communication) network providers, and customers, following the current geopolitical situation. According to Reuters, the warning follows an investigation by Western intelligence agencies into the recent hack targeting the telecommunications firm Viasat.

Source: Reuters

March 17, 2022

Vladimir Putin warned he would cleanse Russia of the “scum and traitors” he accuses of working covertly for the US and its allies. He also said on Wednesday that Russia would achieve its goals in Ukraine and would not submit to what he called a Western attempt to achieve global dominance and dismember Russia.

The Russian news site Kommersant reported that on March 9, 2022, a meeting was held in the Ministry of Digitalization with the participation of companies operating with a significant amount of computing power: Sber, MTS, Oxygen, Rostelecom, Atom-Dates (a structure of Rosatom), Krok, and Yandex. The parties discussed the prospect of a shortage of data storage systems and servers necessary to ensure the operation of public digital resources. Estimates suggest there may be only two months of disk storage space left across major Russian businesses and government entities.

Threat Intelligence Update

  • Known npm package developer sabotages files in protest against Russia

A developer of the popular npm package "node-ipc" published malicious versions of the library in protest against the Russian invasion of Ukraine. The malicious versions overwrite and delete arbitrary files on user systems that are based in Russia and Belarus.

Source: Bleeping Computer

  • A deepfake video of Zelenskyy is removed by Facebook

Facebook deleted a deepfake video of Ukrainian President Zelenskyy asking Ukrainian soldiers to surrender. Meta, Facebook's parent company, stated that the video violated their policy against misleading manipulated media and therefore was removed.

Source: Bleeping Computer

March 16, 2022

Ukrainian President Volodymyr Zelenskyy delivered a virtual speech to US lawmakers on Wednesday, asking again specifically for a no-fly zone over Ukraine and for additional support.

The White House released a new fact sheet detailing an additional $800 million in security assistance to Ukraine.

Threat Intelligence Update

  • UAC-0056 targets Ukrainian entities

SentinelOne researchers reported that UAC-0056 targeted Ukrainian entities using a malicious Python-based package, masquerading as a Ukrainian language translation software. Once installed, the fake app deployed various malware, such as Cobalt Strike, GrimPlant, and GraphSteel.

Source: Sentinel One

  • A hacker was caught routing calls to Russian troops

The Security Service of Ukraine claimed to have arrested a hacker that helped deliver communications from within Russia to the Russian troops operating in the Ukrainian territory. The hacker also sent text messages to

Ukrainian security officers and civil servants, exhorting them to surrender.

Source: The Verge

March 15, 2022

The Ukrainian Ministry of Defense leaked documents of a Russian nuclear power plant. This may be the first-ever instance of a hack-and-leak operation to weaponize the disclosure of intellectual property to harm a nation.

Researchers at INFOdocket, a subsidiary of Library Journal, have created a compendium of briefings, reports, and updates about the conflict in Ukraine from three research organizations: Congressional Research Service (CRS), European Parliament Research Service (EPRS), and the UK House of Commons Library. The resource will be updated as each of the three organizations releases relevant new content.

The Wall Street Journal is reporting that Russian prosecutors have issued warnings to Western companies in Russia, threatening to arrest corporate leaders there who criticize the government or to seize assets of companies that withdraw from the country.

Russia may default on $117 million (USD) in interest payments on dollar-denominated bonds due to Western sanctions, the first foreign debt default by Russia since 1918.

Reuters is reporting that Russia's delegation to the Parliamentary Assembly of the Council of Europe (PACE) is suspending its participation and will not take part in meetings.

CNN reports that Russia has imposed sanctions against US President Joe Biden, his son, Secretary of State Antony Blinken, other US officials, and “individuals associated with them,” the Russian Foreign Ministry said in a statement on Tuesday.

Threat Intelligence Update

  • Russian state-sponsored cyber actors access network misconfigured with default MFA protocols

CISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory that details how Russian state-sponsored cyber actors accessed a network with misconfigured default multifactor authentication (MFA) protocols. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527), to run arbitrary code with system privileges.

Source: CISA

  • Fake antivirus updates used to deploy Cobalt Strike in Ukraine

Ukraine's Computer Emergency Response Team is warning that threat actors are distributing fake Windows antivirus updates that install Cobalt Strike and other malware. The phishing emails impersonate Ukrainian government agencies offering ways to increase network security and advise recipients to download "critical security updates," which come in the form of a 60 MB file named "BitdefenderWindowsUpdatePackage.exe."

Source: BleepingComputer/CERT-UA

  • A novel wiper targets Ukrainian entities

Cybersecurity researchers observed the new CaddyWiper malware targeting Ukrainian organizations. Once deployed, CaddyWiper destroys and overwrites the data from any drives that are attached to the compromised system. Despite being released in close proximity to other wiping malware targeting Ukraine, such as HermeticWiper and IsaacWiper, CaddyWiper does not share any significant code similarities with them and appears to be created separately.

Source: Bleeping Computer

  • German Federal Office for Information Security agency issues an alert for Russian antivirus software Kaspersky

The German Federal Office for Information Security agency (BSI) issued an alert urging its citizens to replace Kaspersky antivirus software with another defense solution, due to alleged ties to the Kremlin. The agency suggested Kaspersky could be used as a tool in the cyber conflict between Russia and Ukraine.

Source: BSI

March 14, 2022

The EU-based NEXTA media group has reported that Russia is starting to block VPN services.

Bermuda’s aviation regulator said it is suspending certification of all Russian-operated airplanes registered in the British overseas territory due to international sanctions over the war in Ukraine, in a move expected to affect more than 700 planes.

The Washington Post reported that Federal Security Service (FSB), Russian Federalnaya Sluzhba Bezopasnosti, agents approached Google and Apple executives with requests to remove apps created by activist groups.

Amnesty International said Russian authorities have blocked their Russian-language website.

Threat Intelligence Update

  • Anonymous claims to hack Rosneft, German subsidiary of Russian energy

Anonymous claimed to hack the German branch of the Russian energy giant Rosneft, allegedly stealing 20 TB of data. The company systems were significantly affected by the attack, although there currently seems to be no effect on the company's energy supply.

Source: Security Affairs

  • Russia blocks access to Instagram nationwide

Russia's Internet moderator Roskomnadzor decided to block Instagram access in the country, following Meta's decision to allow "calls for violence against Russian citizens." The federal agency gave Instagram users 48 hours to prepare and finally completed the act on March 13. The blocking of Instagram follows the former ban of Facebook and Twitter in Russia last week.

Source: Cyber News

March 11, 2022

President Biden, along with the European Union and the Group of Seven Countries, moved to revoke “most favored nation” trade status for Russia, deny borrowing privileges at multilateral financial institutions, apply sanctions to additional Russian elites, ban export of luxury goods to Russia, and ban US import of goods from several signature sectors of Russia’s economy.

Threat Intelligence Update

  • Amid difficulties with renewing certificates, Russia has created its own trusted TLS certificate authority

Signing authorities based in countries that have imposed sanctions on Russia can no longer accept payments for their services, leaving many sites with no practical means to renew expiring certificates. As a result, the Russian Ministry of Digital Development announced the availability of domestic certificates, replacing expired or revoked foreign certificates.

Source: Bleeping Computer

  • Triolan, a major Ukrainian internet service provider, was hacked — twice

Triolan, a Ukraine-based ISP with more than half a million subscribers, was reportedly hacked initially on February 24th, with a second attack hitting on March 9th. The company reported that the threat actors managed to hack into key components of the network, some of which couldn’t be recovered.

Source: Forbes

March 10, 2022

By order of President Putin, Russia’s Economic Development Ministry has drafted a bill that would effectively nationalize assets and businesses "abandoned" in Russia by foreign corporations. Management of these seized assets will be entrusted to the VEB.RF state development corporation and to Russia’s Deposit Insurance Agency.

Russia has effectively legalized patent theft from anyone affiliated with countries “unfriendly” to it, declaring that unauthorized use will not be compensated. The Russian news agency Tass has further reporting on this, as does the Washington Post.

Goldman Sachs Group Inc announced it was closing its operations in Russia, becoming the first major Wall Street bank to exit the country following Moscow's invasion of Ukraine.

UK Foreign Secretary Liz Truss announced a full asset freeze and travel ban on seven of Russia’s wealthiest and most influential oligarchs, whose business empires, wealth, and connections are closely associated with the Kremlin.

US Vice President Kamala Harris announced nearly $53 million in new humanitarian assistance from the United States government, through the US Agency for International Development (USAID), to support innocent civilians affected by Russia’s invasion of Ukraine.

The International Atomic Energy Agency (IAEA) provided an update on the situation at the Chernobyl Nuclear Power Plant. The IAEA Director General said that the Agency is aware of reports that power has now been restored to the site and is looking for confirmation. At the same time, Ukraine informed them that today it had lost all communications with the facility. The IAEA has assured the international community that there has been “no impact on essential safety systems.”

Threat Intelligence Update

  • New malware variant targeting Russia named RURansom

RURansom is a malware variant that was recently discovered and appears to be targeting Russia. While it was initially suspected of being a ransomware, further analysis suggests it is actually a wiper. So far, no active non-Russian targets have been identified, likely due to the malware targeting specific entities.

Source: TrendMicro

Available in Threat Library as: RURansom

  • Kaspersky source code leak seems to be just a collection of publicly available HTML files

The hacking group NB65 claimed on social networks to have leaked source code from the Russian antivirus firm Kaspersky. However, it appears that the leaked files are nothing more than a long list of HTML files and other related, publicly available web resources.

Source: Cybernews

  • Anonymous claims to hack Roskomnadzor, a Russian federal agency

Hacktivist group Anonymous claims to have breached Roskomnadzor, a Russian federal agency responsible for monitoring, controlling, and censoring Russian mass media, leaking over 360,000 (817.5 GB) files. Based on the report, the leak contains relatively recent censored documents, dated as late as March 5, and demonstrates Russia’s attempts to censor media related to the conflict in Ukraine.

Source: @AnonOpsSE via Twitter

March 9, 2022

Public policy: Citing concerns over rising cybersecurity risks related to the Russia-Ukraine conflict, the US is poised to enact new cyber incident reporting requirements. The Cyber Incident Reporting for Critical Infrastructure Act of 2022:

  • Will require critical-infrastructure owners and operators to report cybersecurity incidents to CISA within 72 hours of determining the incident is significant enough that reporting is required;
  • Will require critical infrastructure owners and operators to report ransomware payments to CISA within 24 hours; and
  • Is intended to give federal agencies more insight into attack trends and potentially provide early warnings of major vulnerabilities or attacks in progress before they spread.

The Bank of Russia established temporary procedures for foreign cash transactions, suspending sales of foreign currencies until September 9, 2022. Foreign currency accounts are limited to withdrawals up to $10,000 USD.

The Financial Crimes Enforcement Network (FinCEN) is alerting all financial institutions to be vigilant against efforts to evade the expansive sanctions and other US-imposed restrictions implemented in connection with the Russian Federation’s further invasion of Ukraine.

The Pentagon dismissed Poland’s offer to transfer MIG-29 fighter jets to the United States for delivery to Ukraine, stating they did not believe the proposal was “tenable.”

Threat Intelligence Update

  • Multiple hacking groups target Ukrainians and other European allies via phishing attacks

Several threat actors, including Fancy Bear, Ghostwriter, and Mustang Panda, have launched a large phishing campaign against Ukraine, Poland, and other European entities amid Russia's invasion of Ukraine.

Source: The Hacker News

Available in Threat Library as: APT28 (Fancy Bear), Ghostwriter, Mustang Panda

  • The Conti Ransomware group resumes activity following leaks

The Conti Ransomware group appears to have made a comeback following the leak of its internal chats last week. On March 9, Rapid7 Threat Intelligence observed renewed activity on Conti’s onion site, and CISA released new IOCs related to the group on their Conti alert page.

Source: CISA

Available in Threat Library as: Conti

  • The Belarusian group UNC1151 targets Ukrainian organizations using MicroBackdoor malware

The Ukrainian government has reported on a continuous cyberattack on state organizations of Ukraine using malicious software Formbook.

Source: Ukrainian CERT

Available in Threat Library as: UNC1151

March 8, 2022

The US announced a ban on imports of Russian oil, gas, and other energy products. New US investments in the Russian energy sector are also restricted. The UK announced it would phase out Russian oil over 2022.

The International Atomic Energy Agency published a statement noting that remote data transmission from monitoring systems at Ukraine’s mothballed Chernobyl nuclear power plant has been lost. No network data has been observed by internet monitoring companies since March 5, 2022.

Chris Chivvis, a senior fellow and director of the American Statecraft Program at the Carnegie Endowment for International Peace, has provided an assessment of two likely trajectories in the Russia-Ukraine conflict.

Twitter announced they have made their social network available on the Tor Project onion service, which will enable greater privacy, integrity, trust, and availability to global users.

The Minister of Foreign Affairs of the Republic of Poland announced they are ready to deploy — immediately and free of charge — all their MIG-29 jets to the Ramstein Air Force base and place them at the disposal of the US government.

Lumen announced they are immediately ceasing their limited operations in Russia and will no longer provide services to local Lumen enterprise customers.

McDonald’s announced they have temporarily closed 850 restaurants in Russia in response to Russia’s attack on Ukraine.

Starbucks has announced they will be suspending all business in Russia in response to Russia’s attack on Ukraine.

Threat Intelligence Update

  • 52 US organizations were impacted by RagnarLocker ransomware, including critical infrastructures

The FBI reported that as of January 2021, 52 US-based organizations, some related to critical infrastructure, were affected by RagnarLocker ransomware. The industries affected include manufacturing, energy, financial services, government, and information technology. The malware code excludes execution on post-Soviet Union countries, including Russia, based on a geolocation indicator embedded in its code.

Source: FBI FLASH  

Available in Threat Library as: Ragnar Locker

  • US energy companies were attacked prior to the Russian invasion to Ukraine

During a two-week blitz in mid-February, hackers received access to dozens of computers belonging to multiple US-based energy companies, including Chevron Corp., Cheniere Energy Inc., and Kinder Morgan Inc. The companies were attacked in parallel to the Russian invasion of Ukraine.

Source: Bloomberg

  • European officials were hacked by Chinese threat actors amid the conflict in Ukraine

According to Google and Proofpoint, a cyberattack was launched by the Chinese hacking group Mustang Panda and its affiliated group RedDelta, which usually targets Southeast Asian countries. The groups managed to gain access to an unidentified European NATO-member email account and spread malware to other diplomatic offices.

Source: Forbes

Available in Threat Library as: Mustang Panda

  • #OpAmerica: DEVLIX_EU, a pro-Russian hacktivist group, and its affiliates claim to have gained access to terabytes of US sensitive data

The group claims they have obtained access to 92TB of data related to the US Army. According to the group, they also hacked into four of the biggest “hosts” in the US and 49 TB of data. As of now, there is no real evidence for the attack provided by the group.

Source: @Ex_anon_W_hater via Twitter

March 7, 2022

Netflix, KPMG, PwC, and EY have cut ties with local units in Russia, and Danone suspended investments in Russia.

The Russian government has published a list of foreign states that have committed “unfriendly actions” against “Russia, Russian companies, and citizens.” Countries listed include Australia, Albania, Andorra, the United Kingdom, the member states of the European Union, Iceland, Canada, Liechtenstein, Micronesia, Monaco, New Zealand, Norway, Republic of Korea, San Marino, North Macedonia, Singapore, USA, Taiwan, Ukraine, Montenegro, Switzerland, and Japan.

The Russian government’s Ministry of Digital issued orders for all government websites to use only domestic hosting providers and DNS. They further instructed agencies to discontinue using non-Russian third-party tooling, such as Google Analytics.

TikTok is suspending content from Russia in response to the country cracking down on reporting about the invasion of Ukraine.

Threat Intelligence Update

  • Anonymous-affiliated threat actor claims to have hacked and shut down water infrastructure in Russia

The AnonGhost group claims to have hacked and shut down two Russian SCADA water supply systems impacting the Russian cities: Volkhov, Boksitogorsk, Luga, Slantsevsky, Tikhvinsky, and Vyborg.

Source: @darkowlcyber via Twitter

Available in Threat Library as: AnonGhost (for Threat Command customers who want to learn more)

  • Anonymous claims to hack Russian TV services to broadcast footage of the war with Ukraine

Russian live TV channels Russia 24, Channel One, and Moscow 24, as well as Wink and Ivi, Netflix like services, have been hacked to broadcast footage of the war with Ukraine according to Anonymous.

Source: @YourAnonNews via Twitter

March 4, 2022

The NATO Cooperative Cyber Defence Center of Excellence (CCDCOE) announced that Ukraine will join the group as a “contributing participant,” indicating that “Ukraine could bring valuable first-hand knowledge of several adversaries within the cyber domain to be used for research, exercises, and training.”

Ukraine’s deputy chief of their information protection service noted in a Friday briefing that over 400,000 individuals have volunteered to help a crowdsourced Ukrainian government effort to disrupt Russian government and military targets.

Threat Intelligence Update

  • Russia blocked access to social media platforms and Western news sites

Russia has prevented its residents access to information channels, including Facebook, Twitter, Western news sites such as the BBC, and app stores. With that, the BBC is now providing access to its website via the Dark Web and has reinstated their BBC shortwave broadcast service.

Source: Reuters

  • Anonymous-affiliated threat actor hacked and leaked data from the Russian Federal State Budgetary Institution of Science

The Russian Federal Guard Service of the Russian Federation was hacked by Anonymous. The hacker published leaked names, usernames, emails, and hashed passwords of people from the institution.

Source: @PucksReturn via Twitter

  • Anonymous takes down multiple Russian government websites

Anonymous claims responsibility for the takedown of a large number of Russian Government websites including one of the main government websites, gov.ru. Most of the websites are still down as of Friday afternoon, March 4.

Source: @Anonynewsitaly via Twitter

March 3, 2022

Additional sanctions: The US Treasury Dept. announced another round of sanctions on Russian elites, as well as many organizations it characterized as outlets of disinformation and propaganda.

Public policy: The Russia-Ukraine conflict is adding momentum to cybersecurity regulatory actions. Most recently, that includes

  • Incident reporting law: Citing the need to defend against potential retaliatory attacks from Russia, the US Senate passed a bill to require critical infrastructure owners and operators to report significant cybersecurity incidents to CISA, as well as ransomware payments. The US House is now considering fast-tracking this bill, which means it may become law quite soon.
  • FCC inquiry on BGP security: “[E]specially in light of Russia’s escalating actions inside of Ukraine,” FCC seeks comment on vulnerabilities threatening the Border Gateway Protocol (BGP) that is central to the Internet’s global routing system.

CISA threat advisory: CISA recently reiterated that it has no specific, credible threat against the U.S. at this time. It continues to point to its Shields Up advisory for resources and updates related to the Russia-Ukraine conflict.

Threat Intelligence Update

  • An Anonymous-affiliated hacking group claims to have hacked a branch Russian Military and Rosatom, the Russian State Atomic Energy Corporation.

The hacktivist group Anonymous and its affiliate have hacked and leaked access to the phone directory of the military prosecutor's office of the southern military district of Russia, as well as documents from the Rosatom State Atomic Energy Corporation.

Available in Threat Library as: OpRussia 2022 (for Threat Command customers who want to learn more)

  • A threat actor supporting Russia claims to have hacked and leaked sensitive information related to the Ukrainian military.

The threat actor “Lenovo” claims to have hacked a branch of the Ukrainian military and leaked confidential information related to its soldiers. The information was published on an underground Russian hacking forum.

Source: XSS forum (discovered by our threat hunters on the dark web)

  • An Anonymous hacktivist associated group took down the popular Russian news website lenta.ru

As part of the OpRussia cyber-attack campaign, an Anonymous hacktivist group known as “El_patron_real” took down one of the most popular Russian news websites, lenta.ru. As of Thursday afternoon, March 3, the website is still down.

Available in Threat Library as: El_patron_real (for Threat Command customers who want to learn more)

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.