Chaos Ransomware Aligns with Russia

May 24, 2022

Industry: N/A | Level: Strategic | Source: Fortinet

Amongst the notable ransomware groups taking sides with Russia in the Ukraine conflict, Chaos appears to have joined the list, as identified by Fortinet. The indication is based on the display message Chaos leaves when encryption has completed, which speaks negatively of the Ukrainian government. The arrival vector was not determined; however, it likely came from an email or from a user browsing a forum post. The malware used by Chaos appears to be new, having a compile date of May 16th, 2022. The variant investigated by Fortinet is identified as a potential file destroyer, as the attackers did not provide options for recovery of the affected files and have deleted shadow copies from impacted workstations.

Hive0117 Phishing Campaigns

May 03, 2022

Industry: Electronic, Industrial, Telecommunication | Level: Strategic | Source: SecurityIntelligence

IBM Security X-Force shared research from tracking the latest phishing campaigns of the financially motivated threat group Hive0117. Identified in February 2022, the campaign targets the electronics, industrial, and telecommunications sectors to deploy DarkWatchman, a remote access trojan (RAT). The email campaigns masquerade as communication from the Russian Government’s Federal Bailiffs Service, targeting company leaders in Lithuania, Estonia, and Russia. Activity from this campaign doesn’t appear to be related to the Russia and Ukraine conflict. The motive is suspected to be to “enable illegal access to numerous distributed clients and end-users” by compromising telecommunication providers and their respective suppliers.

Connecticut Airport Hit with Cyberattack

April 05, 2022

Industry: Aviation | Level: Strategic | Source: NewsWeek

As disclosed by CyberKnow, a situational awareness service, and the Connecticut Airport Authority, a cyberattack that occurred on Tuesday, March 29th, 2022 impacted the website for Bradley International Airport, located in Windsor Locks, Connecticut. The attackers left messages on the website with snippets, translated by CyberKnow, indicating the attack is in response to the Russia and Ukraine conflict. Messages left include “when the supply of weapons to Ukraine stops, attacks on the information structure of your country will instantly stop,” along with the statement “America, no one is afraid of you.” Currently, the website is available, and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) reports there is no evidence of a data breach. Although CyberKnow attributed the attack to the Russian threat actor group Killnet, the hackers associated with the attack remain undetermined.

Telegram Fuels Cyber Communication

March 25, 2022

March 3rd, 2022: Telegram Fuels Cyber Communication

Industry: N/A | Level: Strategic | Source: Check Point

Research from Check Point has identified an increase in Telegram groups during the Russia and Ukraine conflict. The groups assembled stand on both sides of the conflict, with anti-Russian groups as well as mischievous users creating fraudulent Ukrainian support groups. Check Point’s research insight shares, “since the beginning of the war, we have seen tens of groups being created daily. Some groups boast over 250,000 users. CPR estimates that about 23% of the groups observed on Telegram attempt to unite hackers, IT professionals, and other IT “fans” to attack Russian targets in cyberspace. These groups are used to coordinate the attack, decide on targets and share results, even offering to help each other towards the goal.” From reports, hackers on both sides have leveraged DDoS attacks, with anti-Russian groups on Telegram observed to specifically call out particular Russian sites to DDoS.

White House Statement to Harden Cybersecurity

March 25, 2022

March 22nd, 2022: White House Statement to Harden Cybersecurity

Industry: Critical Infrastructure Security | Level: Strategic | Source: WhiteHouse.gov

United States President Joe Biden continues to emphasize the importance of active vigilance for cyber activity given the ongoing conflict between Russia and Ukraine. The warning is provided in a White House statement: “I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.” Actions taken to secure cyber defenses have included the implementation of additional cybersecurity measures for the Federal Government and various critical infrastructure sectors. Follow alerts and guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to stay organized and informed.

Miratorg Agribusiness Holding – Ransomware Attack

March 25, 2022

March 22nd, 2022: Miratorg Agribusiness Holding – Ransomware Attack

Industry: Producer & Supplier | Level: Strategic | Source: BleepingComputer

A ransomware attack using Windows BitLocker has hit Miratorg Agribusiness Holding, a meat supplier based in Moscow. BleepingComputer, which reported the story, believes the attack was conducted for “sabotage and not financial” gain, with the attack focused on “VetIS, a state information system used by veterinary services and companies engaging in the field, making it likely a supply chain compromise.” Additionally, a machine-translated statement from the company paints the attack as hostility from the West in regard to the Russia and Ukraine conflict: “Probably, this incident is a manifestation of the informational and economic “total war” that the collective West unleashed against Russia. We are pushed to this assumption by the fact that during the entire existence of VetIS (more than 10 years) and tens of thousands of Russian and foreign software systems integrated with it, this has never happened.” Miratorg Agribusiness is working to restore business services.

German Government Warns Against Use of Kaspersky AV

March 22, 2022

Industry: N/A | Level: Strategic | Source: BleepingComputer

In a bulletin released by the German Federal Office for Information Security (BSI), the government entity advises against the use of Kaspersky’s antivirus software in favor of “alternative products.” The trust and reliability of the product are brought into question given the conflict between Russia and Ukraine and any relationship the company may have with the Russian government. As the service operates in real-time and in the cloud, various technical attributes are potentially at risk. BSI offers the following for consideration, noting that antivirus software has “extensive system authorizations and, due to the system (at least for updates), must maintain a permanent, encrypted and non-verifiable connection to the manufacturer’s servers. Therefore, trust in the reliability and self-protection of a manufacturer as well as his authentic ability to act is crucial for the safe use of such systems. If there are doubts about the reliability of the manufacturer, virus protection software poses a particular risk for the IT infrastructure to be protected.”

Malware “Liberator” Targets Ukraine

March 18, 2022

March 10th, 2022: Malware “Liberator” Targets Ukraine

Industry: N/A | Level: Strategic | Source: CiscoTalos

Cybercriminals are taking advantage of sympathizers and supporters in the Russia and Ukraine conflict. Fraudulent donation schemes and phishing emails taking advantage of the crisis have been observed. The latest, as reported by Cisco Talos, is the infostealer malware Liberator, which is being distributed to Ukraine sympathizers under the guise of a DDoS tool to target Russia. The malware is distributed through Telegram, targeting members of the Ukraine IT Army. Cisco Intelligence identifies that the threat actor associated with the activity has been active since November 2021, distributing various types of information stealers and taking advantage of the crisis.