Exclusive: Pro-Russia group ‘Cyber Spetsnaz’ is attacking government agencies

Resecurity, Inc. (USA) has identified an increase in activity within hacktivist groups conducted by a new group called “Cyber Spetsnaz”.

Resecurity, Inc. (USA) has identified an increase in activity within hacktivist groups, they’re leveraging current geopolitical tensions between the Ukraine and Russia to perform cyber-attacks. Following the attacks of the Killnet Collective, the group responsible for the attacks against major government resources and law enforcement, a new group has been identified called “Cyber Spetsnaz”. The actors are positioning themselves as an elite cyber offensive group targeting NATO infrastructure and performing cyberespionage to steal sensitive data.

Starting May 24, the group calling themselves “Cyber Spetsnaz” announced the launch of a new campaign “Panopticon” which aimed to recruit 3,000 volunteer cyber offensive specialists willing to participate in attacks against the European Union and the Ukrainian government institutions including Ukrainian companies.

Around April time, “Cyber Spetsnaz” built one its first divisions called “Zarya”, they looked for experienced penetration testers, OSINT specialists, and hackers:

Around this time the group performed one of their first coordinated attacks against NATO. Prior to that, “Cyber Spetsnaz” members have been distributing domains assigned to the NATO infrastructure, by doing so they could plan an effective attack. The actor shared a list of NATO resources and a comprehensive Excel file.

On June 2nd, the group created a new division called “Sparta”. The responsibility of the new division includes “cyber sabotage”, disruption of Internet resources, data theft and financial intelligence focused on NATO, their members and allies. Notably, “Sparta” outlines this activity as a key priority today and confirms the newly created division is an official part of “Killnet Collective” group.

Based on the description, the actors call themselves “hacktivists”, however, it’s not yet clear if the group has any connection to state actors. Sources interviewed by Security Affairs interpreted this activity with high levels of confidence to be state-supported. Interestingly, the name “Sparta” (in context of the current Ukrainian war) is related to the name of a unit from the Donetsk People’s Republic (DNR).

Besides proprietary tools, they’re leveraging MHDDoS, Blood, Karma DDoS, Hasoki, DDoS Ripper and GoldenEye scripts to generate malicious traffic on Layer 7 which may impact the availability of WEB resources.

The group performed cyber-attacks against 5 logistic terminals in Italy (Sech, Trieste, TDT, Yilprort, VTP) and several major financial institutions too. “Phoenix” coordinated its activities with another division called “Rayd” who previously attacked government resources in Poland including the Ministry of Foreign Affairs, Senate, Border Control and the Police. Other divisions involved in the DDoS attacks included “Vera”, “FasoninnGung”, “Mirai”, “Jacky”, “DDOS Gung” and “Sakurajima” who previously attacked multiple WEB-resources in Germany. 

According to Resecurity, such hacktivist campaigns typically have the goal to orchestrate certain information operations rather than a real cyber-attack that disrupts networks or the availability of critical resources. Cybersecurity specialists should be especially careful with attribution, as in some cases such activity leads to provocations and purposely generated operations.

Based on the observed victims and close collaboration with several impacted organizations, the attacks primarily focused on the exploitation of poorly configured WEB servers and short-term disruptions. Proper hardening and implementation of WAF, along with DDoS protection may preemptively resolve the issue, as the total network attack pool of unique sources may be exhausted relatively quickly. The logged sources of attacks showed how the attackers are actively using spoofed IP addresses and the deployment of tools on compromised IoT devices and hacked WEB resources.

Ukraine’s main cybersecurity incident response team released a list of the five most persistent hacking groups and malware families attacking Ukraine’s critical infrastructure. Hostile hacking groups are exploiting Russia’s invasion of Ukraine to carry out cyberattacks designed to steal login credentials, sensitive information, money and more from victims around the world.

According to cybersecurity researchers at Google’s Threat Analysis Group (TAG), government-backed hackers from Russia, China, Iran and North Korea, as well as various unattributed groups and cyber-criminal gangs, are using various themes related to the war in Ukraine to lure people into becoming victims of cyberattacks.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Cyber Spetsnaz)

[adrotate banner=”5″]

[adrotate banner=”13″]