Category Archives: Cyber warfare

Microsoft sheds light on a year of Russian hybrid warfare in Ukraine

Russia-linked threat actors targeted at least 17 European nations in 2023, and 74 countries since the start of the invasion of Ukraine.

Microsoft revealed that Russia-linked threat actors targeted at least 17 European nations between January and mid-February 2023. According to a report published by the IT giant, the state-sponsored hackers have targeted 74 countries since the start of the invasion of Ukraine. The cyber espionage operations aimed at government and defense-related organizations in Central and Eastern Europe and the Americas.

“Between January and mid-February 2023, Microsoft threat intelligence analysts have found indications of Russian threat activity against organizations in at least 17 European nations, with the government sector the most targeted.” reads the report published by Microsoft. “While these actions are most likely intended to boost intelligence collection against organizations providing political and material support to Ukraine, they could also, if directed, inform destructive operations.”

The report also states that the Russia-linked APT group IRIDIUM appears to be preparing for a renewed destructive campaign. The group could target Ukraine with destructive malware such as Foxblade and Caddywiper. The experts also reported that as of late 2022, the state actor may also have been testing additional malware with similar capabilities in destructive attacks on organizations outside Ukraine that serve key functions in Ukraine’s supply lines.

Sandworm (aka BlackEnergy and TeleBots) has been active since 2000; it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). IRIDIUM is the name Microsoft uses to track this group.

The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions worth of damage.

In April, Sandworm targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper.

The APT hacking group is believed to have been behind numerous attacks this year, including an attack on Ukrainian energy infrastructure and the deployment of a persistent botnet called “Cyclops Blink” dismantled by the US government in April.

The most targeted countries since February 2022 are the United States (21%), followed by Poland (10%) and the UK (9%). The most targeted sectors outside Ukraine since February 2022 are government, IT/communications, and think tanks/NGOs.

“Within the 74 countries targeted by Russian threat actors between February 23, 2022 and February 7 of this year, Russian threat actors were most interested in government and IT sector organizations, just as they were in Ukraine. Several actors compromise IT firms to exploit trusted technical relationships and gain access to those firms’ clients in government, policy, and other sensitive organizations.” continues the report.

Microsoft reported that common tactics and techniques adopted by Russia-linked actors to breach the target networks have included the exploitation of internet-facing applications, backdoored pirated software, and ubiquitous spearphishing.

“Should Russia suffer more setbacks on the battlefield, Russian actors may seek to expand their targeting of military and humanitarian supply chains by pursuing destructive attacks beyond Ukraine and Poland.” concludes the report. “These possible cyberattacks, should the last year’s pattern continue, may incorporate newer destructive malware variants as well.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

Polish intelligence dismantled a network of Russian spies

Polish intelligence dismantled a cell of Russian spies that gathered info on military equipment deliveries to Ukraine via the EU member.

Polish counter-intelligence has dismantled a cell of Russian spies that gathered information on the provisioning of military equipment to Ukraine via the EU member.

“The ABW counter-intelligence agency has arrested nine people suspected of working for the Russian secret service,” Poland’s Interior Minister Mariusz Kaminski told reporters. “The suspects had been conducting espionage activities against Poland and preparing acts of sabotage on behalf of Russian intelligence services.”

The suspects are “foreigners from across Poland’s eastern border,” Kaminski added.

Polish Defense Minister Mariusz Blaszczak also confirmed that the network has been dismantled by the country’s counter-intelligence.

Polish authorities charged six suspects with espionage and participation in an organized criminal group. The other three individuals arrested by the authorities were still being questioned. The members of the spy network received regular payments from the Russian secret services.

Kaminski also added that the cell was planning acts of sabotage to interfere with the delivery of military equipment and aid to Ukraine. The group was also involved in carrying out propaganda activity to destabilize Polish-Ukrainian relations as well as fomenting anti-NATO sentiment in Poland.

“The suspects had also been preparing acts of sabotage meant to paralyze the delivery of military equipment, arms, and Ukraine aid,” Kaminski declared.

Agents of the Polish Internal Security Agency ABW seized electronic equipment and GPS transmitters that, once installed on trains carrying aid to Ukraine, allowed Russian intelligence to track the shipments.

Local media, such as the Polish radio station RMF, reported that the spies installed hidden cameras on important railway routes and junctions, recording and transmitting data on traffic.

Polish intelligence fears sabotage operations against railroads and critical infrastructure involved in the provisioning of military equipment to Ukraine.

(SecurityAffairs – hacking, Polish intelligence)

Russia-linked APT29 abuses EU information exchange systems in recent attacks

Russia-linked APT29 group abused the legitimate information exchange systems used by European countries to target government entities.

Russia-linked APT29 (aka SVR group, Cozy Bear, Nobelium, and The Dukes) was spotted abusing the legitimate information exchange systems used by European countries in attacks aimed at governments.

In early March, BlackBerry researchers uncovered a new cyber espionage campaign aimed at EU countries. The hackers targeted diplomatic entities and systems transmitting sensitive information about the region’s politics, aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.

The attack chain commences with a spear-phishing email containing a weaponized document, which contains a link leading to the download of an HTML file.

The HTML files are hosted on a legitimate online library website that was likely compromised by the threat actors sometime between the end of January 2023 and the beginning of February 2023.

“One of the lures appeals to those who want to find out the Poland Ambassador’s schedule for 2023. It overlaps with Ambassador Marek Magierowski’s recent visit to the United States; specifically, his talk on February 2, where he discussed the war in Ukraine at the Catholic University of America Columbus School of Law, also known as the Catholic Law, which is based in Washington, DC.” reads the analysis published by BlackBerry.

The APT29 group also abused multiple legitimate systems, including LegisWrite and eTrustEx, which are used by EU nations to exchange information and data securely.

LegisWrite is an editing program used by governments within the European Union; its use in the malicious lure shows that the threat actors were specifically targeting state organizations within the EU.

The malicious HTML file employed in the attack is a version of NOBELIUM’s dropper tracked as ROOTSAW (aka EnvyScout). EnvyScout uses the HTML smuggling technique to deliver an IMG or ISO file to the victim’s system.

To maintain persistence, a new registry key is created under “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DsDiBacks”.

The BugSplatRc64.dll file allows cyber spies to collect and exfiltrate information about the infected system.

The nation-state actor abuses the API of the note-taking application Notion for C2 communication, a choice that helps it avoid detection.

“NOBELIUM actively collects intelligence information about the countries supporting Ukraine in the Russian-Ukraine war. The overlap between Poland’s Ambassador’s visit to the United States with the lure used in the attacks, provides evidence that the threat actors carefully follow geopolitical events and use them to increase their possibility of a successful infection.” concludes the report. “Furthermore, our initial analysis of weaponized LNK files shows that the threat actor behind this campaign used anti-forensic techniques to wipe out personal metadata to remove information connected to its operations systems.”

(SecurityAffairs – hacking, Russia)

CERT of Ukraine says Russia-linked APT backdoored multiple govt sites

The CERT of Ukraine (CERT-UA) revealed that Russia-linked threat actors have compromised multiple government websites this week.

The Computer Emergency Response Team of Ukraine (CERT-UA) said that Russia-linked threat actors have breached multiple government websites this week. The government experts attribute the attack to the UAC-0056 group (DEV-0586, unc2589, Nodaria, or Lorec53).

“The Government Computer Emergency Response Team of Ukraine CERT-UA is taking measures to investigate the circumstances of the incident on February 23, 2023.” reads the alert published by Ukraine’s Computer Emergency Response Team. “As of 11:00 on 02/23/2023, a previously known encrypted web shell was detected on one of the websites, and the fact of its use was confirmed in the period from 22:00 on 02/22/2023 to 05:30 on 02/23/2023, as a result of which, among other things, the file “index.php” was created in the root web directory, which provided modification of the content of the main page of the web resource.”

The SSSCIP’s National Cybersecurity Coordination Center along with the Cyber Police are working together to lock out the threats and investigate the security breaches.

“Today, on February 23, an attack was detected on a number of websites of Ukrainian central and local authorities, resulting in a modification of the content of some of their webpages.” reads the advisory published by Ukraine’s cybersecurity defense and security agency SSSCIP.

The state-sponsored hackers used a web shell created no later than December 23, 2021, to deploy multiple backdoors.

The nation-state actor employed the SSH backdoor CredPump (PAM module) to achieve remote SSH access (with a static password value) and logging of logins and passwords when connecting via SSH.

The attackers also used the HoaxPen and HoaxApe backdoors; experts discovered that these malicious codes took the form of modules for the Apache web server and had been installed in February 2022.

The alert states that attackers employed GOST (Go Simple Tunnel) and the Ngrok program in the early stages of the attack.

The alert also includes Indicators of compromise (IoCs) for the attacks.

The UAC-0056 APT group has been active since at least March 2021; it focuses on Ukraine, although it has also been involved in attacks on targets in Kyrgyzstan and Georgia.

In early February, the UAC-0056 group was observed deploying a new information stealer dubbed Graphiron in attacks against Ukraine.

In early February 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a phishing campaign aimed at state authorities that involves the use of the legitimate remote access software Remcos.

(SecurityAffairs – hacking, Ukraine)

UK won the Military Cyberwarfare exercise Defence Cyber Marvel 2 (DCM2)

Defence Cyber Marvel 2 (DCM2) is the largest Western Europe-led cyber exercise that took place in Tallinn with 34 teams from 11 countries.

The Defence Cyber Marvel 2 (DCM2) is the largest training exercise organised by the Army Cyber Association to allow personnel from across the Armed Forces to build their skills within the cyber and electromagnetic domain.

This year, 750 cyber specialists participated in the military cyberwarfare exercise. 34 teams from 11 countries, including India, Italy, Ghana, Japan, the US, Ukraine, Kenya, and Oman, took part in a live-fire cyber battle that lasted seven days.

“Organised by a team of cyber specialists from the British Army, Defence Cyber Marvel 2 (DCM2) was the culmination of more than 12 months of training for more than 750 cyber specialists, including Defence personnel, government agencies, industry partners, and other nations.” reads the press release published by the UK Ministry of Defence.

The exercise was hosted in Tallinn, Estonia; participating teams faced common and complex simulated attacks against IT and OT networks and unmanned robotic systems. The exercise also simulated some of the tactics Russia used to disrupt Ukrainian cyberspace at the beginning of the invasion one year ago.

Many teams took part in the exercise remotely, connecting to a cyber range controlled from Tallinn, Estonia.

“The Army Cyber Association was set up by Royal Signals officers, prior to the formation of 13 Signal Regiment, as a cyber operations professional development network. It is volunteer run and entirely inclusive for any Service person who wants to develop their cyberspace knowledge and skills.” said Colonel Ian Hargreaves, Chair of the Army Cyber Association. “Our focus has always been talent identification, recognition and development with a big wraparound of innovation. We must innovate to stay ahead of those that would wish us harm and Defence Cyber Marvel 2 is the next evolution of our pioneering collective education.”

Britain’s 7 Military Intelligence team, who competed remotely from Italy, won the exercise, followed by the Tallinn-based 5 Military Intelligence.

(SecurityAffairs – hacking, Defence Cyber Marvel 2 (DCM2))

CISA warns of disruptive attacks amid the anniversary of Russia’s invasion of Ukraine

One year after Russia’s invasion of Ukraine, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations to increase vigilance.

Exactly one year ago, Russia invaded Ukraine, and now the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations and individuals to increase vigilance.

The US agency warns that the United States and European nations may be targeted with disruptive attacks and website defacements. Such attacks would attempt to sow chaos and societal discord on February 24, 2023, the anniversary of Russia’s 2022 invasion of Ukraine.

“CISA urges organizations and individuals to increase their cyber vigilance in response to this potential threat.” reads the alert. “In response to the heightened geopolitical tensions resulting from Russia’s full-scale invasion of Ukraine, CISA maintains public cybersecurity resources, including Shields Up—a one-stop webpage that provides resources to increase organizational vigilance and keep the public informed about current cybersecurity threats.”

CISA recommends:

  • Implement the suggestions included in the DDoS Attack Guidance for Organizations and Federal Agencies
  • Review the Shields Up webpage, which includes guidance on:
    • Increasing organizational vigilance
    • Implementing cybersecurity best practices
    • Increasing resilience and preparing for rapid response
    • Lowering the threshold for threat and information sharing

The current situation could impact organizations in Ukraine and abroad, which may be targeted with malicious cyber activities such as cyber espionage, sabotage, and misinformation campaigns. The US government warns that organizations of every size must be prepared to respond to disruptive cyber incidents.

“CISA urges everyone to protect themselves online and adopt a heightened posture when it comes to cybersecurity. CISA offers the following guidance for individuals, organizations, and leadership to enhance online security.” reads the Shields Up page set up by the U.S. Cybersecurity and Infrastructure Security Agency.

(SecurityAffairs – hacking, Ukraine)

Many cyber operations conducted by Russia are yet to be publicly disclosed, says Dutch intelligence

Dutch intelligence revealed that many cyber operations attributed to Russia against Ukraine and NATO members have yet to be publicly disclosed.

According to a joint report published by the Dutch General Intelligence and Security Service (AIVD), and the Military Intelligence and Security Service (MIVD), many cyber operations conducted by Russia-linked hackers against Ukraine and NATO members during the past year have yet to be publicly disclosed.

“Before and during the war, Russian intelligence and security services engaged in widespread digital espionage, sabotage and influencing against Ukraine and NATO allies.” reads the joint report. “The pace of Russian cyber operations is fast and many of these attempts have not yet become public knowledge. Ukrainian and Western digital defenses have so far been able to limit the impact of continued Russian attack attempts. Throughout the war, Russia has also found it difficult to synchronize cyber operations with other military operations, such as airstrikes. By far the largest part of Russian cyber operations is aimed at espionage to obtain military, diplomatic and economic information from both Ukraine and NATO allies.”

The state-sponsored hacking operations aimed at gathering intelligence on adversaries, conducting sabotage, and running misinformation campaigns.

The Russia-linked threat actors targeted a broad range of organizations, including military and diplomatic agencies. Russian hackers aimed at gathering information on the military support provided to Ukraine by NATO allies. The report states that Russian threat actors also targeted the Dutch armed forces, ministries and embassies, but the cyber espionage campaigns failed.

“The Russian cyber sabotage campaign against Ukraine is the most extensive and intensive in history. Moscow regularly attempts to digitally sabotage Ukrainian vital infrastructure and carries out constant wiper malware attacks.” continues the report. “The sustained and very high pressure that Russia exerts with this requires constant vigilance from Ukrainian and Western defenders. However, large-scale disruption has so far failed to materialize and the impact of cyber sabotage is dwarfed by the impact of physical military operations. The potential of cyber operations cannot be fully exploited by Russia. Russia is likely to struggle to synchronize cyber operations with other military operations, such as airstrikes.”

Ukrainian authorities were supported by Western intelligence services and cybersecurity companies, an aid that significantly increased Ukrainian digital defense.

The report highlights the interest of Russia-linked actors in influencing the political contest of Ukraine and NATO countries through deception, disinformation, and cyber operations.

The Russian intelligence services have succeeded several times in temporarily taking control of Ukrainian media broadcasts and airing Russian propaganda messages. The hackers then compromised these media outlets. Russian threat actors also targeted critical infrastructure in the country, including the power supply.

“To hide their involvement in covertly spreading disinformation and propaganda through digital channels, Russian intelligence services employ many techniques they also use for cyber operations.” concludes the report. “In the case of the Information Operations Troops (VIO) of the Russian military intelligence service GRU, it is even partly the same units that are responsible for both cyber operations and covert influence.”

(SecurityAffairs – hacking, Russia)

Pro-Russia hacker group Killnet targets NATO websites with DDoS attacks

Pro-Russia hacker group Killnet launched a Distributed Denial of Service (DDoS) attack on NATO servers, including the NATO Special Operations Headquarters (NSHQ) website.

Pro-Russia hacker group Killnet launched a Distributed Denial of Service (DDoS) attack on NATO sites, including the NATO Special Operations Headquarters (NSHQ) website.

The attack was confirmed by NATO, while the hacker group announced it on its Telegram channel.

“NATO cyber experts are actively addressing an incident affecting some NATO websites. NATO deals with cyber incidents on a regular basis, and takes cyber security very seriously.” reads a statement from NATO.

“We are carrying out strikes on Nato. Details in a closed channel,” reads a message published by the Pro-Russia group on its Telegram Channel.

According to The Telegraph, the website of Nato Special Operations Headquarters remained unreachable for a couple of hours. The attack also impacted the website of the Strategic Airlift Capability, which is a multinational initiative that provides its participating nations assured access to military airlift capability to address the growing needs for both strategic airlifts and tactical airlifts.

In February 2022, the organization was involved in operations to deliver supplies to the Ukrainian army.

In the past, the Strategic Airlift Capability conducted multiple humanitarian missions; it is currently used to transport search and rescue equipment to the Turkey-Syria area hit by the earthquake.

The Telegraph reported that the DDoS attack impacted Nato’s NR network which was communicating with a SAC C-17 aircraft.

“One of the organisation’s C-17 aircraft, which was believed to be flying supplies to the Incirlik Air Base in southern Turkey, was warned of the disruption in a message from a SAC manager via the ACARS (Aircraft Communications Addressing and Reporting System) network.” reported The Telegraph. “The aircraft was told that Nato’s NR network – which is believed to be used for transmitting sensitive data – had been hit by the denial of service attack. Although contact with the aircraft was not lost, the hackers’ attack is likely to have hampered the relief efforts.”

Last week, SecurityScorecard’s researchers published a list of proxy IPs used by the pro-Russia group Killnet with the intent to interfere with its operation and block its attacks.

The Killnet group has been active since March 2022; it has launched DDoS attacks against governments and critical infrastructure of countries that expressed support for Ukraine, including Italy, Romania, Moldova, the Czech Republic, Lithuania, Norway, and Latvia.

Early this month, the Dutch National Cyber Security Centre (NCSC) reported that the websites of several hospitals in the Netherlands and Europe were hit by DDoS attacks carried out by the group Killnet.

The group of hackers launched the offensive against the hospitals in the European countries due to their support for Ukraine.

Recently, experts from Z-CERT, the computer emergency response team for the Dutch healthcare sector, blamed the Killnet group for the cyber attacks that hit the University Medical Center Groningen (UMCG) on Saturday. The pro-Russia group of hackers targeted 31 Dutch hospitals.

The hackers also targeted hospitals in the UK, Germany, Poland, Scandinavia and the United States. Last week, the group announced the attacks on its Telegram channel, calling for action against the US government’s healthcare sector.

Last week the pro-Russia group intensified its activity. The group launched a series of DDoS attacks against the websites of German airports, administration bodies, and banks. The attacks are the hacktivists’ response to the German government’s decision to send Leopard 2 tanks to Ukraine.

In November, Killnet claimed responsibility for the DDoS attack that took down the website of the European Parliament.

The attack was launched immediately after lawmakers approved a resolution calling Moscow a “state sponsor of terrorism”.

(SecurityAffairs – hacking, Killnet)

Russian Government evaluates the immunity to hackers acting in the interests of Russia

The Russian Government proposed to give a sort of immunity to the hackers that operate in the interests of Moscow.

Russian media reported that Alexander Khinshtein, the head of the Duma committee on information policy, announced that the Russian government is considering exempting from punishment hackers who act in the interests of Moscow.

“The question of their exemption from liability needs to be worked out, said Alexander Khinshtein, head of the Duma committee on information policy.” reported the Govoritmoskva website.

The Russian government recognizes the importance of cybercriminal gangs and hacktivists’ contribution to the defense of its interests. This is an important official announcement, even if the Russian government in the past demonstrated indulgence for cybercriminal gangs that avoided hitting computers in the country. Multiple ransomware gangs developed their malware to avoid infecting systems in the Commonwealth of Independent States (CIS) region (formed following the dissolution of the Soviet Union in 1991) and instructed the network of their affiliates not to target Russian organizations.

The topic is crucial, especially at this moment in history: the ongoing conflict between Russia and Ukraine is characterized by the presence of non-state actors in cyberspace, whose operations are reshaping the threat landscape.

“We are talking about, in general, working out the exemption from liability of those persons who act in the interests of the Russian Federation in the field of computer information both on the territory of our country and abroad,” TASS quotes Khinshtein.

The Russian Parliament announced that this proposal will be discussed more in detail in the next months with the intent to better formulate this initiative.

The Russian law framework currently punishes crooks charged with creating, using, and distributing malware with up to seven years in jail.

(SecurityAffairs – hacking, Russian Government)

DPRK funds malicious cyber activities with ransomware attacks on critical infrastructure

North Korea-linked APT groups conduct ransomware attacks against healthcare and critical infrastructure facilities to fund the regime’s activities.

Ransomware attacks on critical infrastructure conducted by North Korea-linked hacker groups are used by the government of Pyongyang to fund its malicious cyber operations, U.S. and South Korean agencies warn.

US CISA published a Cybersecurity Advisory (CSA) to provide information about the threat actors to network defenders. The joint CSA about ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities is the result of the collaboration between the United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) (hereafter referred to as the “authoring agencies”).

“This advisory highlights TTPs and IOCs DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.” reads the joint advisory.

The proceeds from ransom payments are used by the North Korean government to fund malicious activities, including cyber operations against the United States and South Korea.

The list of targets includes Department of Defense Information Networks and Defense Industrial Base member networks.

Some of the ransomware families attributed to North Korea-linked APT groups are Maui, Holy Ghost, and VHD.

The government agencies detailed TTPs associated with North Korean APT groups such as:

  • Acquire Infrastructure [T1583]. Threat actors generate domains, personas, and accounts, and identify cryptocurrency services to conduct their ransomware operations.
  • Obfuscate Identity. Threat actors purposely obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments.
  • Purchase VPNs and VPSs [T1583.003]. Threat actors use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to hide the origin of the attacks.
  • Gain Access [TA0001]. Threat actors use various exploits of common vulnerabilities, including CVE-2021-44228, CVE-2021-20038, and CVE-2022-24990. The advisory also states that the attackers employed Trojanized files for “X-Popup,” an open source messenger commonly used by employees of small and medium hospitals in South Korea, in their attacks.
  • Move Laterally and Discovery [TA0007, TA0008]. Attackers use staged payloads with customized malware to perform reconnaissance activities, upload and download additional files and executables, and execute shell commands [T1083, T1021]. The malware is also used for collecting victim information and sending it to the remote host [TA0010].
  • Employ Various Ransomware Tools [TA0040]. Attackers used privately developed ransomware, such as Maui and H0lyGh0st, along with other ransomware families, including BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom [T1486].
  • Demand Ransom in Cryptocurrency. Nation-state actors demanded ransom payments in bitcoin [T1486]. They communicate with victims via Proton Mail email accounts.

The agencies recommend that organizations limit access to data by authenticating and encrypting connections, implement the principle of least privilege, turn off weak or unnecessary network device management interfaces, enforce multi-layer network segmentation, protect stored data, require phishing-resistant authentication controls, use monitoring tools, and maintain periodic data backups.

(SecurityAffairs – hacking, North Korea-linked APT)