Category Archives: Hacktivism

Pro-Ukraine hackers CH01 defaced dozens of Russian websites on the invasion anniversary

The group of hacktivists CH01 defaced at least 32 Russian websites to mark a protest over the one-year anniversary of the Russian invasion

A group of hacktivists operating under the moniker CH01 defaced at least 32 Russian websites in protest on the one-year anniversary of the Russian invasion of Ukraine.

The news was also shared by the collective Anonymous through its accounts.

The defaced sites displayed a video showing the Kremlin burning. At this time it is unclear how the hacktivists breached the websites.

“The oracle says that all evil will lose and all good will live forever. We are CH01 hacker group, on behalf of all free world, will fight against putin-terrorist and all dictators. Let the prophecy come true,” reads the message published by CH01 on Twitter.

CH01 answered Anonymous’s call to arms against Russia over its invasion of Ukraine.

“Hacker group CH01, in solidarity with the entire civilized world, in order to restore justice and the triumph of the forces of light and good, on the anniversary of the terrorist invasion of dictatorial Russia into a strong and independent Ukraine, we declare cyber war on the dictatorship and totalitarianism and idiocy of Putin’s criminal regime,” reads the message published by the group on Twitter.

“Today, at exactly 4:00 AM, for the fact that russia bombed Kyiv, a cyber war has been declared on it! Dozens of russian sites now look like this, we now have all the data from these sites,” reads a message published on Twitter.

Anonymous and other hacker groups affiliated with the collective have vowed to continue fighting against Russia.

This week Anonymous published a message renewing its commitment to protecting Ukraine from the criminal invasion.

On February 23, 2023, Anonymous hacked into several radio stations across Russia, including Yumor FM (Humor FM), Relax FM, Comedy Radio and Avtoradio. The fake alerts, read by a female voice, announced an air raid and urged listeners to seek shelter quickly.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CH01)

German airport websites hit by DDoS attacks once again

Experts investigated the outages that hit the websites of several German airports after media attributed them to a possible hacking campaign.

On Thursday, the websites of several German airports were unreachable; experts launched an investigation into a possible large-scale cyberattack against critical infrastructure.

Ralph Beisel, chief executive of the ADV airport association, confirmed that the websites were hit by a DDoS attack. He added that other systems at the airports were not impacted.

“Once again, airports fell victim to large-scale DDoS attacks,” Beisel said in a statement. “According to the information we have so far, other systems are not affected.”

The alleged cyberattack took place a day after an IT failure caused cancellations and delays for thousands of passengers of Germany’s national carrier Lufthansa at Frankfurt airport.

The attack blocked the websites of the following airports:

  • Hannover Airport
  • Dortmund Airport
  • Nuremberg Airport
  • Karlsruhe/Baden-Baden Airport
  • Düsseldorf Airport
  • Erfurt-Weimar Airport

Airport administrators confirmed that the problems were likely caused by malicious traffic.

“We are still troubleshooting,” a spokeswoman for Dortmund Airport said, adding that it was unlikely the failure was due to a regular overload, DW reported. “There is reason to suspect it could be a hacker attack,” she added.

In early January, the Pro-Russia group Killnet launched DDoS attacks against the websites of German airports, administration bodies, and banks.

The attacks are the hacktivists’ response to the German government’s decision to send Leopard 2 tanks to Ukraine.

Chancellor Olaf Scholz announced the decision to send 14 tanks – and allow other countries to send theirs too (which was restricted until now under export regulations) – at a cabinet meeting on Wednesday.

On February 16, the group called for action against German airports on its Telegram channel.

In October 2022, the pro-Russia hacktivist group Killnet claimed responsibility for massive distributed denial-of-service (DDoS) attacks against the websites of several major US airports.


Pierluigi Paganini

(SecurityAffairs – hacking, German airports)

Pro-Russia hacker group Killnet targets NATO websites with DDoS attacks

Pro-Russia hacker group Killnet launched a Distributed Denial of Service (DDoS) attack on NATO servers, including the NATO Special Operations Headquarters (NSHQ) website.

Pro-Russia hacker group Killnet launched a Distributed Denial of Service (DDoS) attack on NATO sites, including the NATO Special Operations Headquarters (NSHQ) website.

NATO confirmed the attack, while the hacker group claimed it on its Telegram channel.

“NATO cyber experts are actively addressing an incident affecting some NATO websites. NATO deals with cyber incidents on a regular basis, and takes cyber security very seriously.” reads a statement from NATO.

“We are carrying out strikes on Nato. Details in a closed channel,” reads a message published by the Pro-Russia group on its Telegram Channel.

According to The Telegraph, the website of NATO Special Operations Headquarters remained unreachable for a couple of hours. The attack also impacted the website of the Strategic Airlift Capability (SAC), a multinational initiative that gives its participating nations assured access to military airlift capability for both strategic and tactical airlift needs.

In February 2022, the SAC was involved in operations to deliver supplies to the Ukrainian army.

In the past, the SAC has conducted multiple humanitarian missions, and it is currently being used to transport search and rescue equipment to the area of Turkey and Syria hit by the earthquake.

The Telegraph reported that the DDoS attack also affected NATO’s NR network while it was communicating with a SAC C-17 aircraft.

“One of the organisation’s C-17 aircraft, which was believed to be flying supplies to the Incirlik Air Base in southern Turkey, was warned of the disruption in a message from a SAC manager via the ACARS (Aircraft Communications Addressing and Reporting System) network.” reported The Telegraph. “The aircraft was told that Nato’s NR network – which is believed to be used for transmitting sensitive data – had been hit by the denial of service attack. Although contact with the aircraft was not lost, the hackers’ attack is likely to have hampered the relief efforts.”

Last week, SecurityScorecard’s researchers published a list of proxy IPs used by the pro-Russia group Killnet with the intent to interfere with its operation and block its attacks.

The Killnet group has been active since March 2022; it has launched DDoS attacks against governments and critical infrastructure in countries that expressed support for Ukraine, including Italy, Romania, Moldova, the Czech Republic, Lithuania, Norway and Latvia.

Early this month, the Dutch National Cyber Security Centre (NCSC) reported that the websites of several hospitals in the Netherlands and Europe were hit by DDoS attacks carried out by the group Killnet.

The hackers launched the offensive against hospitals in European countries because of their support for Ukraine.

Recently experts from Z-CERT, the computer emergency response team for the Dutch healthcare sector blamed the Killnet group for the cyber attacks that hit the University Medical Center Groningen (UMCG) on Saturday. The Pro-Russia group of hackers targeted 31 Dutch hospitals.

The hackers also targeted hospitals in the UK, Germany, Poland, Scandinavia and the United States. Last week, the group announced the attacks on its Telegram channel, calling for attacks against US government healthcare organizations.

Last week the pro-Russia group intensified its activity. The group launched a series of DDoS attacks against the websites of German airports, administration bodies, and banks. The attacks are the hacktivists’ response to the German government’s decision to send Leopard 2 tanks to Ukraine.

In November 2022, Killnet claimed responsibility for the DDoS attack that took down the website of the European Parliament.

The attack was launched immediately after lawmakers approved a resolution calling Moscow a “state sponsor of terrorism”.


Pierluigi Paganini

(SecurityAffairs – hacking, Killnet)

Hacktivists hacked Iranian State TV during President’s speech on Revolution Day

The Ali’s Justice (Edalat-e Ali) hacker group broke into the State TV broadcast during the President’s speech on Revolution Day.

A collective of hackers that calls itself Ali’s Justice (Edalat-e Ali) disrupted the transmission of Iranian state TV and radio, aired the slogan “Death to Khamenei”, and asked Iranians to withdraw their money from government banks. The attack took place during the speech of Iranian president Ebrahim Raisi at Azadi Square in Tehran as part of the Revolution Day commemoration on February 11th, 2023.

The hackers called on citizens to protest against the government and invited them to take part in a public demonstration on February 16th, 2023.

“[Raisi] His live televised speech was interrupted on the internet for about a minute, with a logo appearing on the screen of a group of anti-Iranian government hackers that goes by the name of ‘Edalate Ali (Justice of Ali)’. A voice shouted ‘Death to the Islamic Republic’,” Reuters reported.

Edalat-e Ali is a hacktivist group that has conducted multiple attacks against the government in Tehran.

The protests began after the death of Mahsa Amini, from Saqqez in Kurdistan province, following her arrest by Iran’s morality police for allegedly wearing her hijab too loosely. The authorities claimed Amini died of natural causes after suffering heart failure while she was at the police station, but many citizens did not believe this account and took to the streets (the September 2022 Iranian protests).

In September 2022, Anonymous launched OpIran against Iran due to the ongoing crackdown on dissent after Mahsa Amini’s death.


The HackRead website, which reported the news along with other media, shared the video message that was transmitted by the hackers.

The Edalat-e Ali group claimed the responsibility for the attack on its Telegram channel.

“We the Adalat Ali group hacked the Islamic Republic of Iran’s TV and Radio transmission. First of all, the Adalat Ali group offers its condolences to the entire freedom-loving nation on the decade of dawn and the impure arrival of Khomeini the executioner to Iran,” reads the statement published by Edalat-e Ali.

Rights group HRANA said that as of Friday, 528 protesters had been killed, including 71 minors. The government has already arrested around 20,000 protesters.

In October 2022, the Edalat-e Ali group interrupted the Iran State-Run TV’s live transmission in another attack.

In September 2022, global internet monitor NetBlocks reported a near-total disruption to internet service in parts of Kurdistan province in western Iran from the evening of Monday 19 September 2022.

“The regional telecommunications blackout in and around Sanandaj follows a partial disruption to internet service in Tehran and other parts of the country on Friday when protests first broke out. Instagram and WhatsApp, two of the last remaining international platforms in Iran, have subsequently been restricted nationally as of Wednesday 21 September, followed by a nation-scale shutdown of mobile networks. Daily curfew-style mobile internet disruptions have continued until 4 October 2022. The incidents come amid widening protests against the government after the death of Mahsa Amini,” reported NetBlocks.


Pierluigi Paganini

(SecurityAffairs – hacking, Iranian State TV)

The Israel Institute of Technology Technion suffered a ransomware attack

The Technion – Israel Institute of Technology was breached on Sunday by a new anti-Israel threat actor calling itself DarkBit.

Technion – Israel Institute of Technology is Israel’s top technology research university and a leading center for cyber security education. A new anti-Israel threat actor calling itself DarkBit is claiming responsibility for the ransomware attack that breached the Institute on Sunday, February 12, 2023.

The DarkBit group is demanding 80 Bitcoin for decryption, but experts pointed out that the hacker crew appears to be politically motivated and it’s unlikely they would give out a decryption key even if demands are met.

“We hacked #Technion, the technological core of an apartheid regime. They should pay for their lies and crimes, their names and shames. They should pay for occupation, war crimes against humanity, killing the people (not only the Palestinians’ bodies, but also Israelis’ souls) and destroying the future and all dreams we had. They should pay for firing high-skilled experts. Say goodbye to your security if you support or have any kind of collaboration or partnership with Israel, or you pay its expensive price.” reads the message published by the group in its Telegram Channel.

VX-Underground researchers noted that the ransom note appears to have been written with the help of an English translation tool.

DarkBit threatened to raise the demand by 30% if Technion refused to pay within 48 hours.

Army Radio said that all exams would be postponed pending resolution of the security breach, The Jerusalem Post reported.

Israeli authorities launched an investigation into the incident; the Israel National Cyber Directorate (INCD) said it is “in touch with the Technion to get a full picture of the situation, to assist with the incident and to study its consequences.”

“The field of higher education has been a central target for cyber attackers, with the INCD identifying 53 [serious] incidents of such attacks in 2022, most of which were prevented,” said the authority.


Pierluigi Paganini

(SecurityAffairs – hacking, Israel Institute of Technology Technion)

Experts published a list of proxy IPs used by the pro-Russia group Killnet

SecurityScorecard’s researchers released a list of proxy IPs used by the pro-Russia group Killnet so that organizations can block its attacks.

SecurityScorecard’s researchers published a list of proxy IPs used by the pro-Russia group Killnet with the intent to interfere with its operation and block its attacks.

“To help organizations better protect themselves, SecurityScorecard has published a list of proxy IPs to help block the Killnet DDoS bot.” reads the post published by the security firm SecurityScorecard.

The Killnet group has been active since March 2022; it has launched DDoS attacks against governments and critical infrastructure in countries that expressed support for Ukraine, including Italy, Romania, Moldova, the Czech Republic, Lithuania, Norway and Latvia.

Early this month, the Dutch National Cyber Security Centre (NCSC) reported that the websites of several hospitals in the Netherlands and Europe were hit by DDoS attacks carried out by the group Killnet.

The hackers launched the offensive against hospitals in European countries because of their support for Ukraine.

“Hospitals in Europe, including in the Netherlands, have in all likelihood been targeted by the pro-Russian hacker group Killnet,” the NCSC said.

Early this week, experts from Z-CERT, the computer emergency response team for the Dutch healthcare sector blamed the Killnet group for the cyber attacks that hit the University Medical Center Groningen (UMCG) on Saturday. The Pro-Russia group of hackers targeted 31 Dutch hospitals.

The hackers also targeted hospitals in the UK, Germany, Poland, Scandinavia and the United States. Last week, the group announced the attacks on its Telegram channel, calling for attacks against US government healthcare organizations.

Last week the pro-Russia group intensified its activity. The group launched a series of DDoS attacks against the websites of German airports, administration bodies, and banks. The attacks are the hacktivists’ response to the German government’s decision to send Leopard 2 tanks to Ukraine.

In November 2022, Killnet claimed responsibility for the DDoS attack that took down the website of the European Parliament.

The attack was launched immediately after lawmakers approved a resolution calling Moscow a “state sponsor of terrorism”.

The list of proxy IPs shared by the researchers also includes addresses used by other groups.

The list was published on GitHub and contains around 17,746 IP addresses. Organizations can use it to block traffic from these addresses at the network edge (firewall, load balancer or web server). The list is a snapshot, however: proxy pools rotate, and some of the addresses are shared infrastructure, so a blocklist of this kind complements rate limiting and upstream DDoS mitigation rather than replacing them.
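Both this article and the NATO piece above note that the SecurityScorecard list can be used to block Killnet’s proxies. The following Python is an added example written for this page, not SecurityScorecard’s tooling and not the real list: it loads a blocklist in the common one-address-or-CIDR-per-line form, collapses it into the smallest set of prefixes, checks the client addresses in web-server access-log lines against it, and renders the result as nginx `deny` rules. The blocklist entries, the log lines and the assumption that the client address is the first field (Combined Log Format) are all constructed for illustration.

```python
"""Triage access logs against a published DDoS-proxy blocklist.

Added example for this page; not SecurityScorecard's code, and the
blocklist entries and log lines below are constructed test data.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed stand-in for a downloaded list: one address or CIDR per
# line, with comments, blanks and one junk line as real lists often have.
SAMPLE_BLOCKLIST = """
# constructed sample, not the real Killnet proxy list
203.0.113.7
203.0.113.8
198.51.100.0/24
2001:db8:bad::/48
not-an-ip
"""

# Constructed Combined Log Format lines; the client address is the first
# field. 192.0.2.10 is the only legitimate visitor in this sample.
SAMPLE_LOGS = """\
203.0.113.7 - - [15/Feb/2023:04:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.42 - - [15/Feb/2023:04:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Feb/2023:04:00:02 +0000] "GET /news HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
2001:db8:bad:1::9 - - [15/Feb/2023:04:00:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "curl/7.88"
garbage line without a client address
"""


def load_blocklist(text: str) -> List[Network]:
    """Parse addresses/CIDRs into networks, skipping comments and malformed
    lines, then collapse adjacent or nested prefixes into a minimal set."""
    v4, v6 = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # one bad line must not discard the whole list
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses() accepts a single address family per call
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


class Blocklist:
    """Single hosts go in a set for O(1) lookups; wider prefixes are
    scanned linearly, which is fine for a list of roughly 18k entries."""

    def __init__(self, networks: Iterable[Network]) -> None:
        self.hosts = set()
        self.prefixes: List[Network] = []
        for net in networks:
            if net.num_addresses == 1:
                self.hosts.add(net.network_address)
            else:
                self.prefixes.append(net)

    def contains(self, address: str) -> bool:
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            return False  # not an IP at all; the caller decides what to do
        if ip in self.hosts:
            return True
        return any(ip in net for net in self.prefixes if net.version == ip.version)


def triage_log(lines: Iterable[str], blocklist: Blocklist) -> dict:
    """Count requests from blocklisted sources and collect the offending
    client IPs; lines whose first field is not an address are reported
    separately rather than silently dropped."""
    result = {"blocked": 0, "allowed": 0, "unparsed": 0, "offenders": set()}
    for line in lines:
        fields = line.split(maxsplit=1)
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            result["unparsed"] += 1
            continue
        if blocklist.contains(ip):
            result["blocked"] += 1
            result["offenders"].add(ip)
        else:
            result["allowed"] += 1
    result["offenders"] = sorted(result["offenders"])
    return result


def to_nginx_deny(networks: Iterable[Network]) -> str:
    """Render the collapsed list as nginx `deny` directives for an include
    file consumed by ngx_http_access_module."""
    return "".join(f"deny {net.with_prefixlen};\n" for net in networks)


if __name__ == "__main__":
    nets = load_blocklist(SAMPLE_BLOCKLIST)
    bl = Blocklist(nets)
    print(triage_log(SAMPLE_LOGS.splitlines(), bl))
    print(to_nginx_deny(nets), end="")
```

Two operational caveats follow from the code. The generated `deny` file must be followed by `allow all;` in the server block, or nginx will refuse every client. And if the server sits behind a CDN or reverse proxy, the first log field is the proxy’s address, not the visitor’s; the check then has to run on the forwarded client address (for nginx, via the real_ip module) or the blocklist will never match.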


Pierluigi Paganini

(SecurityAffairs – hacking, hacktivism)

Anonymous leaked 128GB of data stolen from Russian ISP Convex revealing FSB’s warrantless surveillance

The popular collective Anonymous has leaked 128 GB of data allegedly stolen from the Russian Internet Service Provider Convex.

Last week the collective Anonymous released 128 gigabytes of documents allegedly stolen from the Russian Internet Service Provider Convex. The trove was leaked by Caxxii, a group affiliated with Anonymous.

The stolen documents allegedly contain evidence of dragnet surveillance conducted on behalf of the FSB intelligence service, with the Russian government monitoring citizens and private organizations across the country without warrants.

According to the collective, Convex launched a project code-named ‘Green Atom’ that spies on Russian citizens using surveillance equipment installed on the provider’s network. The group classifies the activity as unauthorized wiretapping, espionage and warrantless surveillance of civilians, all of which violate Russian law and the rights of those monitored.

“‘Green Atom’ (TS ORM fsb) refers to the installation and maintenance of wide-ranging surveillance equipment that is used to monitor the online activity of all traffic in and out of Convex,” reads a statement sent by Caxxii to the Kyiv Post. “This can be classified as espionage, unauthorized wiretapping, and surveillance of civilians without a warrant, which circumvents the laws of the Russian Federation and all public statements of the Russian authorities.”

“They are actively transmitting data to Moscow. It’s not just preemptive tapping,” continues the group.

According to the stolen data, Convex employees were conducting the activity in coordination with the Federal Security Service.

“Documents confirming the existence of this project, as well as the correspondence of Convex employees with the FSB, are now available not only to us, but also to you.” continues the group.

The leak also exposes the Russian organizations whose data is included in the archive to further attacks.

The stolen data was published through the leak site DDoSecrets.

“According to the hackers, the Green Atom data confirms the extent to which these legal structures are abused. They say the internet provider captured and mirrored virtually all data from every switch in the largest regions of Russia, which is then passed on to Moscow for use by the security services” states DDoSecrets.

Russia is known to conduct domestic surveillance using a surveillance system called SORM  (Russian: Система оперативно-разыскных мероприятий, lit. ‘System for Operative Investigative Activities’).

The Russian government obliges national ISPs to purchase and install the SORM probes, which allow the Federal Security Service (FSB) to monitor Internet traffic, including online communications. SORM is thus a mass surveillance system that, with the cooperation of Russian ISPs, lets the government track the online activities of individual users.


Pierluigi Paganini

(SecurityAffairs – hacking, Anonymous)

Pro-Russia Killnet group hit Dutch and European hospitals

The Dutch National Cyber Security Centre (NCSC) confirmed that Pro-Russia group Killnet hit websites of national and European hospitals.

The Dutch National Cyber Security Centre (NCSC) reported that the websites of several hospitals in the Netherlands and Europe were hit by DDoS attacks carried out by the pro-Russia hacking group Killnet.

The hackers launched the offensive against hospitals in European countries because of their support for Ukraine.

“Hospitals in Europe, including in the Netherlands, have in all likelihood been targeted by the pro-Russian hacker group Killnet,” the NCSC said.

Early this week, experts from Z-CERT, the computer emergency response team for the Dutch healthcare sector blamed the Killnet group for the cyber attacks that hit the University Medical Center Groningen (UMCG) on Saturday.

“The UMCG is facing a DDoS attack, in which a system is flooded with a vast amount of visitors at the same time. The impact isn’t terrible at this stage, said the spokesperson. A spokeswoman for the UMCG also said that patient care could continue as usual.” reported the NLTimes. “Only the UMCG website is down. According to the hospital, the website with the medical records of UMCG patients has not been compromised. Patients can still view their medical history, operations, medicines, and appointments.”

The Pro-Russia group of hackers targeted 31 Dutch hospitals.

“Currently the DDoS attacks are successfully mitigated and the impact of the attacks is limited,” the NCSC added.

The hackers also targeted hospitals in the UK, Germany, Poland, Scandinavia and the United States. Last week, the group announced the attacks on its Telegram channel, calling for attacks against US government healthcare organizations.

Healthcare organizations are critical infrastructure, and cyber attacks represent a serious threat to them. Although DDoS attacks are considered low-impact, we cannot exclude that pro-Russia groups could launch more sophisticated attacks in the future, causing serious damage.

Last week the pro-Russia group intensified its activity. The group launched a series of DDoS attacks against the websites of German airports, administration bodies, and banks. The attacks are the hacktivists’ response to the German government’s decision to send Leopard 2 tanks to Ukraine.

In November 2022, Killnet claimed responsibility for the DDoS attack that took down the website of the European Parliament.

The attack was launched immediately after lawmakers approved a resolution calling Moscow a “state sponsor of terrorism”.


Pierluigi Paganini

(SecurityAffairs – hacking, DDoS)

IT Army of Ukraine gained access to a 1.5GB archive from Gazprom

IT Army of Ukraine claims to have breached the infrastructure of the Russian energy giant Gazprom and gained access to a 1.5 GB archive.

The collective IT Army of Ukraine announced it has gained access to a 1.5 GB archive belonging to the Russian energy giant Gazprom.

The group of hacktivists announced the hack on their Telegram channel claiming that the archive contains more than 6,000 files of the companies of the Gazprom group.

The archive reportedly contains documents on financial and economic activities, reports on testing and drilling, and records of the implementation and adjustment of automated systems at the Kovykta (Koviktinsky) gas field in the Irkutsk region.

“The IT Army of Ukraine gained access to information on the activities of the largest filler of the state budget, and accordingly the main sponsor of terrorism and the invasion of Ukraine — Gazprom.” reads the announcement published on the Telegram channel. “The archive with a capacity of 1.5 GB contains more than 6,000 files of the “Gazprom” group of companies regarding financial and economic activities, namely reports on testing and drilling, implementation and adjustment of automated systems at the Koviktinsky well (Irkutsk region), which is considered one of the largest gas fields of the Russian Federation.”

The IT Army of Ukraine also published a confidentiality statement taken from a Gazprom agreement.

In April 2022, cybersecurity expert Jeff Carr told CyberNews that cyber operators at the Main Directorate of Intelligence at the Ministry of Defense of Ukraine (GURMO) had been conducting computer network operations (CNO) against Gazprom.

“As a result of the breach, they were able to engineer a hack of the pipeline’s pressurization controls that would cause a pipeline to rupture, resulting in a fire.” reported CyberNews.

“It’s unlikely that the company [Gazprom] will acknowledge either the breach of their documents or the successful attacks against its SCADA [Supervisory Control and Data Acquisition] systems,” Carr said. He released details on the Computer Network Exploitation attack along with samples of documents taken by GURMO’s cyber team.

According to Carr, GURMO was able to exfiltrate almost 1.5 TB of sensitive data from the company.

“The data includes administrative files for Gazprom management, communication requirements for the plants, maps, a massive 3,600 page .pdf on all of the requirements for construction of a new pipeline facility, a work order for an overhaul of the relay protection and automation devices, information on the assignment of the primary communications network of the pipeline as well as the digital radio-relay communication line (CRRL), and much, much more,” Carr added. “A person familiar with pipeline security told me that the typical focus is on the compressor stations where the attacker would change the set points for high and low pressure, and modify the flow rate measuring units,”


Pierluigi Paganini

(SecurityAffairs – hacking, Gazprom)

Pro-Russia group Killnet targets US healthcare with DDoS attacks

The Pro-Russia group Killnet is launching a series of DDoS attacks against the websites of US healthcare organizations and hospitals.

The pro-Russia group Killnet launched a series of DDoS attacks against US healthcare organizations and hospitals. The group announced the attacks on its Telegram channel, calling for attacks against US government healthcare organizations.

The group posted a list of targets on the channel; at the time of this writing, many of the listed websites are not reachable.

Healthcare organizations are critical infrastructure, and cyber attacks represent a serious threat to them. Although DDoS attacks are considered low-impact, we cannot exclude that pro-Russia groups could launch more sophisticated attacks in the future, causing serious damage.

The group could also extend its current offensive to healthcare organizations in other Western countries that support Ukraine.

Over the past week the pro-Russia group has intensified its activity, launching a series of DDoS attacks against the websites of German airports, administration bodies and banks in response to the German government’s decision to send Leopard 2 tanks to Ukraine.


Pierluigi Paganini

(SecurityAffairs – hacking, Killnet)