CySecurity News - Latest Information Security and Hacking Incidents: NATO

Cyber Attacks Defense Hacker attack Inc ransomware IT Systems IT systems breach Military Data NATO Ransomwares

Hungarian Defence Agency Hacked: Foreign Hackers Breach IT Systems

Foreign hackers recently infiltrated the IT systems of Hungary’s Defence Procurement Agency, a government body responsible for managing the country’s military acquisitions. According to Gergely Gulyas, the chief of staff to Hungarian Prime Minister Viktor Orban, no sensitive military data related to Hungary’s national security or its military structure was compromised during the breach. Speaking at a press briefing, Gulyas confirmed that while some plans and procurement data may have been accessed, nothing that could significantly harm Hungary’s security was made public. The attackers, described as a “hostile foreign, non-state hacker group,” have not been officially identified by name.

However, Hungarian news outlet Magyar Hang reported that a group known as INC Ransomware claimed responsibility for the breach. According to the outlet, the group accessed, encrypted, and reportedly published some files online, along with screenshots to demonstrate their access. The Hungarian government has refrained from confirming these details, citing an ongoing investigation to assess the breach’s scope and potential impact fully. Hungary, a NATO member state sharing a border with Ukraine, has been increasing its military investments since 2017 under a modernization and rearmament initiative.

This program has seen the purchase of tanks, helicopters, air defense systems, and the establishment of a domestic military manufacturing industry. Among the notable projects is the production of Lynx infantry fighting vehicles by Germany’s Rheinmetall in Zalaegerszeg, a region in western Hungary. The ongoing conflict in Ukraine, which began with Russia’s 2022 invasion, has further driven Hungary to increase its defense spending. The government recently announced plans to allocate at least 2% of its GDP to military expenditures in 2024. Gulyas assured reporters that Hungary’s most critical military data remains secure.

The Defence Procurement Agency itself does not handle sensitive information related to military operations or structural details, limiting the potential impact of the breach. The investigation aims to clarify whether the compromised files include any material that could pose broader risks to the nation’s defense strategy. The breach raises concerns about the cybersecurity measures protecting Hungary’s defense systems, particularly given the escalating reliance on advanced technology in modern military infrastructure. With ransomware attacks becoming increasingly sophisticated, governments and agencies globally are facing heightened pressure to bolster their cybersecurity defenses.

Hungary’s response to this incident will likely involve a combination of intensified cybersecurity protocols and ongoing collaboration with NATO allies to mitigate similar threats in the future. As the investigation continues, the government is expected to release further updates about the breach’s scope and any additional preventive measures being implemented.

NoName Ransomware Group Allegedly Targets Denmark and Finland Over NATO Support



 

Ransomware

cyber attack Cyber Attacks Digital Security Finland NATO Ransomware

NoName Ransomware Group Allegedly Targets Denmark and Finland Over NATO Support

The ransomware group NoName has reportedly launched cyberattacks against key institutions in Denmark and Finland, citing their support for NATO as the provocation. The alleged attacks targeted Denmark’s digital identification system MitID, the Finland Chamber of Commerce, and Finland’s largest financial services provider, OP Financial Group.

On a dark web forum, NoName announced these attacks, positioning them as a reaction to Denmark and Finland's recent military and infrastructural actions favouring NATO. The group specifically called out Denmark for training Ukrainian specialists in F-16 fighter jet maintenance:

"Denmark has trained the first 50 Ukrainian specialists in servicing F-16 fighter jets. Most of the specialists have already returned to Ukraine to prepare for the reception of F-16s at local air bases. The training of the first group of Ukrainian pilots continues in Denmark.”

They also criticised Finland for infrastructure upgrades intended to support NATO troops:

“Finland has begun repairing roads and bridges in Lapland to prepare for the deployment of NATO troops on its territory. ERR.EE reports on its change of stance on NATO forces and planned infrastructure work.”

NoName concluded their message with a warning, suggesting that Denmark and Finland's governments had not learned from past mistakes and threatened further actions.

Potential Impact on Targeted Entities

MitID: Denmark's MitID is a crucial component of the country's digital infrastructure, enabling secure access to various public and private services. An attack on this system could disrupt numerous services and damage public trust in digital security.

Finland Chamber of Commerce: The Chamber plays a vital role in supporting Finnish businesses, promoting economic growth, and facilitating international trade. A cyberattack could destabilise economic activities and harm business confidence.

OP Financial Group: As the largest financial services group in Finland, OP Financial Group provides a range of services from banking to insurance. A successful cyberattack could affect millions of customers, disrupt financial transactions, and cause significant economic damage.

Despite the claims, the official websites of MitID, the Finland Chamber of Commerce, and OP Financial Group showed no immediate signs of being compromised. The Cyber Express Team has reached out to these institutions for confirmation but has not received any official responses as of the time of writing, leaving the allegations unconfirmed.

The timing of these alleged cyberattacks aligns with recent military and infrastructural developments in Denmark and Finland. Denmark's initiative to train Ukrainian specialists in F-16 maintenance is a significant support measure for Ukraine amidst its ongoing conflict with Russia. Similarly, Finland's infrastructure enhancements in Lapland for NATO troops reflect its strategic alignment with NATO standards following its membership.

The NoName ransomware group's alleged cyberattacks on Danish and Finnish institutions highlight the increasing use of cyber warfare for political and military leverage. These attacks aim to disrupt critical infrastructure and send a strong message of deterrence and retaliation. The situation remains under close scrutiny, with further updates expected as more information or official responses become available.

Polish State Media Targeted in Alleged Russian-Backed Cyberattack



 

Russia cyber threats

Cyber Attacks EU Media Media Industry NATO Poland Poland CyberSecurity Russia cyber threats

Polish State Media Targeted in Alleged Russian-Backed Cyberattack

In a concerning development on May 31, the Polish Press Agency (PAP), a state-run media outlet, was targeted in a cyberattack that authorities have attributed to Russian-backed operatives. This incident adds to a growing list of cyber aggression linked to Russian intelligence services, which have previously been accused of targeting Ukraine and various Western nations.

The European Union (EU) and NATO recently condemned Russia's "malicious cyber campaign" against Germany and Czechia earlier in May, highlighting the persistent threat posed by such activities. On the morning of the attack, PAP's website displayed false messages claiming that Polish Prime Minister Donald Tusk had ordered a "partial mobilization" to begin on July 1. The swift identification of this disinformation was crucial. Deputy Prime Minister Krzysztof Gawkowski promptly declared the message as "false" and confirmed that an investigation was underway.

He noted, "Everything points to a cyberattack and planned disinformation!" This immediate response was vital in preventing the spread of the false information. Jacek Dobrzynski, spokesperson for the Polish security service, also indicated that the attack was a "probable Russian cyberattack." Gawkowski elaborated on the intent behind the cyber operation, suggesting that it aimed to spread "disinformation before the upcoming EU parliamentary elections" and to "paralyze society."

The false message was detected within two minutes, and Gawkowski commended the media for accurately labeling it as disinformation, thus preventing further dissemination. Gawkowski's remarks reflect a broader sentiment of heightened vigilance in Poland and across the EU regarding cyber threats. He emphasized that Poland is in a "cold war" with Russia, a stance that underscores the pervasive impact of Russian cyber activities on EU countries.

This sentiment has been echoed by other European leaders who have called for stronger cyber defenses and increased international cooperation to counter such threats. The incident underscores the ongoing cyber conflict between Russia and Western nations, highlighting the need for robust cybersecurity measures. The EU and NATO's condemnation of Russia's cyber activities against Germany and Czechia earlier in May further illustrates the widespread nature of these threats. Poland's response to the cyberattack on PAP demonstrates the importance of rapid identification and response to disinformation campaigns.

Gawkowski assured that Prime Minister Tusk was informed of the incident immediately, showcasing the high level of alertness among Polish authorities. As cyber threats continue to evolve, the international community must remain vigilant and proactive in defending against such attacks. This incident serves as a reminder of the critical importance of cybersecurity in safeguarding national security and public trust.

Sweden Faces Influx of DDoS Attacks Following NATO Membership



 

Sweden

Cyber Security Cyberattacks DDOS Attacks Hackers NATO Safety Sweden

Sweden Faces Influx of DDoS Attacks Following NATO Membership

A significant uptick in distributed denial of service (DDoS) attacks has plagued Sweden as the nation navigates its path towards joining NATO, reports network performance management provider Netscout.

The onslaught commenced notably in May 2023, following a colossal 500 Gbps attack targeting Swedish government infrastructure. Subsequent to this initial strike, the frequency and intensity of DDoS assaults against Swedish entities have steadily escalated, reaching a peak in late 2023 with attacks soaring to 730 Gbps.

However, the year 2024 witnessed a further exacerbation of the situation, particularly intensifying from February onwards. On February 14, Sweden’s Foreign Minister hinted at Hungary's support for their NATO bid, serving as a catalyst for a significant event.

Netscout documented an astounding 1524 simultaneous DDoS attacks targeting Swedish organizations the subsequent day. This surge indicated a marked escalation in tensions and retaliatory actions from various politically motivated hacker groups, as underscored in Netscout's public statement.

The climax of the attacks occurred on March 4, 2024, when Netscout observed an unprecedented 2275 attacks in a single day, marking a staggering 183% increase compared to the same date in the previous year. Remarkably, this surge transpired merely three days before Sweden's formal admission into NATO.

Netscout's analysis has identified several hacker groups involved in these assaults, including NoName057, Anonymous Sudan, Russian Cyber Army Team, and Killnet, all of which are aligned with Russian interests.

Navigating the Delicate Balance: Transparency and Information Security in NATO



 

Steadfast Defender

Cyber Security Defense NATO Operational Security Steadfast Defender

Navigating the Delicate Balance: Transparency and Information Security in NATO

In the complex world of international relations and military alliances, NATO (North Atlantic Treaty Organization) is a critical pillar of collective defense. As NATO conducts its largest military exercise since 1988, the Steadfast Defender Exercise, it grapples with a fundamental challenge: maintaining transparency while safeguarding critical information.

The Tightrope Walk

At first glance, transparency seems like an unequivocal virtue. It fosters trust among member nations, reassures the public, and demonstrates NATO’s commitment to openness. However, when dealing with military operations, the equation becomes more intricate. Operational security (OPSEC) demands that certain details remain confidential to protect troops, strategies, and capabilities.

Brig. Gen. Gunnar Bruegner, assistant chief of staff at NATO’s Supreme Headquarters Allied Powers Europe, aptly captures this dilemma. He acknowledges the need for transparency but recognizes that it cannot come at the cost of compromising operational effectiveness. Striking the right balance is akin to walking a tightrope: one misstep and the consequences could be dire.

The Steadfast Defender Exercise

Steadfast Defender involves a series of military maneuvers across NATO member countries, with Poland hosting a crucial leg. The exercise aims to test NATO’s readiness and interoperability. While NATO wants to showcase its capabilities, it must also be cautious not to reveal too much. The elephant in the room is Russia—a nation that views NATO exercises as a direct threat.

The German Leak Incident

Recently, a leak in Germany added fuel to the fire. Discussions about potentially supplying Ukraine with Taurus missiles were intercepted by Russian intelligence. The audio from a web conference provided insights into missile supply plans and operational scenarios. Suddenly, the fine line between accountability and information security became starkly visible.

Russia’s Perception

Russia closely monitors NATO’s activities. For them, Steadfast Defender isn’t just a routine exercise; it’s a signal. As NATO briefs the media and the public, it must tread carefully. The challenge lies in providing a bigger picture without inadvertently revealing critical details. The delicate dance continues.

Lessons Learned from Ukraine

NATO’s caution stems from the lessons learned during the war in Ukraine. The conflict highlighted the importance of protecting sensitive information. Russia’s hybrid warfare tactics—combining conventional military actions with cyberattacks and disinformation—underscore the need for robust OPSEC.

The Way Forward

So, how does NATO navigate this minefield? Here are some considerations

Selective Transparency: NATO can be transparent about overarching goals, the importance of collective defense, and the commitment to deterrence. However, specific operational details should remain classified.

Secure Communication Channels: Ensuring secure communication channels during exercises and discussions is crucial. Encryption, secure video conferencing, and strict protocols can minimize leaks.

Educating Personnel: Every NATO member, from high-ranking officials to soldiers on the ground, must understand the delicate balance. Training programs should emphasize the importance of OPSEC.

Public Perception Management: NATO needs to manage public perception effectively. Transparency doesn’t mean revealing every tactical move; it means being accountable and explaining the broader context.

Navigating Ethical Challenges in AI-Powered Wargames



 

UK Government

AI regulation AI technology AI tools Artificial Intelligence Cyber Security ethical AI NATO UK Government

Navigating Ethical Challenges in AI-Powered Wargames

The intersection of wargames and artificial intelligence (AI) has become a key subject in the constantly changing field of combat and technology. Experts are advocating for ethical monitoring to reduce potential hazards as nations use AI to improve military capabilities.

The NATO Wargaming Handbook, released in September 2023, stands as a testament to the growing importance of understanding the implications of AI in military simulations. The handbook delves into the intricacies of utilizing AI technologies in wargames, emphasizing the need for responsible and ethical practices. It acknowledges that while AI can significantly enhance decision-making processes, it also poses unique challenges that demand careful consideration.

The integration of AI in wargames is not without its pitfalls. The prospect of autonomous decision-making by AI systems raises ethical dilemmas and concerns about unintended consequences. The AI Safety Summit, as highlighted in the UK government's publication, underscores the necessity of proactive measures to address potential risks associated with AI in military applications. The summit serves as a platform for stakeholders to discuss strategies and guidelines to ensure the responsible use of AI in wargaming scenarios.

The ethical dimensions of AI in wargames are further explored in a comprehensive report by the Centre for Ethical Technology and Artificial Intelligence (CETAI). The report emphasizes the importance of aligning AI applications with human values, emphasizing transparency, accountability, and adherence to international laws and norms. As technology advances, maintaining ethical standards becomes paramount to prevent unintended consequences that may arise from the integration of AI into military simulations.

One of the critical takeaways from the discussions surrounding AI in wargames is the need for international collaboration. The Bulletin of the Atomic Scientists, in a thought-provoking article, emphasizes the urgency of establishing global ethical standards for AI in military contexts. The article highlights that without a shared framework, the risks associated with AI in wargaming could escalate, potentially leading to unforeseen geopolitical consequences.

The area where AI and wargames collide is complicated and requires cautious exploration. Ethical control becomes crucial when countries use AI to improve their military prowess. The significance of responsible procedures in leveraging AI in military simulations is emphasized by the findings from the CETAI report, the AI Safety Summit, and the NATO Wargaming Handbook. Experts have called for international cooperation to ensure that the use of AI in wargames is consistent with moral standards and the interests of international security.

'Gay Furry Hackers' Claim to Have Stolen Nearly 3000 NATO Files



 

Threat Landscape

Data Breach Data Leak Hactivist Group NATO NATO Breach Threat Landscape

'Gay Furry Hackers' Claim to Have Stolen Nearly 3000 NATO Files

NATO is "actively addressing" various IT security breaches after a hacktivist group claimed it accessed some of the military alliance's websites once more, this time acquiring over 3,000 files and 9GB of data.

When questioned about the suspected intrusion, a NATO official declined to answer specific questions and stated that: "NATO is facing persistent cyber threats and takes cyber security seriously. NATO cyber experts are actively addressing incidents affecting some unclassified NATO websites. Additional cyber security measures have been put in place. There has been no impact on NATO missions, operations and military deployments."

On Sunday, the SiegedSec team claimed to have broken into six NATO web portals: the alliance's Joint Advanced Distributed Learning e-learning website; the NATO Lessons Learned Portal, from which the gang claimed to have stolen 331 documents; the Logistics Network Portal (588 documents and other files); the Communities of Interest Cooperation Portal (207 documents); and the NATO Standardisation Office (2,116 documents).

The hacktivists, who call themselves "gay furry hackers," mainly target government organisations whose policies they disagree with and have a tendency for political PR stunts, also shared a link to the allegedly stolen files on their Telegram channel.

"The astonishing siegedsec hackers have struck NATO once more!!1!!!," the crew wrote, bragging: "NATO: 0. Siegedsec: 2."

The hacking group is referring to its previous NATO infiltration in July, when it claimed to have stolen material from 31 countries and exposed 845MB of data from the alliance's Communities of Interest (COI) Cooperation Portal.

Despite the fact that it doesn't include any classified information, this website is used by NATO organisations and member nations. And yes, SiegedSec claims to have broken into one of the portals again towards the end of September.

Threat intelligence firm CloudSEK analysed the exposed material from the previous hack and discovered at least 20 unclassified documents and 8,000 personnel records with names, firms and units, working groups, job titles, business email addresses, home addresses, and images.

To put it another way: essentially everything a spy, would-be identity thief, doxxer, social-engineering campaign coordinator, or plain old troll would want for potential fraud, phishing, espionage, or other types of general havoc.

The Ukraine Invasion Blew up Russian Cybercrime Alliances



 

Russia

ALPHV Cyber Crime Cyberattack Cybersecurity Google LockBit Microsoft NATO Russia

The Ukraine Invasion Blew up Russian Cybercrime Alliances

Over the years, Russia has built up one of the world’s most formidable cybercriminal ecosystems. Russian hacker groups are linked to disruptive cyberattacks including one of the United States’ most critical oil pipelines and the world’s largest meat producers.

A recently released study suggests that the conflict between Russia and the former Soviet Union disrupted the criminal ecosystem in Russia and its former Soviet satellite states. This was a year after the illegal invasion. Alexander Leslie, the associate threat intelligence analyst at Recorded Future's Insight Group, believes this is one of the most significant developments in the history of cybercrime. It has broad implications affecting nearly every aspect of the world of cybercrime.

In a recent interview with The Register, Leslie told them that these fractures can be felt in all facets of the Russian-speaking underground: digital fraud, dark web forums and marketplaces, ransomware gangs, and hacktivists, all of whom derive their revenue from Russian-speaking underground activities.

"Russia's military intervention in Ukraine has ushered in the era of volatility and unpredictability in the world of international cybercrime, which carries a multitude of implications for the defense community," Leslie said in a statement.

As per the report, Russian cybercrime refers to a wide range of crimes perpetrated by miscreants who speak Russian languages in a variety of parts of the world, including Russia, Ukraine, Belarus, the Baltics, the South Caucasus, and Central Asia. Leslie, during the time before the war, all of these criminal elements shared a common goal. This goal was refusing to target entities located in the Commonwealth of Independent States. This was so as not to draw attention from law enforcement. The day after the Russian government began attacking critical infrastructure on February 24, 2022, the Conti ransomware gang immediately declared its "full support" for the Russian government and pledged to use all the resources at its disposal to take back the critical infrastructure that had been destroyed. There were later claims that the country had condemned the war, but the damage had already been done at that point.

Hundreds of internal documents from Conti's internal domains were leaked by a Ukrainian security researcher on February 27, 2022. It was the so-called Conti leaks that led to the Trickbot leaks, which were able to reveal Trickbot's senior leadership by using the information revealed in the Conti data dump, which was appropriated by the Trickbot leaks. According to reports, Conti closed down its operations in the weeks that followed.

Moreover, Conti's rival gangs such as ALPHV (BlackCat) and LockBit neither declared their loyalty to the Kremlin to any significant extent, while on the other hand, some of his rival gangs did.

There is also a decrease in the number of ransomware attacks in the context of the war in general, which may be attributable to fewer Russian cyberattacks as well. It has been a year since the war started and fears of large-scale disruptions of Ukrainian and Western infrastructure have not yet been realized. Although Russia has not given up, Google reported that it would increase the targeting of Ukrainian users by 250 percent by the year 2022 compared to 2020. In contrast, it will increase the targeting of NATO users by 300 percent.

As experts point out, this is not necessarily an indictment of Russia's cyber capabilities. Instead, it is an indication of the effectiveness of Ukrainian cyber defense backed up by its Western allies and companies such as Google, Microsoft, and Amazon on the ground. This is a largely successful strategy.

The Georgia Institute of Technology's Nadiya Kostyuk, who specializes in modern warfare and cyber conflict, has said that that support was "crucial" to Ukraine's cyberspace remaining relatively unscathed, despite the geopolitical turmoil around the world.

It is currently apparent that Ukraine's cyber capabilities haven't kept up with those of Russia even though it has been developing them since 2014. According to her, Microsoft, along with other companies, had played a huge part in building more resilient networks and systems as well as defending Ukraine's cyberspace.

Forum Rules for the Russian Dark Web.

The war did not only expose the fault lines of ransomware gangs, but also other criminals associated with these gangs. It would appear that the invasion of Ukraine also violates an unwritten rule on Russian-language dark web forums, which holds that criminals would not target organizations in former Soviet states unless they were inside the country.

Despite the increased geographical decentralization of cybercriminal groups, Leslie predicts that the industry will become more centralized in the future.

During the kinetic war and in the immediate aftermath of it, there was also an increase in pro-Russian hacktivist groups. The 'second wave' of hacktivism took place around March 22, 2022, when Killnet's campaign against the Latvian government was initiated, following the initial wave of hacktivism, which included pre-existing groups such as the Stormous ransomware gang as well as new crews that were created to support the Russian war effort.

An Increase in the Number of Killnets

Despite that, Recorded Future claims that Killnet dominated this second wave of electronic music.

As a consequence of these attacks, the gang and its subgroups have expanded their targets beyond Europe. They have in recent years targeted the Americas, Asia, and other parts of the world.

Recorded Future says that most of the pro-Russian hacktivist groups active since the end of the war are no longer active despite estimates by security researchers such as @Cyberknow20 that there were 70 or more such groups active at the beginning of the war.

As the authors point out, although they identified about 100 such groups between February 24, 2022, and February 10, 2023, only a few remain active today. This is even though a total of about 100 groups were identified.

Even those that remain are not very effective, as there are only a few left. A new FBI report describes Killnets' distributed denial of service attacks as having "limited success" in the course of their attacks. Additionally, the researchers point out that their impact on the overall war effort has been "minimal" at best, in terms of the effects on the war effort.

Is 2023 Going to be a Year of Change?

A second year of the war is expected to bring more of the same from security researchers, with insider criminal gangs leaking information, hacktivist attacks making headlines, and database dumps being sold on dark-web forums - possibly with a rise in Russian and Belarusian databases that have been leaked - as well as credential leaks targeting .ru and .by domains that have been targeted by hackers. As a result of the malware-as-a-service threat landscape and the ongoing changing of the criminal forums on the dark web, "volatility and instability" are predicted to persist through 2023 throughout the Russian-speaking dark web market.

In the short term, Leslie predicts that the cyber efforts of Ukraine are likely to be stepped up in 2023. The public-private partnership has helped foster increased collaboration between intelligence agencies and the provision of active defensive support, and we anticipate that this will only increase in the years to come, Leslie added.

The majority of offensive operations are likely to be undertaken by the IT Army of Ukraine. This is expected to maintain support to enable a method of crowdsourced hacktivism that will continue to dominate offensive operations.

He says he expects more hack-and-leak attacks from the Ukrainian IT Army in the future, but the most dominant methods of attack will likely remain DDoS attacks and website defacement.

Russian Hackers Targeted an Oil Refinery in a NATO Nation



 

Russian Hackers

Cyber Attacks NATO Oil Refinery Russia-Ukraine War Russian Hackers

Russian Hackers Targeted an Oil Refinery in a NATO Nation

A hacker gang with Russian ties attempted to enter a petroleum refining business in a NATO member state in late August, the latest report by Palo Alto’s Unit 42 revealed.

According to the report, the attempted intrusion, which appears to have been unsuccessful, took place on August 30 by a hacking group called “Trident Ursa" and was executed through spear phishing emails using English-named files with words like "military assistance."

The news of Trident Ursa's most recent moves came just after National Security Agency Cyber Director Rob Joyce issued a warning that Russian state-sponsored hackers may target NATO nations' energy sectors in the upcoming months.

According to Joyce, these attacks could have "spillover" effects on Ukraine's neighbors, such as Poland, where Microsoft recently issued a warning that Russian-backed hackers had intensified their operations on the nation's logistics sector, a crucial supporter of the Ukrainian military effort.

Triton Ursa, also known as "Gamaredon" or "Armageddon," has connections to Russia's Federal Security Service and has been operating since at least 2014. It is primarily recognized for its phishing operations that gather intelligence. Since the commencement of the war in Ukraine, the gang has been quite active, and it has previously attempted to phish Ukrainian entities.

The infiltration of a petroleum refining company was likely done to boost "intelligence gathering and network access against Ukrainian and NATO partners," according to the Unit 42 assessment.

Trident Ursa is still one of the most "pervasive, intrusive, continually active and targeted APTs targeting Ukraine," according to Unit 42 researchers, who told CyberScoop, a cybersecurity portal, in an email that they don't think it has more than 10 members.

“This group’s operations are regularly caught by researchers and government organizations, and yet they don’t seem to care. They simply add additional obfuscation, new domains, and new techniques and try again — often even reusing previous samples,” the report reads.

Researchers claim that Trident Ursa is not technically advanced and instead relies on enticements and freely accessible resources. The gang uses geo-blocking to restrict their assaults, allowing users to download infected files only in selected nations. This lowers the visibility of their attacks and makes it harder to spot their efforts.

The Russian hacker organization also exhibits some unusual preferences for choosing domain names that make pop culture references. According to Unit 42's analysts, some of the domains contain names of American basketball teams, well-known rock bands like Metallica and Papa Roach, and characters from the hit TV programme "The Big Bang Theory."

The gang also has a pattern of harassing and abusing its rivals online. A Trident Ursa member going by the name "Anton" issued a warning on Twitter shortly after the Russian invasion of Ukraine, saying, "I'm coming for you." The gang appears to have named their subdomains after a Ukrainian cybersecurity expert.

Missile Supplier MBDA Breach Disclosed by CloudSEK



 

ZIP File

CloudSEK Data Breach MBDA NATO User Privacy ZIP File

Missile Supplier MBDA Breach Disclosed by CloudSEK

In July, a threat actor operating by the online alias Adrastea claimed to have breached MBDA. The threat actor describes itself as a team of independent cybersecurity experts and researchers.

According to Adrastea, they have taken 60 GB of sensitive data and discovered significant flaws in the organization's infrastructure. As per attackers, the stolen material includes details about the remaining workforce participating in military programs, business ventures, contract agreements, and correspondence with other businesses.

A new advisory about the suspected hacking campaign against MBDA has been published by security researchers at CloudSEK. The blog site, posted on Sunday, claimed that CloudSEK's researchers were successful in locating and decrypting the password-protected ZIP file holding the evidence for the data breach.

The hackers uploaded a post in which the password to unlock the file was mentioned. Two folders with the names 'MBDA' and 'NATO Diefsa' were included in the ZIP file.

The folder, according to the security professionals, contained files outlining the private personally identifiable information (PII) of MBDA's employees as well as numerous standard operating procedures (SOPs) supporting the need for NATO's Counter Intelligence to prevent threats related to terrorism, espionage, sabotage, and subversion (TESS).

The SOPs define NATO collection and plan functions, roles, and practices utilized in support of NATO operations and exercises. According to CloudSEK, "the SOPs also contain all IRM & CM (Intelligence Requirement Management and Collection Management) process activities that result in the successful and efficient execution of the intelligence cycle."

Internal drawings of missile system wiring diagrams, electrical schematic diagrams, and records of actions connecting the MBDA to the European Union's Ministry of Defence were also apparently included in the retrieved papers.

The cybersecurity firm made it clear that Adrastea's reputation as a threat actor is currently poor due to the numerous objections and concerns noted in the dark web forums where hackers purportedly posted the MBDA material.

Furthermore, as this is the group's first known activity, it is challenging to determine whether the material posted is accurate.

Classified NATO Documents Stolen from Portugal, Now Sold on Darkweb



 

Theft

Data Breach Data Leak data security NATO Safey Theft

Classified NATO Documents Stolen from Portugal, Now Sold on Darkweb

The Portuguese Armed Forces General Staff Agency (EMGFA) was reportedly the victim of a cyberattack that resulted in the theft of classified NATO documents, which are now being sold on the dark web.

EMGFA is the government agency in charge of controlling, planning, and operating Portugal's armed forces. The agency only discovered it had been hacked after hackers posted samples of the stolen material on the dark web, offering to sell the files to interested parties.

American cyber-intelligence agents discovered the sale of stolen documents and notified the US embassy in Lisbon, which alerted the Portuguese government of the data breach. A team of experts from the National Security Office (GNS) and Portugal's national cybersecurity centre was immediately dispatched to EMGFA to carry out the a complete screening of the body’s entire network.

The story was first reported by the local news outlet Diario de Noticias, which claims to have confirmed the accuracy of the information through anonymous sources close to the ongoing investigations. According to these sources, the leaked documents are of "extreme gravity," and their dissemination could jeopardise the country's credibility in the military alliance.

“It was a cyberattack prolonged in time and undetectable, through bots programmed to detect this type of documents, which were later removed in several stages,” stated one of DN’s sources.

EMGFA's computers are air-gapped, but the exfiltration used standard non-secure lines. As a result, the investigation's first conclusion is that the top military body violated its operational security rules at some point. As of today, no official statement has been issued by the Portuguese government on the subject, but the political opposition is increasing pressure for a briefing in response to DN's report.

Many members of parliament expressed surprise after learning that classified military documents were being sold on the internet and that the country's intelligence services had failed to detect such a critical breach. As a result, they asked the chairman of the parliamentary defence committee, Marcos Perestrello, to intervene and schedule hearings on the incident as soon as possible.

Hackers Sell Classified Data of Missile Firm MBDA, NATO Launches Investigation



 

NATO

Confidential Data Data Breach MBDA NATO

Hackers Sell Classified Data of Missile Firm MBDA, NATO Launches Investigation

Hackers claim classified data on sale

A cybercrime gang is selling confidential data which was stolen from MBDA Missile Systems (A European Firm.) For the users' information, MBDA is a European company that makes missiles and other weapons.

It was established in 2001 from a merger of British, Italian, and French companies. MBDA is the world's second largest missile maker, the first being Boeing.

The company has three main product lines- air-to-surface missiles, air-to-air missiles, and surface-to-air missiles. The weapons are used by the militaries of more than 40 countries.

About MBDA

MBDA's headquarters are in Paris, France. The company has manufacturing setups in Britain, Spain, France, and Italy. It has more than 13,000 employees.

Unknown hackers claim that they have confidential military data accessed from MBDA after a successful data attack.

As observed by HackRead.com, in the beginning, threat actors using Russian and English hacking platforms were selling around 80 GB of stolen data for 15 BTC (approx $294,000).

Company admits that data breach happened

But, on August 29th, the gang lowered the price to 1BTC ($19,000) for data worth 70GB. On the other hand, BBC, MBDA, has admitted that part of its data were hacked after breaching an external hard disk.

NATO has launched an investigation into selling top-secret weapon and missile data files online. MBDA is collaborating with investigation authorities in Italy, as it is the place where the data attacks happened.

The investigation is focusing on one of the firm's suppliers. One should note that NATO is among MBDA's clients. A NATO representative said that they are assessing claims relating to data allegedly stolen from MBDA.

He also said that there's no confirmation that the NATO network was compromised. The firm says that it followed all required measures to protect its networks.

MBDA'S Stand

It insists that the data compromise happened many weeks ago and the breached data is not sensitive or classified. MBDA denies the hacking group's claims that they are selling confidential military data.

No hacking of our secure networks has occurred. MBDA can confirm that there is no protectively marked data from MBDA involved, said MBDA.

HackRead reports, "MBDA further explained that it refused to yield to the hackers’ ransom demands, which is why they are spreading misinformation on the internet to force the company to pay the ransom. However, the company won’t give in and vowed to take all legal actions against the blackmailers."

The data was still on sale, during the time this article was written.

South Korea Joins NATO's Cyber Research Centre, Becomes First Asian Member



 

South Korea

CCDCOE Cyber defense Cyber Security NATO South Korea

South Korea Joins NATO's Cyber Research Centre, Becomes First Asian Member

South Korean intelligence agency on Thursday said that South Korea has joined a cyber defense group under NATO (North Atlantic Treaty Organization), becoming its first Asian member community. ZDNet reports "South Korea had suffered numerous cyberattacks in the past with targets ranging from state-run nuclear research institutes to cryptocurrency companies, most of which were allegedly committed by North Korean hacking groups."

According to National Intelligence Service (NIS), South Korea, along with Luxembourg and Canada, have been added to the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE), a think tank from Tallinn, Estonia. It supports member countries and NATO with cyber defense research, exercises, and training. CCDCOE was founded in 2008 by NATO countries, on behalf of Estonia's initiative, as a response to the country suffering intense cyberattacks done by Russia.

With the inclusion of the three latest members, CCDCOE now has 32 members among which, 27 are sponsored members of NATO and 5 contributing members, which includes South Korea, which is not a part of NATO. NIS said that South Korea has been active since 2019 to become a member of CCDCOE to learn cyber defense expertise to safeguard the country's infrastructure backbone, and to plan out a global strategy. NIS is planning to send more staff to the center and increase the scope of joint training. Cyberattacks were making a massive impact on users and countries that need global cooperation to respond.

South Korea will work alongside CCDCOE members to formulate a robust cyber defense system. "Even prior to becoming an official member of the center, South Korea had taken part in CCDCOE's large-scale, live-fire cyber defense exercise, Locked Shields, where thousands of experts from member nations and partners jointly defended a fictional country against simulated cyberattacks," says ZDNet.

Bangladesh Cyber Incident Response Team has Issued a Warning About Malware Attacks Around Eid



 

NATO

Bangladesh Cyber Army Botnets CIA Cyber Attacks DDOS Tools keylogger Malicious actor NATO

Bangladesh Cyber Incident Response Team has Issued a Warning About Malware Attacks Around Eid

Officials have warned of a possible cyber-attack on Bangladesh's financial and other key institutions' computer systems during the Eid vacations. According to a statement issued by the Digital Security Agency, the affected authorities must install or update anti-DDOS hardware and software.

Officials believe the warning was sent by the government's specialized cyber-threat agency as a global cyberwar erupts in the Russia-Ukraine conflict, with NATO assisting the latter with arms support.

The Bangladesh Computer Council's e-Government Computer Incident Response Team (BGD e-GOV CIRT) also recommends all key information facilities' internal systems be checked and monitored.

Following the current conflict between Ukraine and Russia, Tarique M Barkatullah, director (operations) of the Digital Security Agency and project director of the BGD e-GOV CIRT, stated “hackers from both sides are using important information infrastructures of different countries to spread botnets and malware and attack each other.”

Botnets are computer networks infected with malware (such as computer viruses, key loggers, and other malicious code or malware) and remotely controlled by criminals, either for monetary gain or to launch assaults on websites or networks.

BGD e-Gov CIRT discovered over 1400 IP numbers used in Russia after analyzing the warning message issued by the Russian Computer Security Incident Response Team. According to the CIA, hackers are using these IPs to spread propaganda and launch distributed denial of service (DDoS) operations.

Tareq M Barkatullah, project director of BGD e-Gov CIRT, remarked in this reference: “The country's afflicted financial institutions and public service suppliers are being hampered in providing its usual services due to the exploitation of these IP-enabled Bangladeshi servers."

According to the Financial Express, Prof Dr. Md Salim Uddin, chairman of the executive committee of Islami Bank Bangladesh Limited (IBBL), several financial institutions have been targeted by cyber-attacks as a result of the current crisis between Ukraine and Russia.

IBBL is well-prepared to thwart any cyber-attack because it is always adopting new technological solutions. Among the internal systems, he emphasized strengthening cyber-security with new tech solutions and monitoring systems. To prevent all types of cyber threats, financial institutions should join an organization or platform to improve cooperation and integration. He further urges the government to expand collaboration and support in this area in order to combat rising cyber-threats in the future.

Hackers from China's 'Mustang Panda' were Utilizing New 'Hodur' Malware



 

Trojan

Chinese Hackers DLL load hijacking ESET ISP malware NATO THORChain Trojan

Hackers from China's 'Mustang Panda' were Utilizing New 'Hodur' Malware

Mustang Panda (a.k.a. Temp.Hex, HoneyMyte, TA416 or RedDelta), a China-based advanced persistent threat (APT), has been traced to an ongoing cyberattack campaign using a formerly undocumented variation of the PlugX remote access trojan on affected workstations mostly in and around Southeast Asia. For its similarities to another PlugX (aka Korplug) variation called THOR which surfaced in July 2021, slovak cybersecurity firm ESET termed the current version Hodur.

Korplug is a proprietary virus used widely, it was initially uncovered in a 2020 investigation that looked into Chinese hackers' activities against Australian targets. Mustang Panda employs phishing lures with counterfeit papers to target European embassies, ISPs (Internet Service Providers), and research institutes in the most recent known campaign, according to cybersecurity firm ESET. "Anti-analysis measures and control-flow obfuscation are used at every level of the deployment process," the firm told.

Hodur is based on PlugX, a remote access tool that "allows remote users to steal data or take control of impacted systems without authorization. It can copy, move, rename, execute, and delete files, as well as log keystrokes and fingerprint the infected system." The infections end with the implementation of the Hodur backdoor on the infected Windows host, irrespective of the phishing lure used.

As formerly stated, the campaign begins simply, with the group phishing its targets using current events. Proofpoint identified it using a NATO diplomat's email address to send out.ZIP and.EXE files labeled "Situation at the EU Borders with Ukraine" last month. If a victim accepts the bait, a legitimate, properly signed executable prone to DLL search-order hijacking will be delivered. Russia, Greece, Cyprus, South Africa, Vietnam, Mongolia, Myanmar, and South Sudan are the countries targeted in this campaign.

ESET claims to have sampled sophisticated custom loaders as well as new Korplug (Hodur) versions still using DLL side-loading but has considerably more robust obfuscation and anti-analysis techniques across the infection chain. The side-loading custom DLL loader uses a digitally-signed genuine executable, in this case, a SmadAV file, and leverages a known flaw. Except for one, which loads the new Korplug variation, the loader's many functions are all fake.

As it is a Chinese actor with a history of pursuing higher political espionage purposes, the scope of its targeting should be rather consistent.

Cyberattack on NATO Can Trigger Collective Defense Issue



 

Ukraine

Cyber Attacks Cybersecurity NATO Russia Ukraine

Cyberattack on NATO Can Trigger Collective Defense Issue

Cyberattack on a NATO member State can incite Article 5, the collective defense clause, said a NATO official on Monday, amid threats that disturbance in cyberspace related to Russia's invasion of Ukraine could reach out to other countries. The military alliance since the beginning has made it clear that a cyberattack attack could entice the clause, however, such a scenario is mostly considered hypothetical. Allie also acknowledges that the effect of special malicious activities (Cybersecurity) in some situations can be considered an armed attack.

"These are things that have been in hypothetical discussion for a decade, but because we've not come to any universal conclusion on what those standards should be, what level of attribution is needed, we're kind of in a very grey area," said U.S. Senate Intelligence Committee Chairman Mark Warner. As per officials, they will not speak about the seriousness of cyberattack, in triggering a collective response. Any action includes economic and diplomatic sanctions, conventional forces, and cyber measures.

It all depends on the seriousness of the attack. To check if a cyberattack meets the set threshold of an attack that is large enough to enable Article 5 is decided by the NATO allies. The US and Britain have been alarmed about possible cyberattacks ok Ukraine which can lead to global consequences. For instance, a harmful virus was made to attack Ukranian networks which later spread to other areas.

Another concern among cybersecurity experts is that Russia can work along with gangs that operate via malicious software, for instance, the infamous US colonial pipeline incident which happened last year. "According to Reuters "Mark posed the hypothetical case of a Russian cyberattack on Ukraine that impacts NATO member Poland, triggering power outages that result in hospital patients dying or knocking out traffic lights, causing fatal road accidents involving U.S. troops deployed there."

Ukraine: DDoS Attacks on State Websites Continue



 

United States

Cyber Attacks CyberWar DDOS Attack Fancy Bear NATO Russia Ukraine Ukraine Websites Ukrainian Cyber Security United States

Ukraine: DDoS Attacks on State Websites Continue

Since February 23, some Ukrainian government websites have been subjected to DDoS attacks: web resources of the Ministry of Defense, the Verkhovna Rada of Ukraine, the Ministry of Foreign Affairs and others have suffered interruptions.

The Insider publication (the organization is included in the list of foreign agents by the Ministry of Justice of Russia), referring to the data of the independent cyber analyst Snorre Fagerland, stated that the hacker group ART23 (Fancy Bear), which is attributed to links with the Main Intelligence Directorate of the Russian Federation, was behind the attacks.

However, Igor Bederov, head of the Information and Analytical Research Department at T.Hunter, called this statement a provocation. "The investigation of a cyberattack (attribution) is a long and complex process that cannot be carried out from beginning to end in hours. Analysis of hacker software and malicious code is always a long and painstaking process," Mr. Bederov said.

According to him, even if traces leading to Fancy Bear were indeed found, it's still impossible to say that this particular group was behind the attack. Mr. Bederov thinks that other hackers could have also taken advantage of the malware previously used by Fancy Bear. It's possible because hacker tools are openly resold on the Darknet.

"Primary attribution is based on matching the hacker code used in today's attack with the code used in yesterday's attack, as well as special characters specific to a language group. This approach is fundamentally wrong, because the code can be stolen or bought, and the linguistic features can be imitated," said the expert.

Mr. Bederov also noted that within the framework of pro-state activity, mainly Chinese groups like to engage in substitution of attribution. In addition, according to him, the NATO cyber intelligence center located in Tallinn was previously noticed for the substitution of attribution.

Earlier it was reported that DDoS attacks on the website of the Ministry of Defense of Ukraine could have been deliberately set up by the United States. Earlier, Viktor Zhora, Deputy Chairman of the State Service for Special Communications and Information Protection of Ukraine, said that the government of Ukraine is ready for the scenario of forced destruction of secret data on servers. According to him, the authorities do not want to take risks and are not going to leave documentation and detailed information about the population of Ukraine to the enemy.

He also said that if Russia gets access to government passwords, Ukrainian specialists "will quickly block access to hacked accounts."



 

NATO

Cloud Security Cyber Crime Europe Hackers NATO

NATO's Cloud Platform Hacked

The SOA & IdM platform is utilized by NATO and is classified as secret. It was used to conduct various critical functions inside the Polaris programme. The North Atlantic Treaty Organization (NATO), commonly known as the North Atlantic Alliance, is an intergovernmental military alliance made up of 30 European and North American countries.

The organization is responsible for carrying out the North Atlantic Treaty, which was signed on April 04, 1949. NATO is a collective defense organization in which NATO's independent member states commit to defending each other in the event of an external attack. NATO's headquarters are in Haren, Brussels, Belgium, and Allied Command Operations' headquarters is near Mons, Belgium.

Polaris was developed as part of NATO's IT modernization effort and uses the SOA & IdM platform to provide centralized security, integration, and hosting information management. The military alliance classified the platform as a secret because it performs multiple key roles.

According to the hackers, they used a backdoor to make copies of the data on this platform and attempted to blackmail Everis. They went even further, making jokes about handing over the stolen material to Russian intelligence.

Paul Howland, Polaris Program Officer explained the benefits of the program: “This project has the potential to be a game-changer in how NATO will develop and deploy its operational services in the future. It will drive innovation and reduce costs. Operational by ensuring a much greater reuse of deployed capacities".

The hackers who carried out the attack said they had no idea they could take advantage of a flaw in the NATO platform at first. Furthermore, they concentrated solely on Everis' corporate data in Latin America, despite NATO's announcement that it was ready to respond to a cyber-attack. One of the secure NATO systems was among Everis' subsidiaries, much to their astonishment.

After analyzing the company and discovering documents connected to drones and military defense systems, the hackers continued stealing more data from Everis networks. They justified their actions by claiming that they were not "for peace on earth and in the cyber world" when they slowed the development of the Polaris programme. The hackers sought a ransom of XMR 14,500 from Everis in exchange for not linking the company's identity to the LATAM Airlines data breach. They've also demanded this money in exchange for not revealing any NATO data.

Japan Ups Its Cyber-Warfare Game; Becomes a Member of NATO.



 

NATO

Cybersecurity Japan NATO

Japan Ups Its Cyber-Warfare Game; Becomes a Member of NATO.

Cautiously judging China for possible cyber threats, on December 2, Japan in actuality became a new contributor in NATO’s cyber-security war strategies by becoming a member.

Up till 2018, only an observer, Japan moved up its status in the field of “cyber-warfare”.

The Defense Ministry of Japan reportedly mentioned that it has very little experience when it comes to international exercises. There are several things and issues they need to work on, the language barrier being on the list.

The Cyber defenses Japan had to offer so far have always been a matter of criticism compared especially with those of the western nations which made them wonder about any possible cyber-suffrage that could be caused.

China’s infamous cyber-history includes several hacker organizations that are clearly blossoming. From attacks on the government to corporate servers, they’ve done it all.

Reportedly, China is feared to have massive cyber-attack efficacies to match that of Russia’s and that’s what’s causing the U.S and the other European countries to lose sleep.

Pondering over data breaches, Washington has urged other nations to shun Chinese-made telecommunication gear for their “fifth-generation wireless infrastructure”.

The NATO’s Cyber Coalition has its command center in Estonia and proposes one of the world’s greatest exercises of its type. It’s in full swing, with participants like Ukraine, the European Union, and the U.S. totaling up to over 30.

As part of the cyber-security exercise, the “Cyber Coalition” drills model situations that vary from “state compromised computer systems” to the role of cyber-attacks in cross-border battles and even defense against virtual enemies.



 

NATO

Cyber Security Hacking National Security NATO

Cyber Space Is Now A New Domain?

All the member countries of The North Atlantic Treaty Organization (NATO) are confident that all the member countries would retaliate if even a single member country is under cyber-attack.

The member countries include European countries, the US and Canada.

According to Article 5 of the founding treaty of NATO, “a collective defence commitment” could be made under the above circumstances. The article hasn’t been provoked since the 9/11 attack.

Per sources, “Cyber-space” has been designated as a domain which shall be defended and operated effectively like land, sea and air.

NATO hasn’t made such claims for the first time. The “Wannacry ransomware” attack which had wreaked havoc in the UK and NHS didn’t get the support of the Article 5.

There is no doubting the fact that considering an attack on one country as an attack on other countries too will be a herculean task when it comes to implementation.

The aspects and dimensions of an attack when it comes to cyber-crime and cyber-space are way different and abstract as compared to other forms of war.

Countries like Russia and Ukraine have been a part of such debates for quite some time now and there is no resolving and finding out the actual dimensions of an “attack”.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

About Me

Showing result(s) for

Popular Posts

Pages

Menu Item

The Tightrope Walk

The Steadfast Defender Exercise

The German Leak Incident

Russia’s Perception

Lessons Learned from Ukraine

The Way Forward

Hackers claim classified data on sale

About MBDA

Company admits that data breach happened

MBDA'S Stand