Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Russia. Show all posts
Youtube
Blackmail Internet malware Russia SilentCryptominer Social Media Youtube

SilentCryptominer Threatens YouTubers to Post Malware in Videos

SilentCryptominer Threatens YouTubers to Post Malware in Videos

Experts have discovered an advanced malware campaign that exploits the rising popularity of Windows Packet Divert drivers to escape internet checks.

Malware targets YouTubers 

Hackers are spreading SilentCryptominer malware hidden as genuine software. It has impacted over 2000 victims in Russia alone. The attack vector involves tricking YouTubers with a large follower base into spreading malicious links. 

“Such software is often distributed in the form of archives with text installation instructions, in which the developers recommend disabling security solutions, citing false positives,” reports Secure List. This helps threat actors by “allowing them to persist in an unprotected system without the risk of detection. 

Innocent YouTubers Turned into victims

Most active of all have been schemes for distributing popular stealers, remote access tools (RATs), Trojans that provide hidden remote access, and miners that harness computing power to mine cryptocurrency.” Few commonly found malware in the distribution scheme are: Phemedrone, DCRat NJRat, and XWorm.

In one incident, a YouTuber with 60k subscribers had put videos containing malicious links to infected archives, gaining over 400k views. The malicious links were hosted on gitrock[.]com, along with download counter crossing 40,000. 

The malicious files were hosted on gitrok[.]com, with the download counter exceeding 40,000.

Blackmail and distributing malware

Threat actors have started using a new distribution plan where they send copyright strikes to content creators and influencers and blackmail them to shut down channels if they do not post videos containing malicious links. The scare strategy misuses the fame of the popular YouTubers to distribute malware to a larger base. 

The infection chain starts with a manipulated start script that employs an additional executable file via PowerShell. 

As per the Secure List Report, the loader (written in Python) is deployed with PyInstaller and gets the next-stage payload from hardcoded domains.  The second-stage loader runs environment checks, adds “AppData directory to Microsoft Defender exclusions” and downloads the final payload “SilentCryptominer.”

The infamous SilentCryptoMiner

The SilentCryptoMiner is known for mining multiple cryptocurrencies via different algorithms. It uses process hollowing techniques to deploy miner code into PCs for stealth.

The malware can escape security checks, like stopping mining when processes are running and scanning for virtual environment indicators. 

Read more »
Russia cyber threats
Cyber Defence Cyber Security Cyber Warfare FBI Russia Russia cyber threats

U.S. Pauses Offensive Cyberoperations Against Russia Amid Security Concerns

 

Defense Secretary Pete Hegseth has paused offensive cyberoperations against Russia by U.S. Cyber Command, rolling back some efforts to contend with a key adversary even as national security experts call for the U.S. to expand those capabilities. A U.S. official, speaking on condition of anonymity to discuss sensitive operations, on Monday confirmed the pause. 

Hegseth’s decision does not affect cyberoperations conducted by other agencies, including the CIA and the Cybersecurity and Infrastructure Security Agency. But the Trump administration also has rolled back other efforts at the FBI and other agencies related to countering digital and cyber threats. The Pentagon decision, which was first reported by The Record, comes as many national security and cybersecurity experts have urged greater investments in cyber defense and offense, particularly as China and Russia have sought to interfere with the nation’s economy, elections and security. 

Republican lawmakers and national security experts have all called for a greater offensive posture. During his Senate confirmation hearing this year, CIA Director John Ratcliffe said America’s rivals have shown that they believe cyberespionage — retrieving sensitive information and disrupting American business and infrastructure — to be an essential weapon of the modern arsenal. “I want us to have all of the tools necessary to go on offense against our adversaries in the cyber community,” Ratcliffe said. Cyber Command oversees and coordinates the Pentagon’s cybersecurity work and is known as America’s first line of defense in cyberspace. It also plans offensive cyberoperations for potential use against adversaries. 

Hegseth’s directive arrived before Friday’s dustup between President Donald Trump and Ukrainian President Volodymyr Zelenskyy in the Oval Office. It wasn’t clear if the pause was tied to any negotiating tactic by the Trump administration to push Moscow into a peace deal with Ukraine. Trump has vowed to end the war that began when Russia invaded Ukraine three years ago, and on Monday he slammed Zelenskyy for suggesting the end to the conflict was “far away.” 

The White House did not immediately respond to questions about Hegseth's order. Cyber warfare is cheaper than traditional military force, can be carried out covertly and doesn’t carry the same risk of escalation or retaliation, making it an increasingly popular tool for nations that want to contend with the U.S. but lack the traditional economic or military might, according to Snehal Antani, CEO of Horizon3.ai, a San Francisco-based cybersecurity firm founded by former national security officers. Cyberespionage can allow adversaries to steal competitive secrets from American companies, obtain sensitive intelligence or disrupt supply chains or the systems that manage dams, water plants, traffic systems, private companies, governments and hospitals. The internet has created new battlefields, too, as nations like Russia and China use disinformation and propaganda to undermine their opponents. 

Artificial intelligence now makes it easier and cheaper than ever for anyone — be it a foreign nation like Russia, China or North Korea or criminal networks — to step up their cybergame at scale, Antani said. Fixing code, translating disinformation or identifying network vulnerabilities once required a human — now AI can do much of it faster. “We are entering this era of cyber-enabled economic warfare that is at the nation-state level,” Antani said. “We’re in this really challenging era where offense is significantly better than defense, and it’s going to take a while for defense to catch up.” Meanwhile, Attorney General Pam Bondi also has disbanded an FBI task force focused on foreign influence campaigns, like those Russia used to target U.S. elections in the past. And more than a dozen people who worked on election security at the Cybersecurity and Infrastructure Security Agency were put on leave. 

These actions are leaving the U.S. vulnerable despite years of evidence that Russia is committed to continuing and expanding its cyber efforts, according to Liana Keesing, campaigns manager for technology reform at Issue One, a nonprofit that has studied technology’s impact on democracy. “Instead of confronting this threat, the Trump administration has actively taken steps to make it easier for the Kremlin to interfere in our electoral processes,” Keesing said.
Read more »
Russia cyber threats
Cyber Security Cybersecurity Russia Russia cyber threats

Trump Administration Halts Offensive Cyber Operations Against Russia Amid Ukraine War Talks

 

The Trump administration has issued orders to suspend U.S. offensive cyber operations targeting Russia, a move reportedly aimed at encouraging Russian President Vladimir Putin to engage in diplomatic discussions over the war in Ukraine. According to The Record, U.S. Defense Secretary Pete Hegseth directed the halt, which is expected to remain in place indefinitely. 

This decision comes in the wake of a heated Oval Office dispute on Friday between President Donald Trump, Vice President JD Vance, and Ukrainian President Volodymyr Zelensky over continued U.S. financial and military support for Ukraine. The previous Biden administration had strongly backed Ukraine, committing billions of dollars in aid and weaponry to counter Russian aggression. 

However, the Trump administration’s shift in stance has raised uncertainty regarding America’s future role in the conflict. Meanwhile, British Prime Minister Keir Starmer announced on Sunday that European nations would establish a “coalition of the willing” to continue providing support to Ukraine. 

The extent of the U.S. cyber operations suspension remains unclear, but officials stress that understanding Russia’s objectives in Ukraine is crucial for assessing Moscow’s broader geopolitical strategy, particularly in the realm of cyber espionage. 

Hegseth’s directive is reportedly part of a larger reassessment of Washington’s involvement in the war and its broader operations against Russia. While intelligence-gathering activities remain unaffected, the decision to halt offensive cyber operations is seen as a calculated risk. Trump has previously blamed Ukraine for the war and has labeled Zelensky a “dictator” who, in his view, is “not ready for peace.”
Read more »
Russia
Aerospace Cyber Attacks Europe Poland Russia

Poland’s Space Agency Investigates Cyberattack, Works On Security Measures

 



Poland’s space agency, POLSA, has reported a cyberattack on its systems, prompting an ongoing investigation. In response to the breach, the agency quickly disconnected its network from the internet to prevent further damage. As of Monday, its official website was still offline.  


Government and Cybersecurity Teams Take Action

Poland’s Minister of Digital Affairs, Krzysztof Gawkowski, confirmed that cybersecurity experts detected unauthorized access to POLSA’s systems. Security specialists have since secured the affected infrastructure and are now working to determine who was behind the attack. However, officials have not yet shared whether the hackers were financially motivated cybercriminals or politically driven groups. The method used to infiltrate the agency’s network also remains undisclosed.  


Why Hackers Target Space Agencies

Organizations involved in space research and technology are often appealing targets for cybercriminals. Many of these agencies collaborate with defense and intelligence sectors, making them vulnerable to attacks that could expose confidential projects, satellite communications, and security-related data. A cyberattack on such an agency could disrupt critical operations, leak classified research, or even interfere with national security.  


Poland Faces a Surge in Cyberattacks

Poland has become one of the most frequently targeted countries in the European Union when it comes to cyber threats. Earlier this year, Gawkowski stated that the country experiences more cyber incidents than any other EU nation, with most attacks believed to be linked to Russian actors. Poland’s strong support for Ukraine, both in military assistance and humanitarian aid, has likely contributed to this rise in cyber threats.  

The number of cyberattacks against Poland has increased drastically in recent years. Reports indicate that attacks doubled in 2023 compared to previous years, with over 400,000 cybersecurity incidents recorded in just the first half of the year. In response, the Polish government introduced a cybersecurity initiative in June, allocating $760 million to strengthen the country’s digital defenses.  


Other Space Agencies Have Also Been Targeted

This is not the first time a space agency has fallen victim to cyberattacks. Japan’s space agency, JAXA, has faced multiple breaches in the past. In 2016, reports suggested that JAXA was among 200 Japanese organizations targeted by suspected Chinese military hackers. In 2023, unknown attackers infiltrated the agency’s network, raising concerns that sensitive communications with private companies, such as Toyota, may have been exposed.  

As space technology continues to advance, protecting space agencies from cyber threats has become more crucial than ever. These organizations handle valuable and often classified information, making them prime targets for espionage, sabotage, and financial cybercrime. If hackers manage to breach their systems, the consequences could be severe, ranging from stolen research data to disruptions in satellite operations and defense communications.  

POLSA’s ongoing investigation will likely uncover more details about the cyberattack in the coming weeks. For now, the incident highlights the increasing need for governments and space organizations to invest in stronger cybersecurity measures to protect critical infrastructure.

Read more »
Telecom
Beeline Cyber Attacks DDOS Attacks Internet Russia Telecom

Russian Telecom Company "Beeline" Hit, Users Face Internet Outage

Russian Telecom Company "Beeline" Hit, Users Face Internet Outage

Internet outage in, telecom provider attacked

Users in Russia faced an internet outage in a targeted DDoS attack on Russian telecom company Beeline. This is the second major attack on the Moscow-based company in recent weeks; the provider has over 44 million subscribers.

After several user complaints and reports from outage-tracking services, Beeline confirmed the attack to local media.

According to Record Media, internet monitoring service Downdetector’s data suggests “most Beeline users in Russia faced difficulties accessing the company’s mobile app, while some also reported website outages, notification failures and internet disruptions.” 

Impact on Beeline

Beeline informed about the attack on its Telegram channel, stressing that the hacker did not gain unauthorized access to consumer data. Currently, the internet provider is restoring all impacted systems and improving its cybersecurity policies to avoid future attacks. Mobile services are active, but users have cited issues using a few online services and account management features.

Rise of threat in Russia

The targeted attack on Beeline is part of a wider trend of cyberattacks in Russia; in September 2024, VTB, Russia’s second-largest bank, faced similar issues due to an attack on its infrastructure. 

These attacks highlight the rising threats posed by cyberattacks cherry-picking critical infrastructures in Russia and worldwide.

Experts have been warning about the rise in intensity and advanced techniques of such cyberattacks, damaging not only critical businesses but also essential industries that support millions of Russian citizens. 

Telecom companies in Russia targeted

How Beeline responds to the attack and recovers will be closely observed by both the telecom industry and regulators. The Beeline incident is similar to the attack on Russian telecom giant Megafon, another large-scale DDoS attack happened earlier this year. 

According to a cybersecurity source reported by Forbes Russia, the Beeline attack in February and the Megafon incident in January are the top hacktivist cyberattacks aiming at telecom sectors in 2025. 

According to the conversation with Forbes, the source said, “Both attacks were multi-vector and large-scale. The volume of malicious traffic was identical, but MegaFon faced an attack from 3,300 IP addresses, while Beeline was targeted via 1,600, resulting in a higher load per IP address.”

Read more »
Trojan
Cyber Security Google AMP Phishing Attacks RATs Russia TikTok Trojan

Hackers Use Russian Domains for Phishing Attacks

Hackers Use Russian Domains for Phishing Attacks

The latest research has found a sharp rise in suspicious email activities and a change in attack tactics. If you are someone who communicates via email regularly, keep a lookout for malicious or unusual activities, it might be a scam. The blog covers the latest attack tactics threat actors are using.

Malicious email escapes SEGs

Daily, at least one suspicious email escapes Secure Email Getaways (SEGs), like Powerpoint and Microsoft, every 45 seconds, showing a significant rise from last year’s attack rate of one of every 57 seconds, according to the insights from Cofense Intelligence’s third-quarter report.

A sudden increase in the use of remote access Trojans (RATs) allows hackers to gain illegal access to the target’s system, which leads to further abuse, theft, and data exploitation.

Increase in Remote Access Trojan (RAT) use

Remcos RAT, a frequently used tool among hackers, is a key factor contributing to the surge in RAT attacks. It allows the attacker to remotely manipulate infected systems, exfiltrate data, deploy other malware, and obtain persistent access to vulnerable networks.

According to the data, the use of open redirects in phishing attempts has increased by 627%. These attacks use legitimate website functionality to redirect users to malicious URLs, frequently disguised as well-known and reputable domains.

Using TikTok and Google AMP

TikTok and Google AMP are frequently used to carry out these attacks, leveraging their worldwide reach and widespread use by unknowing users.

The use of malicious Office documents, particularly those in.docx format, increased by roughly 600%. These documents frequently include phishing links or QR codes that lead people to malicious websites.

Microsoft Office documents are an important attack vector due to their extensive use in commercial contexts, making them perfect for targeting enterprises via spear-phishing operations.

Furthermore, there has been a substantial shift in data exfiltration strategies, with a rise in the use of.ru and.su top-level domains (TLDs). Domains with the.ru (Russia) and.su (Soviet Union) extensions saw usage spikes of more than fourfold and twelvefold, respectively, indicating cybercriminals are turning to less common and geographically associated domains to evade detection and make it more difficult for victims and security teams to track data theft activities.

Read more »
SQL
Cyber Attacks Data Security Tiktok Election Security Elections Infrastructure Romania Russia Security Breaches SQL

Romania Annuls Elections After TikTok Campaign and Cyberattacks Linked to Russia

 


Romania’s Constitutional Court (CCR) has annulled the first round of its recent presidential elections after intelligence reports revealed extensive foreign interference. Cyberattacks and influence campaigns have raised serious concerns, prompting authorities to reschedule elections while addressing security vulnerabilities. 
  
Cyberattacks on Election Infrastructure

The Romanian Intelligence Service (SRI) uncovered relentless cyberattacks targeting key election systems between November 19th and November 25th. Attackers exploited vulnerabilities to compromise platforms such as:
  • Bec.ro: Central Election Bureau system.
  • Registrulelectoral.ro: Voter registration platform.
Key findings include:
  • Methods Used: SQL injection and cross-site scripting (XSS) exploited to infiltrate systems.
  • Leaked Credentials: Stolen login details shared on Russian cybercrime forums.
  • Server Breach: A compromised server linked to mapping data allowed access to sensitive election infrastructure.
  • Origin: Attacks traced to devices in over 33 countries, suggesting state-level backing.
While the SRI has not explicitly named Russia, the attack methods strongly indicate state-level involvement. TikTok Influence Campaign Beyond cyberattacks, a coordinated TikTok influence campaign sought to sway public opinion in favor of presidential candidate Calin Georgescu:
  • Influencers: Over 100 influencers with a combined 8 million followers participated.
  • Payments: Ranged from $100 for smaller influencers to substantial sums for those with larger followings.
  • Impact: Pro-Georgescu content peaked on November 26th, ranking 9th among TikTok’s top trending videos.
  • Activity Pattern: Many accounts involved were dormant since 2016 but became active weeks before the election.
Romania’s Ministry of Internal Affairs (MAI) noted parallels between Georgescu’s messaging and narratives supporting pro-Russian candidates in Moldova, further tying the campaign to Russian influence efforts. Geopolitical Implications Romania’s Foreign Intelligence Service (SIE) linked these actions to a broader Russian strategy to destabilize NATO-aligned countries:

Goals: Undermine democratic processes and promote eurosceptic narratives.

Target: Romania’s significant NATO presence makes it a critical focus of Russian propaganda and disinformation campaigns.

Election Annulment and Future Challenges 
 
On November 6th, the CCR annulled the election’s first round, citing security breaches and highlighting vulnerabilities in Romania’s electoral infrastructure. Moving forward:
  • Cybersecurity Enhancements: Authorities face mounting pressure to strengthen defenses against similar attacks.
  • Disinformation Countermeasures: Efforts to combat influence campaigns are essential to safeguarding future elections.
  • Warning from SRI: Election system vulnerabilities remain exploitable, raising concerns about upcoming elections.
The incidents in Romania underscore the rising threat of cyberattacks and influence operations on democratic processes worldwide, emphasizing the urgent need for robust security measures to protect electoral integrity.
Read more »
Russia
Attack Campaign Cyber Attacks Data Leak Election Romania Russia

Romania's Election System Hit by Over 85,000 Cyberattacks, Russian Links Suspected


Romania’s intelligence service in its declassified report disclosed the country’s election systems were hit by over 85,000 cyberattacks. Attackers have also stolen login credentials for election-related sites and posted the information on a Russian hacker forum just before the first presidential election round. 

Data leaked on Russian site

The data was likely stolen from attacking authentic users and exploiting legitimate training servers. Russia has denied any involvement in Romania’s election campaign.

The Romanian Intelligence Service (SRI) said, “The attacks continued intensively including on election day and the night after elections. The operating mode and the amplitude of the campaign lead us to conclude the attacker has considerable resources specific to an attacking state."

About the attack

SRI says the IT infrastructure of Romania’s Permanent Electoral Authority (AEP) was targeted on 19th November. Threat actors disrupted a server containing mapping data (gis.registrulelectoral.ro) that was connected with the public web as well as AEP’s internal network.

After the attack, log in details of Romanian election websites- bec.ro (Central Election Bureau), roaep.ro, and registrulelectoral.ro (voter registration), were posted on a Russian cybercrime platform.

Motives for the attack

SRI believes the attacks 85,000 attacks lasted till November 25th, the motive was to gain access to election infrastructure and disrupt the systems to compromise election information for the public and restrict access to the systems. The declassified report mentions the attacker attempted to compromise the systems by exploiting SQL injection and cross-site scripting (XSS) flaws from devices in 33 countries. 

Romanian agency has warned that bugs are still affecting the election infrastructure and could be abused to move within the network and build a presence.

SRI notes in the declassified report that the threat actor tried to breach the systems by exploiting SQL injection and cross-site scripting (XSS) vulnerabilities from devices in more than 33 countries.

Influence campaign on elections

SRI believes Russia orchestrated the attacks as a part of a larger plan to disrupt democratic elections in Eastern Europe. The agency says Moscow perceives Romania as an ‘enemy nation’ because the latter supports NATO and Ukraine. The influence campaign tactics include disinformation, propaganda, and supporting European agendas shaping public opinion. 

Romania’s Foreign Intelligence Service (SIE) believes Russia targeted the country as part of broader efforts to influence democratic elections in Eastern Europe. Moscow views Romania as an “enemy state” due to its support for NATO and Ukraine. These influence operations include propaganda, disinformation, and support for eurosceptic agendas, aiming to shape public opinion favoring Russia. 

While there is no concrete proof showing Russia’s direct involvement in Romanian elections, the declassified document suggests Russia’s history of election meddling in other places.

Read more »
Russia
China Cyber Attacks Hacking Netherlands Russia

Russia and China Up Their Cyberattacks on Dutch Infrastructure, Security Report Warns

 


Dutch security authorities have recorded growing cyber threats from state-affiliated Russian and Chinese hackers targeting organisations in the country. The attacks, mostly to gain access to the critical infrastructure, are seen as preparations for future sabotage and for gathering sensitive information, according to a recent report by the Dutch National Coordinator for Security and Counterterrorism (NCTV).


Rise of Non-State Hackers in Support of Government Agendas

The report says cyber attacks can no longer be considered the preserve of state actors: in fact, it turns out that non-state hackers in Russia and China increasingly are joining in. Of course, Russia: for some of the past year's cyber espionage and sabotage, hacktivists--independent hacking groups not officially communicating with the government are said to have conducted parts of this past year. At times, Russian state cyber actors work in conjunction with them, sometimes using their cover for their own operations, sometimes directing them to fit state goals.

China's cyber operations often combine state intelligence resources with academic and corporate collaborations. Sometimes, persons are performing dual roles: conducting research or scientific duties coupled with pushing forward China's intelligence goals. Such close cooperation treads the fine line between private and state operations, introducing an element of complexity to China's cyber strategy.


China's Advancing Sabotage Capabilities

For some years now, Chinese cyber campaigns focused on espionage, particularly those targeting the Netherlands and other allies, have been well known. Recent developments over the past year, however, have found China's cyber strategies getting broader in scope and quite sophisticated. The recent "Volt Typhoon" campaign, attributed to China, was an example of shifting toward actual sabotage, where critical U.S. infrastructure is the chief target. Although Europe is not currently under such threats from Volt Typhoon, the Netherlands remains vigilant based on China's rapid advancements in its cyber capabilities, which will potentially be implemented globally at a later stage.


Cyber/Disinformation Combined Threat

In the Netherlands, there is a national coordinator for security and counterterrorism, Pieter-Jaap Aalbersberg, who underscored that cyber threats frequently act as part of an integrated approach, which includes information operations. Coordinated actions are riskier because the cyber attack and digital influence operation come together to compromise security. Aalbersberg indicated that risks need to be balanced collectively, both from direct cyber threats and other consequences.


Recent Breach in Dutch Police Forces Concerns

Earlier this month, the Dutch national police announced a breach into officers' personal contact details with thousands of officers being involved, including names, telephone numbers, and email. The attackers behind this breach are unknown, although it is believed that this incident is "very likely" to be carried out by a state-sponsored group. Still, no country was indicated.

The Dutch government views such heightened cyber hostility as pushing a stronger defensive response from its measures about the cybersecurity fields, particularly since the threats from Russians and Chinese are still multiplying. This scenario now presents strong appeal in asking for added fortifications at international cooperation and greater action in stopping these mounting operations of said aggressive expansions through cyber warfare.


Read more »
Social Media
Cyber Fraud disinformation campaign Doppelgänger Fraudulent Sites Meta Russia Social Media

Russian Disinformation Network Struggles to Survive Crackdown


 

The Russian disinformation network, known as Doppelgänger, is facing difficulties as it attempts to secure its operations in response to increased efforts to shut it down. According to a recent report by the Bavarian State Office for the Protection of the Constitution (BayLfV), the network has been scrambling to protect its systems and data after its activities were exposed.

Doppelgänger’s Activities and Challenges

Doppelgänger has been active in spreading false information across Europe since at least May 2022. The network has created numerous fake social media accounts, fraudulent websites posing as reputable news sources, and its own fake news platforms. These activities have primarily targeted Germany, France, the United States, Ukraine, and Israel, aiming to mislead the public and spread disinformation.

BayLfV’s report indicates that Doppelgänger’s operators were forced to take immediate action to back up their systems and secure their operations after it was revealed that European hosting companies were unknowingly providing services to the network. The German agency monitored the network closely and discovered details about the working patterns of those involved, noting that they operated during Russian office hours and took breaks on Russian holidays.

Connections to Russia

Further investigation by BayLfV uncovered clear links between Doppelgänger and Russia. The network used Russian IP addresses and the Cyrillic alphabet in its operations, reinforcing its connection to the Kremlin. The network's activities were timed with Moscow and St. Petersburg working hours, further suggesting coordination with Russian time zones.

This crackdown comes after a joint investigation by digital rights groups Qurium and EU DisinfoLab, which exposed Doppelgänger's infrastructure spread across at least ten European countries. Although German authorities were aware of the network’s activities, they had not taken proper action until recently.

Social Media Giant Meta's Response

Facebook’s parent company, Meta, has been actively working to combat Doppelgänger’s influence on its platforms. Meta reported that the network has been forced to change its tactics due to ongoing enforcement efforts. Since May, Meta has removed over 5,000 accounts and pages linked to Doppelgänger, disrupting its operations.

In an attempt to avoid detection, Doppelgänger has shifted its focus to spoofing websites of nonpolitical and entertainment news outlets, such as Cosmopolitan and The New Yorker. However, Meta noted that most of these efforts are being caught quickly, either before they go live or shortly afterward, indicating that the network is struggling to maintain its previous level of influence.

Impact on Doppelgänger’s Operations

The pressure from law enforcement and social media platforms is clearly affecting Doppelgänger’s ability to operate. Meta highlighted that the quality of the network’s disinformation campaigns has declined as it struggles to adapt to the persistent enforcement. The goal is to continue increasing the cost of these operations for Doppelgänger, making it more difficult for the network to continue spreading false information.

This ongoing crackdown on Doppelgänger demonstrates the challenges in combating disinformation and the importance of coordinated efforts to protect the integrity of information in today’s digital environment


Read more »
Spear Phishing
Cyber Crime cyber espionage Hackers Russia Spear Phishing

Inside the Espionage: How Nobelium Targets French Diplomatic Staff


Cybersecurity threats have become increasingly sophisticated, and state-sponsored actors continue to target government institutions and diplomatic entities. One such incident involves a Russian threat actor known as “Nobelium,” which has been launching spear phishing attacks against French diplomats.

ANSSI Issued an Alert

France's cybersecurity agency, ANSSI, has issued a notice outlining a Russian spear phishing attempt aimed at French diplomats, the Record writes. The CIA connects the campaign to "Nobelium," a threat actor linked to Russia's Foreign Intelligence Service (SVR).

The Campaign

Nobelium, believed to have ties to Russia’s Foreign Intelligence Service (the SVR), primarily uses compromised legitimate email accounts belonging to diplomatic staff to conduct these attacks. The goal is to exfiltrate valuable intelligence and gain insights into French diplomatic activities.

Compromising Email Accounts of French Ministers

These events included the penetration of email accounts at the French Ministry of Culture and the National Agency for Territorial Cohesion, but according to ANSSI, the hackers were unable to access any elements of those networks other than the compromised inboxes.

However, the hackers subsequently used those email addresses to target other organizations, including France's Ministry of Foreign Affairs. ANSSI stated that Nobelium attempted to acquire remote access to the network by installing Cobalt Strike, a penetration testing system infamous for being abused by bad actors, but was unsuccessful.

Other occurrences reported by ANSSI included the use of a French diplomat's stolen email account to send a malicious message falsely proclaiming the closure of the French Embassy in South Africa due to an alleged terror assault.

Tactics and Techniques

Nobelium’s spear phishing campaigns are highly targeted. They craft convincing lure documents tailored to specific individuals within diplomatic institutions, embassies, and consulates. Here are some tactics and techniques they employ:

Email Spoofing: Nobelium impersonates trusted senders, often using official-looking email addresses. This makes it challenging for recipients to discern the malicious intent.

Lure Documents: The threat actor attaches seemingly innocuous files (such as PDFs or Word documents) to their emails. These files contain hidden malware or exploit vulnerabilities in software applications.

Social Engineering: Nobelium leverages social engineering techniques to manipulate recipients into opening the attachments. They might use urgent language, reference official matters, or create a sense of curiosity.

Credential Harvesting: Once the recipient opens the attachment, the malware may attempt to steal login credentials or gain unauthorized access to sensitive systems.

Read more »
Sandworm
cyber attack ICC Legal Implications Russia Sandworm

ICC Investigates Russian Cyberattacks on Ukraine as War Crimes

 



The International Criminal Court (ICC) is conducting an unprecedented investigation into alleged Russian cyberattacks on Ukrainian civilian infrastructure, considering them possible war crimes. This marks the first time international prosecutors have delved into cyber warfare, potentially leading to arrest warrants if sufficient evidence is gathered.

Prosecutors are examining cyberattacks on infrastructure that jeopardised lives by disrupting power and water supplies, cutting connections to emergency responders, or knocking out mobile data services that transmit air raid warnings. An official familiar with the case, who requested anonymity, confirmed the ICC's focus on cyberattacks since the onset of Russia’s full-scale invasion in February 2022. Additionally, sources close to the ICC prosecutor's office indicated that the investigation might extend back to 2015, following Russia's annexation of Crimea.

Ukraine is actively collaborating with ICC prosecutors, collecting evidence to support the investigation. While the ICC prosecutor's office has declined to comment on ongoing investigations, it has previously stated its jurisdiction to probe cybercrimes. The investigation could set a significant legal precedent, clarifying the application of international humanitarian law to cyber warfare.

Among the cyberattacks being investigated, at least four major attacks on energy infrastructure stand out. Sources identified the hacker group "Sandworm," believed to be linked to Russian military intelligence, as a primary suspect. Sandworm has been implicated in several high-profile cyberattacks, including a 2015 attack on Ukraine's power grid. Additionally, the activist hacker group "Solntsepyok," allegedly a front for Sandworm, claimed responsibility for a December 2022 attack on the Ukrainian mobile provider Kyivstar.

The investigation raises questions about whether cyberattacks can constitute war crimes under international law. The Geneva Conventions prohibit attacks on civilian objects, but there is no universally accepted definition of cyber war crimes. Legal scholars, through the Tallinn Manual, have attempted to outline the application of international law to cyber operations. Experts argue that the foreseeable consequences of cyberattacks, such as endangering civilian lives, could meet the criteria for war crimes.

If the ICC prosecutes these cyberattacks as war crimes, it would provide much-needed clarity on the legal status of cyber warfare. Professor Michael Schmitt of the University of Reading, a key figure in the Tallinn Manual process, believes that attacks like the one on Kyivstar meet the criteria for war crimes due to their foreseeable impact on human lives. Ukraine’s intelligence agency, the SBU, has provided detailed information about the incident to ICC investigators.

Russia, which is not an ICC member, has dismissed accusations of cyberattacks as attempts to incite anti-Russian sentiment. Despite this, the ICC has issued four arrest warrants against senior Russian figures since the invasion began, including President Vladimir Putin. Ukraine, while not an ICC member, has granted the court jurisdiction to prosecute crimes on its territory.

The ICC's probe into Russian cyberattacks on Ukrainian infrastructure could redefine the boundaries of international law in cyberspace. As the investigation unfolds, it may establish a precedent for holding perpetrators of cyber warfare accountable under international humanitarian law.


Read more »
unauthorized disclosures
China cyber attack Cyber Security cyber threat Data Breach data incidents government data breaches MoD data breaches Russia UK national security unauthorized disclosures

400% Increase in MoD Data Breaches Sparks Fears of Cyber Threats from Russia and China

 

Data breaches within the Ministry of Defence (MoD) have surged nearly fivefold over the past five years, raising concerns about the UK's resilience against cyber threats from nations like Russia and China. MoD figures reveal 550 data incidents last year, up from 117 in 2017-18.

Ministers also disclosed that the Information Commissioner’s Office (ICO) is currently investigating three personal data incidents at the MoD. Both the Conservative and Labour parties have prioritized national security in their election campaigns amid global instability and threats from Russia, China, North Korea, and Iran.

Recent warnings suggest the upcoming UK general election could be targeted by cyber attacks and AI deep fakes from hostile states. Many breaches involve unauthorized disclosures by MoD staff, exacerbating concerns about security in a department recently hit by a suspected Chinese cyber attack.

Labour criticized the Conservative government for its “lax approach to cyber security,” promising that a Keir Starmer administration would prioritize the UK's security. However, Prime Minister Rishi Sunak countered by questioning Labour’s national security stance, highlighting Starmer’s past support for Jeremy Corbyn as a potential risk.

Earlier this month, it was revealed that the MoD’s payroll system, managed by contractor SSCL, suffered a major hack attributed to China. Deputy Prime Minister Oliver Dowden, in a letter to shadow Cabinet Office minister Pat McFadden, stated that the Government has enhanced security measures in its procurement processes following this breach.

In 2017-18, the MoD reported 117 data breaches, including unauthorized disclosures, lost equipment or documents, and insecure document disposal. By 2022-23, breaches had risen to 550, with unauthorized disclosures making up the majority. In 2023, the ICO fined the MoD £350,000 after 265 individuals' details were compromised in email breaches following the Taliban’s takeover of Afghanistan.

Defence Minister Andrew Murrison recently confirmed that the ICO has three ongoing investigations into personal data incidents at the MoD. Shadow Defence Secretary John Healey criticized the MoD’s worsening data security record, noting that breaches have tripled over five years, and vowed that a Labour government would enhance the UK’s cyber-security.

Defence Secretary Grant Shapps announced an urgent investigation into the recent MoD payroll cyber attack and a broader review of SSCL’s contracts with the MoD and other Whitehall departments. Dowden emphasized the importance of strengthening domestic cyber resilience to achieve national and international security goals. The Cabinet Office has implemented measures to ensure robust data security requirements in procurement contracts with third-party contractors across Whitehall.
Read more »
Ukraine
APT44 Cyber Attacks Russia Sandworm Ukraine

APT44: Unearthing Sandworm - A Cyber Threat Beyond Borders


APT44: Operations Against Ukraine

A hacking group responsible for cyberattacks on water systems in the United States, Poland, and France is linked to the Russian military, according to a cybersecurity firm, indicating that Moscow may escalate its efforts to target opponents' infrastructure.

Sandworm has long been known as Unit 74455 of Russia's GRU military intelligence organization, and it has been linked to attacks on Ukrainian telecom providers as well as the NotPetya malware campaign, which damaged companies worldwide.

Global Scope

Researchers at Mandiant, a security business owned by Google Cloud, discovered that Sandworm appears to have a direct link to multiple pro-Russia hacktivist organizations. Mandiant believes Sandworm can "direct and influence" the activities of Russia's Cyber Army.

One of them is the Cyber Army of Russia Reborn (CARR), also known as the Cyber Army of Russia, which has claimed responsibility for cyberattacks against water infrastructure this year.

One attack occurred in Muleshoe, Texas, causing a water tower to overflow and spilling tens of thousands of gallons of water down the street.

Ramon Sanchez, the city's manager, told The Washington Post that the password for the system's control system interface had been compromised, adding, "You don't think that's going to happen to you." Around the same time, two additional north Texas communities, Abernathy and Hale Center, discovered hostile activity on their networks.

Mapping APT44

1. The Rise of APT44

APT44 is not your run-of-the-mill hacking group. It operates with surgical precision, blending espionage, sabotage, and influence operations into a seamless playbook. Unlike specialized units, APT44 is a jack-of-all-trades, capable of infiltrating networks, manipulating information, and disrupting critical infrastructure.

2. Sabotage in Ukraine

Ukraine has borne the brunt of APT44’s wrath. The group’s aggressive cyber sabotage tactics have targeted critical sectors, including energy and transportation. Their weapon of choice? Wiper malware that erases data and cripples systems. These attacks often coincide with conventional military offensives, amplifying their impact.

3. A Global Threat

But APT44’s reach extends far beyond Ukraine’s borders. It operates in geopolitical hotspots, aligning its actions with Russia’s strategic interests. As the world gears up for national elections, APT44’s interference attempts pose a grave threat. Imagine a digital hand tampering with the scales of democracy.

4. Graduation to APT44

Mandiant has officially christened Sandworm as APT44. This isn’t just a name change; it’s a recognition of the group’s maturity and menace. The report provides insights into APT44’s new operations, retrospective analysis, and context. Organizations must heed the warning signs and fortify their defenses.

Read more »
Russia
Anti Kremlin Data Breach Data Leak Hacktivist group Russia

Navalny's Revenge? Hackers Siphon Huge Russian Prisoner Database: Report

 

Following the murder of Russian opposition leader Alexey Navalny, anti-Kremlin militants seized a database comprising hundreds of thousands of Russian prisoners and hacked into a government-run online marketplace, according to a report. 

Navalny was the most prominent Russian opposition figure and a strong critic of Russian President Vladimir Putin. He died on February 16 at a penal colony in Russia's Arctic region while serving his jail sentence. 

CNN reported that an international group of 'hactivists', comprising Russian expats and Ukrainians, stole prison documents and hacked into the marketplace by acquiring access to a computer linked to the Russian prison system. 

Following Navalny's death in February, overseas 'hactivists' allegedly acquired a Russian database containing hundreds of thousands of convicts, relatives, and contacts. 

As per the report, the hackers also targeted the jail system's online marketplace, where relatives of inmates purchase meals for their family members. The rate of products like noodles and canned meat was changed by the hackers from nearly $1 to $.01 once they gained access to the marketplace.

It took many hours for the administrators of the prison system to realise that something was wrong, and it took an additional three days to undo the hacker's work completely. 

The hackers also posted a photo of Navalny and his wife, Yulia Navalnaya, on the jail contractor's website, along with the statement "Long live Alexey Navalny". While the hackers claimed the database included information on approximately 800,000 prisoners, the report said there were some duplicate entries, but the data spilt by the hackers "still contains details on hundreds of thousands of inmates". 

What is 'hacktivism' and why did hackers siphon Russian databases? 

The terms "hacking" and "activism" are combined to form the phrase "hacktivism." It alludes to hacking operations in which hackers participate in activism for a specific cause. 

According to Clare Stouffer of the cybersecurity company Norton, hacktivism is a lot like activism in the real world, when activists create disruption to push for the change they want.

"With hacktivism, the disruption is fully online and typically carried out anonymously. "While not all hacktivists have malicious intent, their attacks can have real-world consequences," Stouffer wrote in a Norton blog.
Read more »
Ukraine-Russia War
British Cyber Attacks Killnet Royal Family Russia Ukraine Ukraine-Russia War

Royal Family’s Official Website Suffers Cyberattack, Following Remarks on Russia


The British Royal Family’s official website is suffering a cyberattack, following UK’s support for Ukraine that went public. A DoS attack, which is brought on by an influx of unnecessary traffic, caused the Royal Family website to be unavailable for an hour and a half on Sunday morning. An 'error' notice would have been displayed to anyone attempting to visit the site at this time, but by early afternoon it was fully working once more.

While Buckingham Palace insiders claim that it is impossible to determine who was behind the attack at this time, the pro-Kremlin group Killnet has taken responsibility for it in a message posted on the social media site Telegram. The 'Five Eye Alliance' (an intelligence alliance made up of the UK, the US, Canada, Australia, and New Zealand) has previously identified the group as a significant cyber-security threat, and the US Department of Health has previously noted that Killnet has made a number of threats to organizations, including the NHS.

Thankfully, the DoS attack on the royal family website only caused service disruption. No privileged information was accessed, and no control over the website was obtained. These kinds of attacks tend to be more disruptive than damaging, but they can still bring down websites, which can be disastrous in some circumstances.

However, this was not the first the royal family had suffered a cyberattack. The website was also taken down in November 2022 by Killnet, and the Met Police foiled a cyber plot to interrupt the royal wedding of the current Prince and Princess of Wales in 2011.

For many years, but particularly since the Ukraine war, there has been a looming threat of a cyberattack by Russia or by organizations that support Russia. Oliver Dowden, the deputy prime minister, stated at the April Cyber UK conference in Belfast that these attacks may now be motivated by "ideology." The royal family has consistently shown its support for the Ukrainian people. The Princess of Wales met privately with the First Lady of Ukraine in September of last year, and this year, the Prince of Wales paid a visit to Ukrainian troops stationed near the border. In February, King Charles convened meetings with President Zelensky at Buckingham Palace.

The attack came to light only two weeks after King Charles made a public remark over the war, in his speech on the royal visit to Paris. In his comment, he mentioned Russia’s ‘unprovoked aggression’ and said that ‘Ukraine must prevail.’  

Read more »
US Military
Cyber Security Data Leak Email Account Compromise Mali Private Data Russia US Military

Typo Delivers Millions of US Military Emails to Russia's Ally Mali

 

Due to a small typing error, millions of emails from the US military were unintentionally forwarded to Mali, a Russian ally. For years, emails meant for the US military's ".mil" domain have been transmitted to the west African nation with the ".ml" extension. 

According to reports, some of the emails contained private information including passwords, medical information, and high officers' travel schedules. The Pentagon claimed to have taken action to resolve the situation.

The Financial Times, which broke the story, claims that Dutch internet entrepreneur Johannes Zuurbier discovered the issue more than ten years ago. He has held a contract to handle Mali's national domain since 2013 and has apparently collected tens of thousands of misdirected emails in recent months. 

None were tagged as classified, but they included medical data, maps of US military bases, financial records, and planning documents for official trips, as well as some diplomatic letters, according to the newspaper. 

This month, Mr Zuurbier issued a letter to US officials to raise the alarm. He stated that his contract with the Mali government was about to expire, implying that "the risk is real and could be exploited by US adversaries." On Monday, Mali's military administration was set to take control of the domain.

According to current and former US officials, "classified" and "top secret" US military communications are routed through separate IT networks, making it unlikely that they will be accidentally compromised. 

However, Steven Stransky, a lawyer who previously served as senior counsel to the Department of Homeland Security's Intelligence Law Division, believes that even seemingly innocuous material could be beneficial to US adversaries, especially if it includes specifics on individual employees. 

"Those sorts of communications would mean that a foreign actor can start building dossiers on our own military personnel, for espionage purposes, or could try to get them to disclose information in exchange for financial benefit," Mr Stransky explained. "It's certainly information that a foreign government can use." 

Lee McKnight, a Syracuse University professor of information studies, believes the US military was lucky that the issue was brought to its attention and that the emails were directed to a domain used by Mali's government rather than cyber criminals.


He went on to say that "typo-squatting" - a sort of cybercrime that targets individuals who misspell an internet domain - is rampant. "They're hoping that a person will make a mistake, and that they can lure you in and make you do stupid things," he noted. 

Both Mr. McKnight and Mr. Stransky believes that human errors are a major concern for IT professionals working in government and the private sector alike.
Read more »
Satellite
Data Breach Military PCMag Phishing Attack Russia Satellite

Wagner Hackers Disrupt Russian Satellite Internet Provider

 

In an unexpected turn of events, a hacker group claiming to be connected to Wagner, a Russian paramilitary outfit, has taken credit for taking down a significant Russian satellite internet provider. Critical satellite communication systems' security and stability have come under scrutiny following the event.
According to reports from reputable sources like PCMag, Datacenter Dynamics, and OODA Loop, the incident occurred on June 30, 2023. The group, identified as "Vx_Herm1t" on Twitter, announced their successful cyber attack against the Russian telecom satellite operated by the company Dozer. The tweet has since been taken down, but the repercussions of the attack are still being felt.

The disruption of a satellite internet provider has significant implications for both communication and national security. Satellite-based communication is vital for remote and hard-to-reach regions, providing essential connectivity for businesses, government agencies, and individuals. Any interference with these systems can lead to disruptions in critical services, affecting everything from emergency response operations to financial transactions.

Although the motivation behind the attack is not explicitly stated, the alleged affiliation with Wagner, known for its involvement in military and political activities, raises concerns about potential political or strategic motives behind the cyber attack. The incident comes amid growing tensions in cyberspace, where state and non-state actors are increasingly using sophisticated cyber methods to further their agendas.

The attack also serves as a stark reminder of the vulnerability of satellite communication infrastructure. As the world becomes more reliant on space-based technologies, the risk of cyber attacks targeting satellites and space systems is becoming a pressing concern. Safeguarding these assets is crucial for maintaining uninterrupted communication and preserving national security interests.

Russian authorities and international cybersecurity organizations are probably looking into the attack as a result of the incident to determine where it came from and stop similar attacks in the future. The international community will be watching the issue closely as it develops to understand the broader consequences of this cyberattack on international cyber norms and state-sponsored cyber operations.

Right now, the priority is on restoring the interrupted satellite services and enhancing the systems' resistance to future intrusions. The incident highlights the urgent requirement for strong cybersecurity measures and global collaboration to preserve crucial space infrastructure and maintain the dependability of international communication networks.

Read more »
Wagner ransomware
cyber attack Cyber Attacks Ransomware Russia Wagner ransomware

Wagner' Ransomware Targets Computers in Russia

A recent ransomware attack has been uncovered by security researchers, revealing a peculiar motive. The attackers behind this ransomware campaign are seemingly attempting to promote recruitment for the Russian mercenary group known as Wagner. 

Notably, Wagner had a brief period of rebellion against the Kremlin over the past weekend. The ransomware specifically targets Windows PCs and includes a note that subtly suggests victims should contemplate joining the paramilitary organization. 

This discovery was made by the cybersecurity company Cyble. Additionally, security experts have found that the ransomware note, which encourages recruitment for the Russian mercenary group Wagner, is written in the Russian language. This indicates that the ransomware campaign was primarily intended to target computers within the country. 

 Cyble became aware of the attack after detecting a sample of the ransomware uploaded to VirusTotal by a user based in Russia. The ransomware note also includes a legitimate phone number for Wagner's recruitment offices in Moscow, accompanied by the provocative phrase, "If you want to go against the officials!" Over the past weekend, a significant development unfolded alongside the activities of the Russian paramilitary group Wagner. 

During this time, Yevgeny Prigozhin, the leader of Wagner, issued orders for his troops to march towards Moscow, aiming to remove Shoigu from Russia's Ministry of Defense. However, Prigozhin abruptly called off the armed revolt and instead accepted a deal that would effectively exile him to Belarus. 

Interestingly, amidst these events, a ransomware incident emerged, raising questions about its creators. Notably, Wagner has not claimed responsibility for the malicious code. The investigation indicates that the ransomware attack was crafted using the Chaos ransomware building tool, which originally surfaced in underground forums. 

The exact origins and motives behind the attack remain uncertain. While there are speculations about the motives behind the ransomware strain, with some suggesting a potential political agenda in support of Wagner Group, security researcher Allan Liska from Recorded Future offers an alternative perspective. 

Liska suspects that the true intent behind the attack may differ from initial assumptions. “Installing a ransomware/wiper on someone's machine is a poor way to recruit them. On the other hand, if you are a hacktivist group, say one that has used ransomware based on the Chaos builder in the past, that wants to get people mad at a certain group, this is a good way to do it,” Liska said in a tweet.
Read more »
Russia
cyber attack Cyber Attacks Data Theft Microsoft online heft Russia

Hackers Hit Microsoft For Sudan Experts Says Its Russia

 

In recent events, Microsoft experienced a series of outages earlier this month, which have been attributed to a hacking group. This group had been engaged in a string of attacks on various targets, including Israel, Sweden, and several other nations. Cybersecurity researchers have identified a growing campaign associated with these attacks, which they believe may be linked to Russia. 

A newly emerged group known as Anonymous Sudan, which became active in January 2023, has recently taken responsibility for a series of distributed denial-of-service (DDoS) attacks targeting Australian companies. These attacks have affected various sectors, including healthcare, aviation, and education organizations. 

In a recent statement, Microsoft officially acknowledged that the disruptions experienced by its Outlook service in early June were caused by a DDoS attack. Anonymous Sudan has claimed responsibility for this particular attack and publicly attributed it to their group. 

Identifying themselves as a loosely organized collective of hacktivists, the group adopted a name that implied their association with Sudan. They explicitly stated their intention to focus on Australian organizations in March, citing their objection to attire exhibited at a fashion festival in Melbourne. The clothing in question featured Arabic text reading "God walks with me." 

According to cybersecurity experts, it has been determined that the group operating under the name "Anonymous Sudan" is believed to originate from Russia. Their motives and objectives differ significantly from what they claim, as their true purpose appears to be aligned with advancing Moscow's agenda. 

By leveraging their supposed Islamic affiliations, the group aims to advocate for enhanced collaboration between Russia and the Islamic world, often asserting Russia's support for Muslims. This strategic positioning allows them to serve as a convenient proxy for advancing Russian interests, as stated by Mattias Wåhlén, a threat intelligence specialist at Truesec, based in Stockholm. 

In response to inquiries, a spokesperson representing Anonymous Sudan refuted any claims of acting on behalf of Russia while affirming shared interests. The spokesperson clarified that the group targets entities deemed antagonistic towards Islam, emphasizing that any country considered hostile to Islam is also regarded as hostile to Russia.
Read more »
Subscribe to: Posts (Atom)