Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Ukraine. Show all posts

Ukraine Faces New Phishing Campaign Targeting Government Computers, Warns CERT

Ukraine Faces New Phishing Campaign Targeting Government Computers

The  CERT-UA (Computer Emergency Response Team of Ukraine) has issued a warning about a sophisticated phishing campaign targeting Ukrainian government computers. This campaign, which began in July 2024, has already compromised over 100 government systems, posing a significant threat to national security and data integrity.

The attackers behind this campaign are impersonating the Security Service of Ukraine (SSU), a tactic designed to exploit the trust and authority associated with this organization. By doing so, they aim to deceive recipients into believing that the phishing emails are legitimate and urgent. This method of social engineering is particularly effective in high-stakes environments where quick responses are often required.

The phishing emails contain a ZIP file attachment, which, when opened, reveals an MSI installer. This installer is loaded with a malware strain known as ANONVNC. Once installed, ANONVNC provides the attackers with remote desktop access to the infected computers. This level of access allows them to monitor activities, steal sensitive information, and potentially disrupt operations.

The Mechanics of the Attack

The phishing emails are crafted to appear as official communications from the SSU. They often contain subject lines and content that create a sense of urgency, prompting the recipient to open the attachment without due diligence. Once the ZIP file is opened and the MSI installer is executed, the ANONVNC malware is deployed.

ANONVNC is a remote access tool (RAT) that enables the attackers to take control of the infected computer. This includes the ability to view the screen, access files, and execute commands. The malware operates stealthily, making it difficult for users to detect its presence. This allows the attackers to maintain prolonged access to the compromised systems, increasing the potential for data theft and other malicious activities.

Broader Implications

By targeting government computers, the attackers are not only seeking to steal sensitive information but also to undermine the operational integrity of Ukrainian governmental functions. This can have a cascading effect, potentially disrupting public services and eroding trust in governmental institutions.

Moreover, the use of ANONVNC as the malware of choice highlights the evolving nature of cyber threats. Remote access tools are becoming increasingly sophisticated, enabling attackers to carry out complex operations with relative ease. This underscores the need for robust cybersecurity measures and continuous vigilance.

APT44: Unearthing Sandworm - A Cyber Threat Beyond Borders


APT44: Operations Against Ukraine

A hacking group responsible for cyberattacks on water systems in the United States, Poland, and France is linked to the Russian military, according to a cybersecurity firm, indicating that Moscow may escalate its efforts to target opponents' infrastructure.

Sandworm has long been known as Unit 74455 of Russia's GRU military intelligence organization, and it has been linked to attacks on Ukrainian telecom providers as well as the NotPetya malware campaign, which damaged companies worldwide.

Global Scope

Researchers at Mandiant, a security business owned by Google Cloud, discovered that Sandworm appears to have a direct link to multiple pro-Russia hacktivist organizations. Mandiant believes Sandworm can "direct and influence" the activities of Russia's Cyber Army.

One of them is the Cyber Army of Russia Reborn (CARR), also known as the Cyber Army of Russia, which has claimed responsibility for cyberattacks against water infrastructure this year.

One attack occurred in Muleshoe, Texas, causing a water tower to overflow and spilling tens of thousands of gallons of water down the street.

Ramon Sanchez, the city's manager, told The Washington Post that the password for the system's control system interface had been compromised, adding, "You don't think that's going to happen to you." Around the same time, two additional north Texas communities, Abernathy and Hale Center, discovered hostile activity on their networks.

Mapping APT44

1. The Rise of APT44

APT44 is not your run-of-the-mill hacking group. It operates with surgical precision, blending espionage, sabotage, and influence operations into a seamless playbook. Unlike specialized units, APT44 is a jack-of-all-trades, capable of infiltrating networks, manipulating information, and disrupting critical infrastructure.

2. Sabotage in Ukraine

Ukraine has borne the brunt of APT44’s wrath. The group’s aggressive cyber sabotage tactics have targeted critical sectors, including energy and transportation. Their weapon of choice? Wiper malware that erases data and cripples systems. These attacks often coincide with conventional military offensives, amplifying their impact.

3. A Global Threat

But APT44’s reach extends far beyond Ukraine’s borders. It operates in geopolitical hotspots, aligning its actions with Russia’s strategic interests. As the world gears up for national elections, APT44’s interference attempts pose a grave threat. Imagine a digital hand tampering with the scales of democracy.

4. Graduation to APT44

Mandiant has officially christened Sandworm as APT44. This isn’t just a name change; it’s a recognition of the group’s maturity and menace. The report provides insights into APT44’s new operations, retrospective analysis, and context. Organizations must heed the warning signs and fortify their defenses.

GPS Warfare: Ukraine-Israel Tensions Raise Alarms

GPS is used for navigation in almost every device in this age of rapid technological development. Israel may have been involved in recent GPS jamming and spoofing occurrences in Ukraine, according to reports that have revealed a worrying trend. These accidents constitute a serious threat to the worldwide aviation sector and a topic of regional concern. 

The New York Times recently reported on the growing instances of GPS disruptions in Ukraine, shedding light on the potential involvement of Israeli technology. According to the report, Israel has been accused of jamming and spoofing GPS signals in the region, causing disruptions to navigation systems. The motives behind such actions remain unclear, raising questions about the broader implications of electronic warfare on international relations. 

The aviation sector heavily relies on GPS for precise navigation, making any interference with these systems potentially catastrophic. GPS jamming and spoofing not only endanger flight safety but also have the capacity to disrupt air traffic control systems, creating chaos in the skies.

The aviation industry relies heavily on GPS for precision navigation, and any interference with these systems can have dire consequences. GPS jamming and spoofing not only jeopardize the safety of flights but also can potentially disrupt air traffic control systems, leading to chaos in the skies.

The implications of these incidents extend beyond the borders of Ukraine and Israel. As the world becomes increasingly interconnected, disruptions in one region can reverberate globally. The international community must address the issue promptly to prevent further escalations and ensure the safe operation of air travel.

Governments, aviation authorities, and technology experts need to collaborate to develop countermeasures against GPS interference. Strengthening cybersecurity protocols and investing in advanced technologies to detect and mitigate electronic warfare threats should be a priority for nations worldwide.

Preserving vital infrastructure, like GPS systems, becomes crucial as we manoeuvre through the complexity of a networked world. The GPS jamming events between Israel and Ukraine serve as a sobering reminder of the gaps in our technology and the urgent necessity for global cooperation to counter new threats in the digital era.

APT29 Strikes: WinRAR Exploits in Embassy Cyber Attacks

During the latest wave of cyberattacks, foreign embassies have been the target of a malicious group known as APT29. They have employed a highly complex attack method that takes advantage of weaknesses in WinRAR, a widely used file compression software. There have been shockwaves throughout the cybersecurity world due to this worrisome disclosure, leading to immediate action to strengthen digital defenses.

According to reports from cybersecurity experts, APT29 has ingeniously employed the NGROK feature in conjunction with a WinRAR exploit to infiltrate embassy networks. The NGROK service, designed for secure tunneling to localhost, has been repurposed by hackers to conceal their malicious activities, making detection and attribution a formidable challenge.

WinRAR, a widely used application for compressing and decompressing files, has been targeted due to a specific vulnerability, identified as CVE-2023-38831. This flaw allows the attackers to execute arbitrary code on the targeted systems, giving them unfettered access to sensitive information stored within embassy networks.

The attacks, initially discovered by cybersecurity researchers, have been corroborated by the Ukrainian National Security and Defense Council (RNBO). Their November report outlines the APT29 campaigns, shedding light on the extent of the damage inflicted by these cyber intruders.

The fact that foreign embassies are specifically being targeted by this onslaught is very disturbing. Because these organizations handle so much private, political, and diplomatic data, they are often the focus of state-sponsored cyber espionage. The attackers' capacity to take advantage of flaws in popular software, such as WinRAR, emphasizes the necessity of constant watchfulness and timely software updates to reduce any threats.

Cybersecurity professionals advise companies, particularly those in delicate industries like diplomacy, to conduct extensive security assessments, quickly fix holes, and strengthen their defenses against ever-evolving cyber attacks in reaction to these disclosures. The APT29 attacks highlight the significance of a multi-pronged cybersecurity strategy that incorporates advanced threat detection methods, personnel awareness training, and strong software security procedures.

International cybersecurity organizations must work together as governments struggle with the ever-changing world of cyber threats. The APT29 attacks are a sobering reminder that the digital sphere has turned into a combat zone and that, in order to preserve diplomatic relations and maintain national interests, defense against such threats necessitates a united front.

Russian Hackers Target Ukraine's Fighter Jet Supplier

 

A cyberattack on a Ukrainian fighter aircraft supplier has been reported, raising concerns about whether cybersecurity risks in the region are increasing. The incident—attributed to Russian hackers—highlights the need to have robust cyber defense strategies in a world where everything is connected.

According to a recent article in The Telegraph,  the cyber attack targeted Ukraine's key supplier for fighter jets. The attackers, suspected to have ties to Russian cyber espionage, aimed to compromise sensitive information related to defense capabilities. Such incidents have far-reaching consequences, as they not only threaten national security but also highlight the vulnerability of critical infrastructure to sophisticated cyber threats.

Yahoo News further reports that Ukrainian cyber defense officials are actively responding to the attack, emphasizing the need for a proactive and resilient cybersecurity framework. The involvement of top Ukrainian cyber defense officials indicates the gravity of the situation and the concerted efforts being made to mitigate potential damage. Cybersecurity has become a top priority for nations globally, with the constant evolution of cyber threats necessitating swift and effective countermeasures.

The attack on the fighter jet supplier raises questions about the motivations behind such cyber intrusions. In the context of geopolitical tensions, cyber warfare has become a tool for state-sponsored actors to exert influence and gather intelligence. The incident reinforces the need for nations to bolster their cyber defenses and collaborate on international efforts to combat cyber threats.

As technology continues to advance, the interconnectedness of critical systems poses a challenge for governments and organizations worldwide. The Telegraph's report highlights the urgency for nations to invest in cybersecurity infrastructure, adopt best practices, and foster international cooperation to tackle the escalating threat landscape.

The cyberattack on the supplier of fighter jets to Ukraine is an alarming indicator of how constantly changing the dangers to global security are. For countries to survive in the increasingly digital world, bolstering cybersecurity protocols is critical. The event emphasizes the necessity of a proactive approach to cybersecurity, where cooperation and information exchange are essential components in preventing cyberattacks by state-sponsored actors.

Royal Family’s Official Website Suffers Cyberattack, Following Remarks on Russia


The British Royal Family’s official website is suffering a cyberattack, following UK’s support for Ukraine that went public. A DoS attack, which is brought on by an influx of unnecessary traffic, caused the Royal Family website to be unavailable for an hour and a half on Sunday morning. An 'error' notice would have been displayed to anyone attempting to visit the site at this time, but by early afternoon it was fully working once more.

While Buckingham Palace insiders claim that it is impossible to determine who was behind the attack at this time, the pro-Kremlin group Killnet has taken responsibility for it in a message posted on the social media site Telegram. The 'Five Eye Alliance' (an intelligence alliance made up of the UK, the US, Canada, Australia, and New Zealand) has previously identified the group as a significant cyber-security threat, and the US Department of Health has previously noted that Killnet has made a number of threats to organizations, including the NHS.

Thankfully, the DoS attack on the royal family website only caused service disruption. No privileged information was accessed, and no control over the website was obtained. These kinds of attacks tend to be more disruptive than damaging, but they can still bring down websites, which can be disastrous in some circumstances.

However, this was not the first the royal family had suffered a cyberattack. The website was also taken down in November 2022 by Killnet, and the Met Police foiled a cyber plot to interrupt the royal wedding of the current Prince and Princess of Wales in 2011.

For many years, but particularly since the Ukraine war, there has been a looming threat of a cyberattack by Russia or by organizations that support Russia. Oliver Dowden, the deputy prime minister, stated at the April Cyber UK conference in Belfast that these attacks may now be motivated by "ideology." The royal family has consistently shown its support for the Ukrainian people. The Princess of Wales met privately with the First Lady of Ukraine in September of last year, and this year, the Prince of Wales paid a visit to Ukrainian troops stationed near the border. In February, King Charles convened meetings with President Zelensky at Buckingham Palace.

The attack came to light only two weeks after King Charles made a public remark over the war, in his speech on the royal visit to Paris. In his comment, he mentioned Russia’s ‘unprovoked aggression’ and said that ‘Ukraine must prevail.’  

SolarWinds Hackers Dangle BMWs to Eavesdrop on Diplomats

 

The Russia-backed group responsible for the SolarWinds attack, known as Cloaked Ursa or Nobelium/APT29, has shifted its tactics and is now targeting foreign diplomats working at embassies in Ukraine. Instead of using traditional political lures, the group is employing more personalized approaches to entice victims into clicking on malicious links.

Researchers from Palo Alto Networks' Unit 42 have been monitoring the activities of Cloaked Ursa and discovered that the initial lure in the campaign involved a legitimate flyer advertising the sale of a used BMW sedan in Kyiv. The flyer, which was originally shared by a diplomat within the Polish Ministry of Foreign Affairs, caught the attention of potential victims, particularly new arrivals to the region. 

Exploiting this opportunity, Cloaked Ursa created a counterfeit version of the flyer and sent it to multiple diplomatic missions as a bait for their malware campaign. The malicious message contained a link that promised additional photos of the car, but instead, it executed malware in the background when clicked.

The malware payload used by Cloaked Ursa is JavaScript-based and provides the attackers with a backdoor into the victim's system, enabling them to load further malicious code through a command-and-control connection. 

The group meticulously compiled its target list, using publicly available embassy email addresses for 80% of the victims and unpublished email addresses for the remaining 20%. This deliberate selection aimed to maximize their access to desired networks.

While the researchers observed the campaign being conducted against 22 out of the 80 foreign missions in Ukraine, they suspect that the actual number of targets is higher. The extensive scope of the attacks is remarkable for operations that are typically secretive and narrowly focused.

In a strategic shift, Cloaked Ursa has moved away from using job-related topics as bait and instead crafted lures that appeal to recipients' personal interests and desires. This change aims to increase the campaign's success rate by compromising not only the initial targets but also others within the same organization, extending its reach. 

The researchers noted that these unconventional lures have broad applicability across the diplomatic community and are more likely to be forwarded to other individuals within and outside the organization.

Cloaked Ursa, also known as Nobelium/APT29, is a state-sponsored group associated with Russia's Foreign Intelligence Service (SVR). The group gained notoriety for the SolarWinds attack, which involved a backdoor discovered in December 2020 and affected approximately 18,000 organizations through infected software updates.

Since then, the group has remained active, targeting foreign ministries, diplomats, and the US government, exhibiting sophistication in both tactics and custom malware development.

To mitigate APT cyberattacks like those conducted by Cloaked Ursa, the researchers provided some recommendations for diplomatic personnel. They advised administrators to educate newly assigned diplomats about cybersecurity threats specific to the region before their arrival. 

Additionally, individuals should exercise caution when downloading files, even from seemingly legitimate sources, and be vigilant about URL redirection when using URL-shortening services, as this could be indicative of a phishing attack. Verifying file extension types and avoiding files with mismatched or obfuscated extensions is crucial to prevent falling victim to phishing attempts. 

Finally, the researchers suggested that diplomatic employees disable JavaScript as a preventive measure, rendering JavaScript-based malware unable to execute.

A US Cyber Team's Perspective on US Military Cyber Defense of Ukraine

 


Despite analysts' numerous predictions, Russia could not destroy Ukraine's computer systems in this year's invasion with a massive cyber-attack. This may be because an unknown US military branch hunts down rivals online to enforce their interests. To cover these global missions, the BBC was granted exclusive access to the cyber-operators who carried them out. 

The US military landed in Ukraine in December last year on a recon mission led by a young major who led a small team. There were plans to deploy more troops ahead of this deployment. 

On Thursday, the Ukrainian government's premier counterintelligence and law enforcement agency revealed the real identities of five individuals allegedly involved in cyber-espionage activities attributed to the Gamaredon cyber-espionage group. According to the agency, these members are connected to the Russian Federal Security Service (FSB). 

It has been apparent in recent months that Gamaredon is very active in the threat actor community. When you open Twitter and type in #Gamaredon, you'll find several tweets a week with updated information on the IOC and samples it has created. 

Gamaredon Group is another advanced persistent threat (APT) group targeting the Ukrainian government today. It is also known as Shuckworm, Iron Tilden, Primitive Bear, Winter Flounder, and Accinium. 

A common attack tool is phishing emails with attachments of Microsoft Office documents. These emails can be used to gain access to the victim's system through initial attacks using phishing emails. 

In recent months, there have been reports of Russian troops amassing along the Ukrainian border, raising fears of war breaking out. As much as Russia denies any plans to invade, it demands sweeping security guarantees, including a guarantee that NATO will never admit the Ukrainians to NATO. 

The Ukrainian security services, who believed that the act of terrorism had been committed by officers of the Russian Federal Security Service from Crimea, publicly attributed the act of terrorism to Gamaredon in November. An online comment request was sent to the Russian Embassy in Washington regarding Gameredon; however, there was no immediate response from the Russian Embassy. 

A spokesperson for Ukraine's Security Service (SSU) said in a statement today that the hacker group had been depicted as "an FSB special project that specifically targeted Ukraine," at the same time confirming that many of the perpetrators of the hack were "Crimean FSB officers and traitors who defected to the enemy during the occupation of the peninsula in 2014." 

According to the country's authorities, over 1,500 government entities, public entities, and private enterprises have been targeted by actors in the past seven years in Ukraine. This group aims to gather intelligence, disrupt operations, and take control of critical infrastructure facilities to collect critical data. 

Between 2020 and the present, Malwarebytes has identified five operations that have taken place. They were victims of armed clashes between Russian-aligned individuals and Ukrainian citizens who had taken part in the discredited referendums called for by Moscow on September 2022. These referendums were called for in the Ukrainian territories of Luhansk, Donetsk, Zaporizhzhia, and Kherson. In the Dnepropetrovsk, Lugansk, and Crimea regions, there has been a massive outbreak of infections in state, agricultural, and transportation ministries. 

Ukrainian intelligence agencies track Armageddon, a threat group that launched the attacks, as responsible for the attacks. While it is known by the names Gamaredon, Primitive Bear, Winterflounder, BlueAlpha, Blue Otso, Iron Tilden, and Sector C08 in the cybersecurity community, it operates by many other names as well. 

Several campaigns in eastern Ukraine involved Malwarebyte attackers exfiltrating snapshots, USB flash drives, keyboard strokes, and microphone recordings, depending on the campaign. 

On Wednesday, Anne Neuberger, a White House cyber official, said Russia could destabilize and invade Ukraine using cyberattacks. 

In early 2013, it appeared that Russia had sponsored the Gamaredon Group, which is a misspelled anagram of the word "armageddon" and has been sporadically perpetrating cyberattacks on Ukrainian military, government, and non-profit organizations since then. 

Threat actors leverage legitimate Microsoft® Office documents to inject remote templates into legitimate Microsoft® Office documents. The technique works even when Microsoft® Word security features have been turned on. There is a way to bypass Microsoft Word macro protections, which are designed to prevent attackers from compromising sensitive systems with malware, infecting them with the infection, accessing the data, and then spreading the infection to other systems.

Genesis Market: The Fall of a Cybercrime Website

Law enforcement agencies worldwide have dealt a blow to the criminal underworld with the takedown of Genesis Market, a notorious website used to buy and sell stolen data, hacking tools, and other illicit goods and services. The investigation involved coordinated efforts by the FBI, UK National Crime Agency, Dutch Police, Europol, and other partners.

According to BBC News, Genesis Market had over 500,000 users and 250 vendors, with estimated earnings of $1 billion. The site operated on the dark web, using sophisticated encryption and anonymity technologies to evade detection. However, its operators made a critical mistake by reusing passwords and allowing law enforcement to seize control of the domain.

The shutdown of Genesis Market is a significant victory for law enforcement agencies in the fight against cybercrime. A spokesperson for the FBI said, "This operation sends a clear message to cybercriminals that law enforcement will work tirelessly to identify, investigate and bring them to justice."

As reported by Radio Free Europe, the bust also resulted in the arrest of several individuals linked to the site, including its alleged administrator, who was apprehended in Ukraine. The suspects face charges of cybercrime, money laundering, and other offenses, and could face lengthy prison terms if convicted.

The investigation into Genesis Market highlights the ongoing threat of cybercrime, which has become a lucrative and increasingly sophisticated industry. The site was just one of many platforms used by criminals to exploit vulnerabilities in technology and networks and to profit from the theft and abuse of sensitive data.

However, the successful takedown of Genesis Market also demonstrates the power of collaboration and technology in fighting cybercrime. Europol praised the joint efforts of law enforcement agencies, which utilized advanced tools such as blockchain analysis, malware reverse engineering, and undercover operations to infiltrate and disrupt the site.

Ukrainian Police Arrests Suspects Accused of Stealing $4.3M From Victims Across Europe


The Ukrainian police have detained 10 suspects, arresting two for allegedly being involved in a cybercrime group that conducted phishing campaigns and was a part of fraudulent online marketplaces, stealing more than $4.3 million from over 1,000 users across Europe. 

According to Ukraine’s cyber police unit, which collaborated with Czech Republic law enforcement on the bust, the threat group created more than 100 phishing sites to acquire victims’ bank credentials and access to their accounts. 

These websites provided a range of products for sale at discounts from market value. But, instead of obtaining a good price when customers entered their bank card information to pay for the fraudulent products, they had their account information stolen and probably had all of their money stolen from them. 

Additionally, the scammers established two Ukrainian call centers, in Vinnytsia and Lviv, and employed operators to persuade clients to make purchases as part of the scam. Too bad they were not assisting to defend their country instead of taking advantage of people. As per the police report, the victims include individuals from several European countries like the Czech Republic, France, Spain, and Portugal. The threat group scammed the victims of 160 million hryvnias or more, i.e. nearly $4.36 million. 

Following the event of the arrest, the Ukrainian police also shared a video where the police officers were seen busting down doors of a suspect’s residence and an empty call center. 

The law enforcement teams searched the houses, cars, and two call centers of the accused in a total of around 30 searches, seizing mobile phones, SIM cards, and computer hardware involved in illicit activity. 

The two suspected heads of the crime gang are facing up to 12 years in prison on charges of fraud and establishing a criminal organization. The European Union has captured ten more accused gang members, and according to international law enforcement organizations, the investigation is still underway. 

The aforementioned arrest is followed by another call center scan in Europe, that was announced by Europol in January this year. In the case, the European police detained 15 suspects and closed down a multi-country channel of call centers selling fabricated cryptocurrency that the law enforcement claimed to have stolen more than hundreds of million euros from victims.  

Cybercriminals Use ChatGPT to Ease Their Operations

 

Cybercriminals have already leveraged the power of AI to develop code that may be used in a ransomware attack, according to Sergey Shykevich, a lead ChatGPT researcher at the cybersecurity firm Checkpoint security.

Threat actors can use the capabilities of AI in ChatGPT to scale up their current attack methods, many of which depend on humans. Similar to how they aid cybercriminals in general, AI chatbots also aid a subset of them known as romance scammers. An earlier McAfee investigation noted that cybercriminals frequently have lengthy discussions in order to seem trustworthy and entice unwary victims. AI chatbots like ChatGPT can help the bad guys by producing texts, which makes their job easier.

The ChatGPT has safeguards in place to keep hackers from utilizing it for illegal activities, but they are far from infallible. The desire for a romantic rendezvous was turned down, as was the request to prepare a letter asking for financial assistance to leave Ukraine.

Security experts are concerned about the misuse of ChatGPT, which is now powering Bing's new, troublesome chatbot. They see the potential for chatbots to help in phishing, malware, and hacking assaults.

When it comes to phishing attacks, the entry barrier is already low, but ChatGPT could make it simple for people to proficiently create dozens of targeted scam emails — as long as they craft good prompts, according to Justin Fier, director for Cyber Intelligence & Analytics at Darktrace, a cybersecurity firm.

Most tech businesses refer to Section 230 of the Communications Decency Act of 1996 when addressing illegal or criminal content posted on their websites by third party users. According to the law, owners of websites where users can submit content, such as Facebook or Twitter, are not accountable for what is said there. Governments should be in charge of developing and enforcing legislation, according to 95% of IT respondents in the Blackberry study.

The open-source ChatGPT API models, which do not have the same content limitations as the online user interface, are being used by certain hackers, according to Shykevich.ChatGPT is notorious for being boldly incorrect, which might be an issue for a cybercriminal seeking to create an email meant to imitate someone else, experts told Insider. This could make cybercrime more difficult. Moreover, ChatGPT still uses barriers to stop illegal conduct, even if the correct script can frequently get around these barriers.

Data Theft Feature Added by Russian Nodaria APT

An updated piece of information-stealing malware is being used against targets in Ukraine by the Nodaria spy organization, also known as UAC-0056. The malware was created in Go and is intended to gather a variety of data from the infected computer, including screenshots, files, system information, and login passwords.

The two-stage threat known as graphiron consists of a downloader and a payload. The downloader has the addresses of command-and-control (C&C) servers hardcoded in. It will look for active processes when it is executed and compare them to a blacklist of malware analysis tools.

If no processes on the blacklist are discovered, this will connect to a C&C server, download the payload, and then decrypt it before adding it to autorun. The downloader is set up to run only once. It won't try again or send a signal if it is unable to download and run the payload.

Graphiron shares several characteristics with earlier Nodaria tools like GraphSteel and GrimPlant. Advanced features allow it to execute shell commands, gather system data, files, login passwords, screenshots, and SSH keys. Further, it uses port 443 to communicate with the C2 server, and all communications are encrypted using an AES cipher.

Attacks against Georgia and Kyrgyzstan have been carried out by Nodaria since at least March 2021. The recognized tools used by the group include WhisperGate, Elephant Dropper and Downloader, SaintBot downloader, OutSteel information stealer, GrimPlant, and GraphSteel information stealer.



Cybersecurity in 2023: Russian Intelligence, Chinese Espionage, and Iranian Hacktivism


State-sponsored Activities 

In the year 2022, we witnessed a number of state-sponsored cyber activities originating from different countries wherein the tactics employed by the threat actors varied. Apparently, this will continue into 2023, since government uses its cyber capabilities as a means of achieving its economic and political objectives. 

Russian Cyber Activity will be Split between Targeting Ukraine and Advancing its Broader Intelligence Goals 

It can be anticipated that more conflict-related cyber activities will eventually increase since there is no immediate prospect of an end to the conflict in Ukraine. These activities will be aimed at degrading Ukraine's vital infrastructure and government services and gathering foreign intelligence, useful to the Russian government, from entities involved in the war effort. 

Additionally, organizations linked to the Russian intelligence services will keep focusing their disinformation campaigns, intelligence gathering, and potentially low-intensity disruptive attacks on their geographical neighbors. 

Although Russia too will keep working toward its longer-term, more comprehensive intelligence goals. The traditional targets of espionage will still be a priority. For instance, in August 2022, Russian intelligence services used spear phishing emails to target employees of the US's Argonne and Brookhaven national laboratories, which conduct cutting-edge energy research. 

It is further expected that new information regarding the large-scale covert intelligence gathering by Russian state-sponsored threat actors, enabled by their use of cloud environments, internet backbone technology, or pervasive identity management systems, will come to light. 

China Will Continue to Prioritize Political and Economic Cyber Espionage 

It has also been anticipated that the economic and political objectives will continue to drive the operation of China’s intelligence-gathering activities. 

The newly re-elected president Xi Jinping and his Chinese Communist Party will continue to employ its intelligence infrastructure to assist in achieving more general economic and social goals. It will also continue to target international NGOs in order to look over dissident organizations and individuals opposing the Chinese government in any way. 

China-based threat actors will also be targeting high-tech company giants that operate in or supply industries like energy, manufacturing, housing, and natural resources as it looks forward to upgrading the industries internally. 

Iranian Government-backed Conflicts and Cybercrimes will Overlap 

The way in which the Iranian intelligence services outsource operations to security firms in Iran has resulted in the muddled difference between state-sponsored activity and cybercrime. 

We have witnessed a recent incident regarding the same with the IRGC-affiliated COBALT MIRAGE threat group, which performs cyber espionage but also financially supports ransomware attacks. Because cybercrime is inherently opportunistic, it has affected and will continue to affect enterprises of all types and sizes around the world. 

Moreover, low-intensity conflicts between Iran and its adversaries in the area, mainly Israel, will persist. Operations carried out under the guise of hacktivism and cybercrime will be designed to interfere with crucial infrastructure, disclose private data, and reveal agents of foreign intelligence. 

How Can Organizations Protect Themselves from Opportunistic Cybercrime?

The recent global cyber activities indicate that opportunistic cybercrime threats will continue to pose a challenge to organizational operations. 

Organizations are also working on defending themselves from these activities by prioritizing security measures, since incidents as such generally occur due to a failure or lack of security controls. 

We have listed below some of the security measures organizations may follow in order to combat opportunistic cybercrime against nations, states, and cybercrime groups : 

  • Organizations can mitigate threats by investing in fundamental security controls like asset management, patching, multi-factor authentication, and network monitoring. 
  • Maintaining a strong understanding of the threat landscape and tactics utilized by adversaries. Security teams must also identify and safeguard their key assets, along with prioritizing vulnerability management. 
  • Traditional methods and solutions, such as endpoint detection and response, are no longer effective in thwarting today's attacks, so it is crucial to thoroughly monitor the entire network, from endpoints to cloud assets. However, in order to identify and effectively address their most significant business concerns, and prioritize threats in order to combat them more efficiently.  

Trojanized Windows 10 Installer Utilized in Cyberattacks Against Ukrainian Government Entities

 

Ukraine's government has been compromised as part of a new campaign that used trojanized versions of Windows 10 installer files to conduct post-exploitation activities. The malicious ISO files were distributed via Ukrainian and Russian-language Torrent websites, according to Mandiant, which discovered the "socially engineered supply chain" attack around mid-July 2022. The threat cluster is identified as UNC4166. 

"Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it," the cybersecurity company said in a technical deep dive published Thursday.

Even though the origin of the adversarial collective is unknown, the disruptions are said to have targeted organisations that had previously been victims of disruptive wiper attacks blamed on APT28, a Russian state-sponsored actor. According to the Google-owned threat intelligence firm, the ISO file was designed to disable telemetry data transmission from the infected computer to Microsoft, install PowerShell backdoors, and block automatic updates and licence verification.

The main objective of the operation appears to have been data gathering, with additional implants deployed to the machines only after an initial reconnaissance of the vulnerable environment to determine if it contained valuable intelligence.

Stowaway, an open source proxy tool, Cobalt Strike Beacon, and SPAREPART, a lightweight backdoor written in C that enables the threat actor to execute commands, harvest data, capture keystrokes and screenshots, and export the data to a remote server, were among them.

The malicious actor attempted to download the TOR anonymity browser onto the victim's device in some cases. While the precise reason for this action is unknown, it is suspected that it served as an alternative exfiltration route.

SPAREPART, as the name suggests, is considered to be redundant malware that is used to uphold remote access to the system if the other methods fail. It also has the same functionality as the PowerShell backdoors that were dropped early in the attack chain.

"The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest," Mandiant stated.

The findings come as Check Point and Positive Technologies revealed attacks on the government sector in Russia, Belarus, Azerbaijan, Turkey, and Slovenia by an espionage group known as Cloud Atlas as part of a persistent campaign.

The hacking group, which has been active since 2014, has a history of targeting entities in Eastern Europe and Central Asia. However, the outbreak of the Russo-Ukrainian war earlier this month has shifted its focus to organisations in Russia, Belarus, and Transnistria.

"The actors are also maintaining their focus on the Russian-annexed Crimean Peninsula, Lugansk, and Donetsk regions," Check Point said in an analysis last week.

The adversary's attack chains typically utilise phishing emails with bait attachments as the initial intrusion vector, leading to the delivery of a malicious payload via an intricate multi-stage sequence. The malware then contacts an actor-controlled C2 server to obtain additional backdoors capable of stealing files with specific extensions from the compromised endpoints.

Check Point's observations, on the other hand, culminate in a PowerShell-based backdoor known as PowerShower, which was first discovered by Palo Alto Networks Unit 42 in November 2018. Some of these intrusions in June 2022 were also successful, allowing the threat actor to achieve full network access and use tools such as Chocolatey, AnyDesk, and PuTTY.

"With the escalation of the conflict between Russia and Ukraine, their focus for the past year has been on Russia and Belarus and their diplomatic, government, energy and technology sectors, and on the annexed regions of Ukraine," Check Point added.

Cloud Atlas, also known as Clean Ursa, Inception, Oxygen, and Red October, is still unidentified, joining the ranks of other APTs such as TajMahal, DarkUniverse, and Metador. The group's name derives from its reliance on cloud services such as CloudMe and OpenDrive to host malware.

Wipers Are Expanding: Here's Why That Matters

 

In the first half of this year, researchers observed a rise in the use of wiper malware in tandem with the Russia-Ukraine conflict. However, those wipers haven't stayed in one place; they're spreading worldwide, proving that cybercrime has no borders. 

Not only are the numbers increasing; but there's also an increase in variety and sophistication. These wiper variants are growingly aimed at critical infrastructure. The war in Ukraine has undoubtedly fueled significant growth in the use of wiper malware; FortiGuard Labs' research identified at least seven new wiper variants used in campaigns targeting government, military, and private organizations in the first half of 2022.

That's nearly as many wiper variants as have been publicly detected since 2012 when bad actors used the Shamoon wiper to attack a Saudi oil company. These variants include the following variants:

• CaddyWiper: Bad actors used this variant to wiper data and partition information from drives on systems belonging to a select number of Ukrainian organizations shortly after the war began. 
• WhisperGate: Discovered by Microsoft in mid-January being used to target organizations in Ukraine.
• HermeticWiper: Noted in February by SentinelLabs, this tool for triggering boot failures was also found targeting Ukrainian organizations
• IsaacWiper: A malware tool for overwriting data in disk drives and attached storage to render them inoperable.

We also discovered three variants aimed at Ukrainian businesses and organizations: WhisperKill, Double Zero, and AcidRain.

Wipers without borders

The wiper ware campaign is open to more than Ukraine. Since the beginning of the conflict in February, we've detected more wiper malware outside Ukraine than inside. Wiper activity has been detected in 24 countries other than Ukraine.

AcidRain, utilized to target a Ukrainian satellite broadband service provider, was also used in a March attack that knocked out several thousand German wind turbines. What does this mean? It demonstrates that such attacks can cross borders, whether they are between countries or between IT and OT.

Enterprise security teams must be prepared. While the number of detected wipers has been lower than for other types of cyberattacks thus far, the nature of wipers and how they are used make them extremely dangerous. Wiper malware is used by bad actors for a variety of purposes, including financial gain, sabotage, evidence destruction, and cyber war. Shamoon, the original wiper ware, demonstrated clearly how wipers can be used as cyber sabotage weapons - and how the same wiper can rear its ugly head years later.

Variants such as GermanWiper and NotPetya have demonstrated how wipers can be used to extort money from victims, such as "pretending" to be ransomware. And, as you may recall, NotPetya began as a cyber-attack against Ukrainian organizations but quickly spread to become one of the most devastating cyber-attacks of all time.

When it comes to wipers, one factor to think about is whether or not they self-promote. If it's a worm, like NotPetya, it can spread to other machines once released. And once that occurs, it is uncontrollable.

CISA issued a warning about the direct threat wipers pose in February, recommending that "organizations increase vigilance and evaluate their capabilities encompassing wiper attack planning, preparation, detection, and response."

One of the most effective defensive measures for wiper malware is integrated, AI and ML-driven, advanced detection and response capabilities operated by actionable threat intelligence to protect across all edges of hybrid networks.

It can, for example, keep the impact of an attack to a single segment of the network and limit lateral movement.

Deception technology, a strategy in which cyber attackers have diverted away from an enterprise's true assets and instead directed toward a decoy or a trap, should also be considered by organizations. The decoy imitates legitimate servers, applications, and data in order to fool the bad actor into thinking they have infiltrated the real thing.

Furthermore, services like a digital risk protection service (DRPS) can assist with external surface threat assessments, security remediation, and gaining contextual insights on imminent threats.

Don't skimp on incident response: If your company is infected with wiper malware, the speed and quality of incident response are critical. It could determine the outcome of the attack. The importance of incident response and planning cannot be overstated. This should include defined processes for business continuity without IT, as well as a plan for how to restore from backups and handle incident response.

In the future

Wiper ware can and is being used to degrade and disrupt critical infrastructure, as evidenced by the attacks on Ukraine and others. This is done as part of larger cyber warfare operations. Another common technique witnessed is wiper malware samples "pretending" to be ransomware, employing many of the same tactics, techniques, and procedures as ransomware but without the ability to recover files.

The bottom line is that wiper ware is being used for both financial gain and cyber sabotage - and the results can be disastrous.  

Cyber Insurers Redefine State-Sponsored Attacks as an Act of War Amidst Legal Concerns


The U.S. government says that the consequences created by NotPetya were the result of a Russian cyberattack on Ukraine in 2017. This continues to be felt as cyber insurers alter coverage exclusions, further extending the definition of an “act of war.” One can conclude that the 5-year-old cyberattacks seem to be reshaping the cyber insurance industry. 

The parent company of brands like Cadbury, Oreo, Ritz, and Triscuit, ‘Mondelez’ was in fact impacted by NotPetya, where the manufacturing factories and production were interrupted, taking days for the companies’ staff to regain control of their computer systems. The business filed a claim for $100 million in losses to Zurich American, its property and liability insurer. Zurich, after initially agreeing to pay a portion of the claim — $10 million, later withheld payment, claiming the attack was an act of war and hence not covered by the policy. Mondelez later initiated legal action. 

Later, Mondelez and Zurich America allegedly agreed on the original claim of $100 million, but it was not until Merck's $1.4 billion lawsuit against Ace American Insurance Company for its NotPetya-related damages had been successful in January 2022. The claims made by Merck did not pertain to a cyber insurance policy, but rather to its property and casualty policy. 

Back in the year 2017, while cyber insurance policy was still a budding idea, several company giants filed claims for the exploit pertaining to NotPetya – the one due to which an exploit of an estimated $10 billion happened worldwide – against company assets and casualty policies. 

What Has Changed? 

Before the course of the COVID-19 pandemic, until 2020, these cyber insurance policies were being sold in a similar manner as that of a typical home or auto policy, where the company was the least concerned about their cybersecurity profile, or the tools they would use in order to secure and defend its network or data, or its general cyber hygiene. 

But since numerous ransomware attacks hit the organizations that were built off of lax cybersecurity, insurance carriers eventually started altering their requirements, prioritizing their requirements to acquire such policies, says Alla Valente, senior analyst at Forrester Research. 

Currently, the business model for cyber insurance is substantially distinctive from other policies, marking the cyber insurance policies of 2017 as obsolete. 

What is an “Act of War”? 

Every sort of insurance policy, including cyber insurance policies, has a "War Exclusion." A war exclusion clause generally says that no damages resulting from hostile or warlike activities by a state or its agents are covered. Usually, this exclusion is applicable to a “hot war,” like the one we have witnessed in Ukraine in recent times. Although, courts are beginning to consider cyberattacks as potential acts of war, without the declaration of war or any land troop, aircraft, or any material battlefield. The state-sponsored attacks themselves constitute a war footing, as noted by the carriers. 

The terms of cyber policies from Lloyd's of London will now change in April 2023, excluding liability losses brought on by state-sponsored cyberattacks. As stated by Tony Chaudhry, Lloyd’s underwriting director, in a Market Bulletin published in August 2022, "Lloyd's remains strongly supportive of the writing of cyber-attack cover but recognizes also that cyber-related business continues to be an evolving risk. If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage." 

In regards to this, Forrester's Valente notes that businesses may have to keep their large cash deposits aside if they ever face a state-sponsored attack. Only if the insurance carriers are successful in claiming in court that a state-sponsored attack is, by definition, an act of war, no business will then have coverage unless they specifically negotiate that into the contract to eliminate the exclusion. 

Scott Godes, partner and co-chair of the Insurance Recovery and Counseling Practice and the Data Security & Privacy practice at District of Columbia law firm Barnes & Thornburg says that, when purchasing cyber insurance, "it is worth having a detailed conversation with the broker to compare so-called 'war exclusions' and determining whether there are carriers offering more favorable terms,"

"Unfortunately, litigation over this issue is another example of carriers trying to tilt the playing field in their favor by taking premium, restricting coverage, and fighting over ambiguous terms," he adds.  

Ukraine’s Cyber-Defenses Have Been Exemplary, Says Lindy Cameron


It has always been a necessary task to defend one’s digital life in order to secure critical systems and services. In recent years, the UK has witnessed a range of online threats, varying from ransomware threats, and online frauds, to the cybersecurity risks that the country garnered with the return of war in Europe.

Considering the changes in the entire cybersecurity landscape over the past year, the UK needs a whole-of-society response to combat the ever-evolving online threats, risks, and vulnerability, in order to secure the nation’s online status. 

Working with allies and partners in both the public and private sectors, the National Cyber Security Centre (NCSC) has contributed to a significant effort to increase our country's resilience at each level. Along with reflecting on significant achievements and challenges faced over the past, its Annual Review sheds light on what can we learn from the past year to combat the threats and perplexities that lie ahead. 

The invasion of Ukraine was one of the biggest problems for cybersecurity. While Russia's harsh and devastating war aimed to change the world's physical geography, its effects were felt everywhere, including in cyberspace. 

“While Russia’s brutal war has sought to redraw the physical map, its consequences have been felt in cyberspace,” says Lindy Cameron, CEO of the National Cyber Security Centre. 

NCSC, as a part of GCHQ, could monitor cybersecurity threats and has cautioned of increased cyber risks because of Russian hostility from the beginning of 2022. It has additionally published expert guidelines to aid organizations strengthen their defenses, and has collaborated extensively with partners to make sure that vital enterprises, infrastructure, and society as a whole are as robust as possible. 

Ransomware continues to present one of the greatest risks to UK businesses and organizations, and we have already witnessed the adverse repercussions that attacks may have on operations, finances, and reputations of organizations, resulting in the widespread wreck for consumers. 

The NCSC has published expert guidance to aid organizations to take measures to secure themselves online and continues to urge CEOs to take the matter seriously and should not be left to the technical experts. 

Since last year, NCSC has helped contain hundreds of thousands of upstream cyberattacks, while as well reinforcing preparedness for the same. Moreover, helping organizations and institutions gain a better understanding of the nature of threats, risks, and vulnerabilities downstream. 

By addressing these challenges, NCSC ensures the UK to emerge as a global cyber-power in the future. Its overall plan for doing so is outlined in the National Cyber Strategy, which acknowledges that thriving cyber skill and growth in the ecosystem is important to maintain this advantage and support the diversity of talent at its core. 

In the past year, initiatives like CyberFirst have collaborated with thousands of young people from all across the country, while NCSC has supported businesses for Startup programs, generating hundreds of millions of pounds in investments. 

“This is a source of great optimism for me and my team as we look ahead to 2023. But cybersecurity is a team sport and it is only through mobilising the whole of society that we can achieve our goal of making the UK a safe place to live and work online,” adds Cameron.  

Russia- Linked Sandworm Enacted Ukrainian Telecoms for Injecting Malicious Code


It was discovered that a Russian-based hacker known as Sandworm, impersonating Ukrainian telecommunications, targeted its entities and injected malware into them, leading to software infections throughout the country. 
 
The Sandworm is a group of hackers that are closely connected with the foreign military intelligence service of the Russian government called the GRU as a military unit 7445. It is an Advanced Persistent Threat (APT) group, which was responsible for several cyberattacks including on Ukrainian energy infrastructure. 
 
The recorded future was spying over the operations of government as well as private sectors. As per the report of “recorded future”, the rise in activities of Sandworm has been noticed since August 2022, tracked by the Computer emergency response team of Ukraine (CERT-UA). It is obvious from the frequency with which the Sandworm has been observed employing DNS domains for control and command infrastructure that it is a ruse to attack Ukrainian computers. 
 
Recorded Future further added in the report that, the APT group found a new infrastructure of UAC-0113, which imitates the operators such as Datagroup, and EuroTrans Telecom, which were responsible for placing DarkCrystal RAT, previously. 
 
The Recorded Future’s report entails “Identified staging infrastructure continues the trend of masquerading as telecommunication providers operating within Ukraine and delivers malicious payloads via an HTML smuggling technique that deploy Colibri Loader and Warzone RAT malware.” 
 
This new infrastructure of Advanced persistent threat group UAC-0113 distributed the commodity malicious ISO Colibri Loader and Warzone RAT by using HTML smuggling. This smuggling technique uses legalized features of HTML and JavaScript to inject malicious codes under security controls. 
 
The super-hacker team of Russia, Sandworm, is popularly known for its cyberattacks on the Ukrainian electrical grid in 2015 and 2016. In further research, it was also found responsible for the dropping of a botnet known as “Cyclops Blink”, which subjugated internet-connected firewall devices, etc from WatchGuard and ASUS. 
 
This APT group had also captured U.S. software under its cyberattacks, due to which the U.S government announced a reward of $10 million for providing the information of the hackers behind this Russian threat actor group. 
 
There are several examples of domains being used as masquerade such as the domain “datagroup[.]ddns[.]net”, tracked by CERT-UA, in June. It impersonated the data group as its online portal. Another example of deception is Kyivstar, in which the domain “kyiv-star[.]ddns[.net” was used by Sandworm against Ukrainian telecom services.

Anonymous Attacks Russian Taxi Company, Causes Traffic Jam


Yandex Taxi Hacked

Russia has been one of the main targets of hackers since the country launched a war against Ukraine. The most recent attack was targeted against Yandex Taxi, a ride hailing service. 

The news first came out on reddit.com. Yandex Taxi belongs to Yandex, Russia's leading IT corporation, also known as Russian Google. 

One should note that the EU sanctioned the company's co-founder Arkady Volozh for “de-ranking and removing,” any info related to Russian attacks against Ukraine.

About the incident

Once Yandex Taxi app was hacked, the anonymous threat actors made a massive traffic jam in Moscow, Russia. 

On 1st September 2022, the drivers complained after they saw an unusual gathering of Taxis in Moscow's western area. 

It happened because the hackers booked all the available taxis to a same address, and a massive traffic jam happened as various Yandex Taxi drivers got stuck due to being trapped in a particular location. 

The cabs were directed towards Kutuzovsky Prospekt, one of the main avenues in Moscow, it is also famous for the Stalinist-era building known as Hotel Ukraina (Hotel Ukraine).

The traffic jam was there for three hours. Yandex's security team immediately looked into the issue and promised to better the algorithm to avoid such incidents from happening again in the future. 

Who is behind the attack?

The online hacktivist group Anonymous claims responsibility for the attack. Someone compromised the Yandex app and did a frustrating mix-up of taxis. 

The hackers avoided the company's security mechanisms and made multiple fake orders, directing all the drivers to a single location. 

In a similar incident that happened last year, Yandex in its blog post said:

"This is just one of many attacks aimed not only at Yandex but also at many other companies in the world. The attacks have been going on for several weeks, their scale is unprecedented, and their source is a new botnet about which little is known so far."


Hacked Ukrainian Radio Stations Propagates Misinformation Regarding President Zelensky’s Health

 

The hackers targeted Ukrainian radio operator TAVR Media on Thursday to spread fake news that Ukrainian President Volodymyr Zelensky was hospitalized and is in a critical condition. 

Anonymous attackers broadcasted reports that the Ukrainian President was in an intensive care ward and that his duties were being temporarily performed by the Chairman of the Ukrainian parliament Ruslan Stefanchuk, the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) stated. 

"Cybercriminals spread information that the President of Ukraine, Volodymyr Zelenskyy, is allegedly in intensive care, and his duties are performed by the Chairman of the Verkhovna Rada, Ruslan Stefanchuk," the SSSCIP said in an update. 

The Kyiv-based holding firm is one of Ukraine’s largest broadcasters and manages nine major radio stations, including Hit FM, Radio ROKS, KISS FM, Radio RELAX, Melody FM, Nashe Radio, Radio JAZZ, Classic Radio, and Radio Bayraktar. 

TavrMedia wrote on Facebook that it is working “to solve the problem,” but did not provide additional details. The company also emphasized that "no information about the health problems of the President of Ukraine Volodymyr Zelenskyy is true." 

The false reports, which were broadcasted during prime time, between 12 and 2 p.m., also forced Zelenskyy to take to Instagram, stating, "I have never felt as healthy as I do now." 

It remains unclear how the hackers breached TAVR Media. Multiple hackers from across the globe have tried to capitalize on the ongoing conflict between Russia and Ukraine to launch a barrage of cyberattacks. 

In a related development, the Computer Emergency Response Team of Ukraine (CERT-UA) also issued a warning regarding macro-laden PowerPoint documents being leveraged to deploy Agent Tesla malware targeting state organizations of Ukraine. 

This is not the first instance that hackers have targeted Ukrainian media. According to Cloudflare, online media, publishing, and broadcasting firms were targeted by more distributed denial-of-service attacks (DDoS) in the second quarter of 2022 than in any other industry. 

Earlier this year in June, the malicious actors also targeted the Ukrainian streaming service Oll.tv and replaced the broadcast of a football match between Ukraine and Wales with Russian propaganda. In February, Ukraine’s national public broadcaster suffered a DDoS attack, according to its general producer Dmytro Khorkin.