Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label GRU. Show all posts
Hacking Group
Amazon Cloud Cloud Defense Cloud Device Cyber Campaigns Cyber Security GRU Hacking Attack Hacking Group

Amazon Links Five-Year Cloud Cyber Campaign to Russia’s Sandworm Group

 

Amazon is talking about a hacking problem that has been going on for a long time. This problem was targeting customers who use cloud services in countries. Amazon says that a group called Sandworm, which is linked to Russias intelligence is behind this hacking. Amazons team that looks at threats found out that this hacking has been happening for five years. The hackers were looking for weaknesses in how customers set up their devices than trying to find problems with the software. They were exploiting these weaknesses to get into customer environments. 

Amazon and the customers were using cloud services. The hackers were targeting these cloud-connected environments. The hacking group Sandworm is the one that Amazon says is responsible, for this activity. The people at Amazon looked at this problem in December. Amazons chief information security officer, CJ Moses said that this is a change in how some groups try to get into important systems. CJ Moses said that these groups are not trying to get in by using software that has not been updated. 

Instead they are looking at devices that are connected to the cloud and are not set up correctly. These devices are how they get into the organizations they are trying to attack. CJ Moses and the people, at Amazon think that this is a way that state-sponsored actors are trying to get into critical infrastructure. The devices that are connected to the cloud are the way that these actors get into the systems they are trying to attack. 

The cyberattacks were different from others. The systems that were compromised were not old or missing security updates. The people who did the attack found problems with the equipment that helps connect things, like gateways and devices that sit at the edge of networks. These devices had been set up incorrectly by the customers who used them. This equipment is usually between the networks of a company and the cloud services they use outside. 

So it gave the attackers a way to get into the rest of the system without needing to find brand weaknesses or use very complicated bad software at the start. The attackers used these edge devices as a kind of bridge to get into the system. They were able to do this because the devices were not set up correctly by the customers. The cyberattacks were able to happen because of this mistake. It made it easier for the attackers to get into the system. The compromised systems, including the routing equipment and gateways were the key, to the attack. 

The bad people got into the system. They were able to get important information like passwords. Then they were able to move to different cloud services and the internal system. Amazon looked at this. They think that the bad people were able to hide what they were doing by making it look like normal activity on the network. This made it harder to catch them. The bad people used passwords and normal paths, on the network so they did not trip any alarms. This meant that the security people did not notice them because they were not doing anything that seemed out of the ordinary. 

The Sandworm activity was seen times over a few years with signs of it going back to at least 2021. The people behind this campaign were going after targets all around the world. They were especially interested in organizations that do important work like those that deal with critical infrastructure. Amazon found out that the people behind the Sandworm activity were really focused on energy companies, in North America and Europe. This shows that the Sandworm activity was a thoughtful and planned operation and that is what makes it so serious the Sandworm activity is a big deal. 

Security specialists looked at the results. They think this is part of a bigger pattern with advanced threat actors. What is happening is that people are taking advantage of mistakes in how thingsre set up rather than looking for things that need to be updated. As organizations start to use hybrid and cloud-based systems this is becoming a bigger problem. Even people who are very good at IT can miss mistakes in how thingsre set up and this can leave them open, to attacks all the time. Security specialists and these advanced threat actors know that they can take advantage of these mistakes without setting off the warnings that something is wrong. 

Advanced threat actors are using these mistakes to get in. Amazons disclosure is a warning that having cloud security is not just about doing the usual updates. Companies that use cloud and hybrid environments for work need to do more. They need to make sure everything is set up correctly always check for problems with devices that are connected to the internet and limit who can get into the system. These things are very important, for security. Amazons cloud security is an example of this. Cloud security requires a lot of work to keep it safe. 

In a separate disclosure, Amazon also acknowledged detecting attempts by North Korean operators to conduct large-scale cyber activity, though this was unrelated to the Sandworm campaign. The company later clarified that the Russian-linked operation targeted customer-managed devices hosted on AWS rather than Amazon’s own infrastructure, and that the activity represented sustained targeting over several years rather than uninterrupted access.
Read more »
Russia
Amazon AWS Cloud Security Credential Theft Cyber Attacks GRU Russia

Amazon Says It Has Disrupted GRU-Linked Cyber Operations Targeting Cloud Customers

 



Amazon has announced that its threat intelligence division has intervened in ongoing cyber operations attributed to hackers associated with Russia’s foreign military intelligence service, the GRU. The activity targeted organizations using Amazon’s cloud infrastructure, with attackers attempting to gain unauthorized access to customer-managed systems.

The company reported that the malicious campaign dates back to 2021 and largely concentrated on Western critical infrastructure. Within this scope, energy-related organizations were among the most frequently targeted sectors, indicating a strategic focus on high-impact industries.

Amazon’s investigation shows that the attackers initially relied on exploiting security weaknesses to break into networks. Over multiple years, they used a combination of newly discovered flaws and already known vulnerabilities in enterprise technologies, including security appliances, collaboration software, and data protection platforms. These weaknesses served as their primary entry points.

As the campaign progressed, the attackers adjusted their approach. By 2025, Amazon observed a reduced reliance on vulnerability exploitation. Instead, the group increasingly targeted customer network edge devices that were incorrectly configured. These included enterprise routers, VPN gateways, network management systems, collaboration tools, and cloud-based project management platforms.

Devices with exposed administrative interfaces or weak security controls became easy targets. By exploiting configuration errors rather than software flaws, the attackers achieved the same long-term goals: maintaining persistent access to critical networks and collecting login credentials for later use.

Amazon noted that this shift reflects a change in operational focus rather than intent. While misconfiguration abuse has been observed since at least 2022, the sustained emphasis on this tactic in 2025 suggests the attackers deliberately scaled back efforts to exploit zero-day and known vulnerabilities. Despite this evolution, their core objectives remained unchanged: credential theft and quiet movement within victim environments using minimal resources and low visibility.

Based on overlapping infrastructure and targeting similarities with previously identified threat groups, Amazon assessed with high confidence that the activity is linked to GRU-associated hackers. The company believes one subgroup, previously identified by external researchers, may be responsible for actions taken after initial compromise as part of a broader, multi-unit campaign.

Although Amazon did not directly observe how data was extracted, forensic evidence suggests passive network monitoring techniques were used. Indicators included delays between initial device compromise and credential usage, as well as unauthorized reuse of legitimate organizational credentials.

The compromised systems were customer-controlled network appliances running on Amazon EC2 instances. Amazon emphasized that no vulnerabilities in AWS services themselves were exploited during these attacks.

Once the activity was detected, Amazon moved to secure affected instances, alerted impacted customers, and shared intelligence with relevant vendors and industry partners. The company stated that coordinated action helped disrupt the attackers’ operations and limit further exposure.

Amazon also released a list of internet addresses linked to the activity but cautioned organizations against blocking them without proper analysis, as they belong to legitimate systems that had been hijacked.

To mitigate similar threats, Amazon recommended immediate steps such as auditing network device configurations, monitoring for credential replay, and closely tracking access to administrative portals. For AWS users, additional measures include isolating management interfaces, tightening security group rules, and enabling monitoring tools like CloudTrail, GuardDuty, and VPC Flow Logs.

Read more »
User Privacy
China Covid Cyber Security Cyptocurrency Elon Musk FTX GRU Russia-Ukraine War User Privacy

5 Most Significant Online Influencers of 2022

The Wired portal has taken the initiative to publish a list of the individuals that sparked the most online debates in 2022. Controversies motives, false information, and online turmoil will also be on the minds of many people going forward. 

Despite some issues that appear to be fading, such as the COVID-19 outbreak and the world of cryptocurrency, these issues frequently come up on social media. Money laundering, theft, and fraud are among the issues frequently in these debates. 

1. Sam Bankman-Fried

Money laundering, theft, and scams have been rampant in the cryptocurrency sector, from the Crypto dark-web drug trade to billions of dollars being taken from crypto firms by cybercriminals. Sam Bankman-Fried is currently charged with fraud of more than $8 billion in connection with the fall of the bitcoin exchange FTX. The exact extent of the misuse of user cash in FTX's collapse is still unknown, and even the new CEO of the firm, John Ray, claims he's never witnessed a greater catastrophe. This could have far-reaching effects on the cryptocurrency economy. 

In addition to the staggering losses, Bankman-Fried stands in as a particularly alarming example of the problems with the crypto economy.  He seemed to really embrace increased government controls of the business, unlike so others in the crypto sphere.

2. Elon Musk

After the purchase of Twitter, Musk's dark side was exposed, and the erratic power of the world's richest person suddenly put a major online institution in danger. Elon fired at least 4,400 contract workers after letting go of nearly 50% of the Twitter personnel, jeopardizing the operations of a service that acts as Twitter's main artery.

Additionally, Twitter has drastically reduced the size of its team of content moderators, creating scenarios where only one employee is left to monitor child abuse-related tweets across the entirety of Japan and the Asia-Pacific area. Twitter has also outlawed left-wing accounts under Musk's supervision which goes against his support for free speech. He provides a glimpse of the conspiracy-minded ideas and trolling that really motivates his behavior. 

3. Xi Jinping

Every wave of brutality under Xi Jinping has been accompanied by a tightening of online restrictions as censors combed social media for any mention of protests. Han Chinese authorities in Xinjiang have even insisted that Uyghurs install an app that checks their phones for prohibited information.

This year's protests against China's oppressive zero-Covid lockdowns have sparked a new round of online repression, in which it is now illegal to even like a protest-related post, and any indication of wrongdoing is monitored through a controlled credit system with the potential to result in users' immediate expulsion from online platforms. He's made it quite apparent that dictatorial control will infiltrate the Chinese digital life.

4. Narendra Modi

India has begun to resemble China ever more in how it suppresses both offline and online protests under Modi and the BJP. The Indian government has recently taken steps to tighten its control over social media, including temporarily shutting down the internet in the disturbed region of Kashmir, banning several Chinese apps, including TikTok, and giving a three-person group control over social media moderation policy choices.

The government can use the new IT regulations as a tool to challenge the platforms when it wants. It's the initial step toward making it possible to restrict online speech like in China.

5. GRU

In the past seven years, Russia's GRU military intelligence units known as Sandworm and APT28 caused two blackouts in Ukraine. In 2022, it started a plethora of cyberattacks aimed at erasing data from the Ukrainian government and business networks, frequently concurrent with direct physical assaults by the invading army. In a NotPetya-like incident of collateral damage, one GRU malware operation even managed to shut down connectivity to 5,000 wind turbines spread around Germany. A third blackout strike in Ukraine was also attempted by GRU's Sandworm hackers, but this time, at least in the view of the Ukrainian government, defenses were able to prevent it.

The year 2022 will be regarded as a time of major global events with several noteworthy events and occasions. Despite some issues that appear to be fading, such as the COVID-19 outbreak and the world of cryptocurrency, money laundering, theft, and fraud are among the issues frequently on social media. 
Read more »
Telegram
APT Group Asus Cyclops Blink Data Breach GRU Russian Botnet Spear Phishing Campaign Telegram

US has Offered a $10 Million Bounty on Data About Russian Sandworm Hackers

 

The United States announced a reward of up to $10 million for information on six Russian military intelligence service hackers. According to the State Department's Rewards for Justice Program, "these people engaged in hostile cyber actions on behalf of the Russian government against U.S. vital infrastructure in violation of the Computer Fraud and Abuse Act."

The US Department of State has issued a request for information on six Russian officers (also known as Voodoo Bear or Iron Viking) from the Main Intelligence Directorate of the General Staff of the Russian Federation's Armed Forces (GRU) regarding their alleged involvement in malicious cyberattacks against critical infrastructure in the United States. The linkages attributed are as follows : 

  • Artem Valeryevich Ochichenko has been linked to technical reconnaissance and spear-phishing efforts aimed at gaining illegal access to critical infrastructure sites' IT networks around the world. 
  • Petr Nikolayevich Pliskin, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, and Yuriy Sergeyevich Andrienko, are accused of developing components of the NotPetya and Olympic Destroyer malware used by the Russian government to infect computer systems on June 27, 2017, and Yuriy Sergeyevich Andrienko, who are accused of developing components of the NotPetya and Olympic De.
  • Anatoliy Sergeyevich Kovalev is accused of inventing spear-phishing techniques and communications which were utilized by the Russian government to hack into critical infrastructure computer systems. 

On October 15, 2020, the US Justice Department charged the mentioned officials with conspiracy to commit wire fraud and aggravated identity theft for carrying out damaging malware assaults to disrupt and destabilize other countries and cause monetary damages. 

According to the indictment, GRU officers were involved in attacks on Ukraine, including the BlackEnergy and Industroyer malware-based attacks on the country's power grid in 2015 and 2016. The folks are accused of causing damage to protected computers, conspiring to commit computer fraud and abuse, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft by the US Department of Justice. According to the US Department of State, the APT group's cyber actions resulted in roughly $1 billion in losses for US firms.

The Rewards of Justice has established a Tor website at "he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad[.]onion" as part of the project, which may be used to anonymously submit reports on these threat actors or to communicate the information using Signal, Telegram, or WhatsApp. 

Recently, the Sandworm collective was linked to Cyclops Blink, a sophisticated botnet malware that snagged internet-connected firewall devices and routers from WatchGuard and ASUS. Other recent hacking efforts linked to the gang include the use of an improved version of the Industroyer virus against high-voltage electrical substations in Ukraine amid Russia's continuing invasion.
Read more »
Ukraine Websites
Bank Hacking Cyber Attacks DDOS Attacks GRU Mirai botnet Russian Hacker UK Ukraine Websites

DDoS Assaults on Ukrainian Banking Elite has Resumed Yet Again


Cyberattacks took down Ukrainian official and bank websites, prompting the government to declare a statewide state of emergency amid growing fears that Russian President Vladimir Putin could launch a full-scale military invasion of Ukraine. The websites of Privatbank (Ukraine's largest bank) and Oschadbank (the State Savings Bank) were also blasted in the onslaught and brought down Ukrainian government sites as well, according to Internet monitor NetBlocks. 

"At around 4 p.m., another massive DDoS attack on the state commenced. We have relevant data from several banks," stated Mykhailo Fedorov, Minister of Digital Transformation, who also mentioned the parliament website had been hacked. Hackers were prepared to conduct big attacks on government organizations, banks, and the defense sector, as Ukrainian authorities said earlier this week. 

SSSCIP and other national cybersecurity authorities in Ukraine are currently "working on countering the assaults, gathering and evaluating information." According to the Computer Emergency Response Team of Ukraine (CERT-UA), the attackers used DDoS-as-a-Service platforms and numerous bot networks, including Mirai and Meris, to carry out the DDoS attacks on February 15th. The DDoS attacks were traced to Russia's Main Directorate of the General Staff of the Armed Forces on the same day, according to the White House. 

"We have technical information indicating ties the Russian main intelligence directorate, or GRU," Deputy National Security Advisor for Cyber Anne Neuberger stated. "Known GRU infrastructure was spotted delivering huge volumes of communication to Ukraine-based IP addresses and domains." 

Neuberger went on to say as, despite the "limited impact," the strikes can be considered as "setting the framework" for more disruptive attacks, which could coincide with a possible invasion of Ukraine's territory. 

The UK government also blamed Russian GRU hackers for the DDoS strikes last week which targeted Ukrainian military and state-owned bank websites. Following a press release from Ukraine's Security Service (SSU), which also had its website hacked, the country was attacked by a "huge wave of hybrid warfare." The SSU announced earlier this month so, during January 2022, it stopped over 120 cyberattacks aimed at Ukrainian governmental entities.
Read more »
Ukraine
Cyber Actors Data Breach DDOS Attacks Denial of Service vulnerability GRU Russian Hacker Ukraine

Russia Suspected of Espionage Against Ukraine Via Two Big Nations

 

On Friday, the White House suspected Russia of being behind recent cyberattacks on Ukraine's defense department and banking institutions. 

The statement by Anne Neuberger, the White House's top cyber official, was the most precise attribution of culpability for the cyber breaches which have occurred as tensions between Russia and Ukraine have risen. Although the attacks this week had a "limited impact" since Ukrainian officials were able to swiftly restore its networks, Neuberger believes hackers were laying the framework for future devastating invasions. 

As tensions between Russia and Ukraine rise, Britain has joined the United States in criticizing the GRU military intelligence agency for the widespread denial-of-service attacks. The strike, according to the British Foreign Office, "showed a persistent disdain for Ukrainian integrity." This is just another example of Russia's aggressive behavior toward Ukraine."

Russians may also be laying the foundations for more disruptive measures in the event of a Ukrainian invasion. Neuberger remarked, "We expect more destabilizing or damaging cyber action if Russia decides to continue its invasion of Ukraine, and we're working closely with friends and partners to guarantee to be prepared to call out the behavior and respond." 

The United States was publicly criticizing Russia because it needed to "call out the action swiftly." "The international community must be ready to expose harmful cyber operations and hold actors accountable for any disruptive or damaging cybersecurity threats," Neuberger added. 

The widespread breach of service attacks on Tuesday was described by Ukrainian officials as the deadliest in the country's history. However, while these certainly affected internet banking, hampered some government-to-public interactions, and were definitely intended to induce fear. "Typical DDoS attacks survive because the defenders are untrained," said Roland Dobbins, DDoS engineer at cybersecurity organization Netscout, adding that the most market mitigation technologies designed to resist such attacks are ineffective.
Read more »
U.S
GRU Ransomware Russia South Korea U.S

United States Charged Six Russian Intelligence Officers with Involvement in An Unrestricted Huge Hacking Campaign

 


With involvement in an 'unrestricted huge hacking campaign', which incorporates the famous Petya ransomware attacks which have focused mainly on Ukraine in 2015, as of late, the Justice Department has charged six Russian intelligence officers. 

Residents and nationals of the Russian Federation (Russia)the six officials were also in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces.

 

The government claimed that the group that had attacked Ukraine has likewise hacked different computers promoting the 2018 Winter Olympics in South Korea. It likewise hacked and leaked emails of people related to Emmanuel Macron's 2017 campaign for president of France. 

Besides this, they additionally focused on the companies exploring the poisoning of former Russian operative Sergei Skripal two years ago in Britain. 

All the six hackers are GRU officers; the government said that for over two years, they had battled tirelessly to recognize these Russian GRU Officials who interweaved in a global campaign of hacking, disruption, and destabilization, representing the most dangerous and destructive cyber-attacks ever.

The GRU burrowed into three electrical administration systems and cluttered circuit breakers remotely, it was one of the first cyber-attacks and had a cyber firm that consistently focused on critical infrastructure.

The authorities had at first scrutinized and reprimanded North Korea for the strike yet later found that the GRU utilized North Korean hacking tools to throw off the experts. 

That is the motivation behind why the special agent of FBI Michael Christman insisted that the warrant is the result of over two years of strong investigation by the FBI, a position that was kept up by an agent who worked the case.

Here are the names and the acts done by the hackers referenced below: -

 

The FBI has regularly indicated that Russia is very equipped for a cybersecurity adversary, and the information uncovered in this statement shows how omnipresent and harming Russia's cyber activities are. 

While Russia is probably not going to capture the detainees, it is unlikely that they will attain any trial too.
Read more »
Secondary Infektion
Cybersecurity GRU IRA Russia Secondary Infektion

Secondary Infektion: A Russian Disinformation Operation Agency You Need to Know About


The secret campaign was famous as "Secondary Infektion," and it worked separately from the IRA and GRU, staying hidden for many years. The IRA (Internet Research Agency) is known for its notorious disinformation campaigns, where it floods the social media platforms with false information and propaganda. Whereas the GRU, also known as the Main Intelligence Directorate in Russia, is infamous for planning cyberattacks and even strategic data leaks. But in recent times in Russia, it is suspected that there might be a third intelligence agency responsible for such cyberattacks and was able to penetrate even more in-depth. It is believed that this third party that worked distinctly from the former two managed to stay undercover for a long time in Russia and only recently came to public knowledge. Here's what we know.


Known as Secondary Infektion, cybersecurity experts found about the operation in 2019. As of now, a social media analyst firm named Graphika published a report on the intelligence group's activities, which seemed to have started in 2014. According to the report's analysis, this group is known to cover its tracks, and all Secondary Infektion operations online are protected by robust security, which uses hallmark accounts that disappear soon after publishing a comment or a post on social media.

"Secondary Infektion targeted countries across Europe and North America with fake stories and forged documents. Its focus and areas of interest were often of a diplomatic and foreign policy nature: it appeared primarily aimed at provoking tensions between Russia's perceived enemies, and its stories typically concerned relationships between governments and often specifically focused on government representatives. It is also notable for launching smear campaigns against Kremlin critics and for targeting presidential candidates in 2016 in the U.S., in 2017 in France, in Germany, Sweden, and elsewhere," says Graphika's executive summary.

Hence, Secondary Infektion's operations are quite the opposite of the IRA and GRU's way of working. The IRA and GRU believe in building an online presence and increase their reach that is aimed to leave a long-lasting impression, through their disinformation campaigns.
Read more »
Subscribe to: Comments (Atom)