
Dark Web Selling Alleged Western Weapons Sent to Ukraine

 

According to recent reports, various weapon marketplaces on the dark web have been listing military-grade firearms that Western countries sent to support the Ukrainian army in its fight against Russian aggression.

These weapons were illegally diverted from the received supplies and are now available to terrorists looking to buy rocket launchers and other deadly attack systems.

This data was released by Israeli cyber-intelligence specialist KELA, which found military weapons listed by Ukrainians on various dark web markets. According to the report, one marketplace, tracked as “Thief,” had a total of 9 listings from three sellers associated with Ukraine.

Another seller, named “Weapons Ukraine,” sells rifles, grenades, and bulletproof vests for amounts ranging from $1,100 to $3,600 and promises delivery in Ukraine. According to the website's statistics, 32 users have completed purchases from the site; however, no user has left a review yet.

Another market offering weapons allegedly supplied to Ukraine by NATO countries is "Black Market Guns," which offers the U.S.-made Switchblade 600 kamikaze drone for $7,000 and NLAW anti-tank missiles for $15,000.

However, the coordinated publication across various platforms increases the chances of this being part of a large disinformation scam campaign that takes advantage of the country's current political situation for profit.

While the listings of these weapons seem genuine with the price of weapons also being offered realistically, the chances of them being created by pro-Russian malicious actors for propaganda purposes are high. If that is the case, pro-Russian media houses could use this information as real to serve their purposes. And at this time, the authenticity of these listed weapons from Ukraine on the dark market websites cannot be verified.

Anonymous Hacktivists Leak 1TB of Top Russian Law Firm Data

Unidentified malicious actors have hit Russia hard again by leaking 1TB of sensitive data from a leading Russian law firm identified as Rustam Kurmaev and Partners (RKP Law).

Rustam Kurmaev and Partners has been operating in Russia for over 20 years and represents around 500 clients, including the Volkswagen Group Russia, Toyota, Ikea, Jones Lang LaSalle, ChTPZ PJSC, Abbott Laboratories, Mechel PJSC, Panasonic, Baker Hughes, ING Bank, Yamaha Motor, Caterpillar, Mars, Gillette, VimpelCom, 2×2 Channel, Citibank, and Sberbank.

The group of malicious actors took to their Twitter handles, @DepaixPorteur and @B00daMooda, to announce the cyber attack. “We are Anonymous – We have hacked RKPLaw (rkplawru) and leaked 1TB of files, emails, court files, client files, backups, and more! They have a very large (220 clients) and an interesting client list which I will post in the comments,” the tweet read.

Following this attack, it is worth noting that cyber threats against Russian establishments have become the new normal since the war between Russia and Ukraine began. The cyber war against Russia has been dubbed #OpRussia since February 2022, when the country invaded Ukrainian territories, referring to the invasion as a “special military operation” to denazify and demilitarize Ukraine.

@YourAnonNews and @YourAnonTV, two of the largest social media representatives of the Anonymous movement, also tweeted about the data leak. “Once again, #Anonymous delivers. Many thanks to @DepaixPorteur,” tweeted @YourAnonNews. “Just In: #Anonymous released a terabyte of data and emails from Rustam Kurmaev and Partners (RKP Law), a Russian law firm that works with major banking, media, oil, and industrial firms and state interests, including American companies. #OpRussia,” said @YourAnonTV.

According to DDoSecrets, this cyber attack could be devastating for the company, considering that it specializes in resolving real estate, corporate, construction, and commercial sector disputes. The firm also facilitates the criminal defense of businesses and creates systematic defense strategies for corporate managers and top management at various stages of criminal proceedings. Furthermore, the company deals in anti-corruption law as well.

Chinese Hackers are Targeting Russian Aerospace Industry

 

Space Pirates, a Chinese cyberespionage group, is targeting businesses in the Russian aerospace industry with phishing emails to deploy a novel strain of malware.

The APT group started operating in 2017, and researchers believe it is associated with other China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27. Russian security researchers at Positive Technologies named the group "Space Pirates" due to their espionage operations focusing on stealing confidential information from companies in the aerospace field. 

The malicious actors targeted government agencies, IT departments, and aerospace and power enterprises in Russia, Georgia, and Mongolia. However, the majority of victims were in Russia. Of those, several operated specifically within the partially state-owned aerospace industry of the Russian Federation.

The researchers first uncovered signs of Space Pirates' activity last summer during incident response and quickly confirmed that the malicious actors employed the same malware and infrastructure against at least four more domestic organizations since 2019. 

According to researchers, at least two attacks on Russian organizations were successful. In one instance, Space Pirates accessed at least 20 servers on the corporate network and stayed there for ten months; 1,500 internal documents were stolen, together with information about all employee accounts in one of the network domains. 

In the second assault, the Chinese attackers stayed in the network of the compromised firms for over a year, exfiltrating confidential information and deploying their malware to 12 corporate network nodes in three distinct regions. 

The Space Pirates’ unique toolkit contains a wide range of malware, including unique loaders and multiple previously undetected backdoors tracked as MyKLoadClient, BH_A006, and Deed RAT. The arsenal also includes the Zupdax backdoor along with well-known malware such as PlugX RAT, ShadowPad backdoor, Poison Ivy RAT, a modified version of PcShare, and the public ReVBShell shell. The APT group also leverages the dog-tunnel utility to tunnel traffic. 

The threat analysts believe that the overlaps between various Chinese APTs are due to tool exchanges, a common phenomenon for hackers in the region. 

“APT groups with Asian roots continue to attack Russian companies, which is confirmed by the activity of the Space Pirates group. Attackers both develop new malware that implements non-standard techniques (such as Deed RAT) and use modifications of existing backdoors. Sometimes such modifications can have many layers of obfuscation added to counteract protections and complicate the analysis procedure – as in the case of BH_A006, built on the code of the popular Gh0st backdoor,” researchers explained.

“A separate difficulty in the case of APT groups in the Asian region is the exact attribution of the observed activity: the frequent exchange of tools used, as well as the joint activity of various groups in some cases, significantly complicate this task.”

Russian Group Attack on Bulgarian Refugee Agency

 

A ransomware group that shares strong ties with Russia warned on Wednesday that it will publicly post the files it has stolen from the Bulgarian government agency responsible for refugee management.

LockBit 2.0 published a notice on its dark web site saying it had files from the Bulgarian State Agency for Refugees under the Council of Ministers. “All available data will be published!” the notice read under the group’s trademark bright red countdown clock, which has a May 9 publication date. It's worth noting that there was no specific post for a ransom demand.

According to the Sofia Globe, a news organization in the country’s capital, nearly 5.7 million Ukrainian refugees have fled their country since February and approximately 230,000 fled to Bulgaria, while 100,700 are remaining in the country. 

The official website of the agency remains active, however, a notice on the site’s home page reads, “due to network problems, the e-addresses of the State Agency for Refugees at the Council of Ministers are temporarily unavailable.”

Press contacted an official for a comment on the same matter but the agency didn’t immediately respond to the email. Later, a spokesperson at the Bulgarian embassy in Washington, D.C., said that he did not have information on the incident and would look into the matter. 

LockBit 2.0 is an updated version of LockBit, a ransomware variant that was first spotted in September 2019, according to the cybersecurity firm Emsisoft. Originally known as ABCD ransomware, LockBit is known for the file extension appended to encrypted files, with the extension later changing to “LockBit”. Moreover, in September, the group made headlines for launching its own leak website.

“This is simply the latest in a very long list of hits on organizations which provide critical services...,” said Brett Callow, a threat analyst at Emsisoft. 

“...Hospitals, [search and rescue], fire departments, and charities for the disabled have all been targeted. The individuals involved with ransomware are conscienceless scumbags and the sooner we find a way to deal with the problem, the better.”

Russian Groups are Plagued by OldGremlin Ransomware Threat

 

The new cyber-crime squad, known as OldGremlin, is actively targeting banks, medical institutions, software developers, and industrial firms, among other targets. The gang differentiates itself from all other ransomware groups by launching a limited number of campaigns – just under five since early 2021 – which solely target Russian firms and employ proprietary backdoors developed in-house.

OldGremlin has claimed ransoms as large as $3 million from one of its victims, despite being less active, which may indicate the ransomware business is approaching moonlighting. Two phishing attacks that were conducted near the end of March 2022 constitute the most current OldGremlin activities. It might be too early to say how many organizations were attacked, but security experts say roughly one Russian mining corporation is on the list of victims. The adversary did not deviate from its previously observed strategy of exploiting trending news topics to gain initial access. 

As per cybersecurity experts at Singapore-based cybersecurity firm Group-IB, this time OldGremlin scammed a senior auditor at a Russian financial organization, advising that the Visa and Mastercard payment service systems will be suspended due to recent sanctions placed on Russia.

The email directed recipients to a malicious Dropbox document that downloads TinyFluff, a backdoor that launches the Node.js interpreter and grants the attacker remote access to the target system. TinyFluff is an upgraded version of the gang's earlier backdoor, known as "TinyNode." The target receives a ransom note once the attacker has gained access to the system and its data. A mining business, according to Group-IB, is one of the possible victims.

Another well-known ransomware group, NB65, has been trying to frustrate Russian operations, including the alleged theft of 900,000 emails and 4,000 files from the state-owned television and radio broadcasting network VGTRK. In March, the organization used released source code from the Conti ransomware gang, a Russia-linked threat actor, to create distinct ransomware for the first time.

Because the commands for the following stages of the attack are sent in cleartext, researchers can examine them with a traffic sniffer:
  • Gathering data on the infected system or device.
  • Collecting information about the drives that are connected.
  • Executing a command in the cmd.exe shell and passing the output to the command and control server (C2).
  • Receiving information about the system's installed plugins.
  • Obtaining information about files in specified folders on the system drive.
  • Terminating the Node.js interpreter.

OldGremlin can spend months within the infiltrated network before executing the last step of the assault: deploying TinyCrypt/TinyCryptor, the group's proprietary ransomware payload. The gang only ran one phishing effort in 2021, but it was enough to keep them occupied for the entire year as it gave them initial access to a network of various firms. Apart from the targeted Russian mining company, Group-IB believes that a higher number of OldGremlin victims will be discovered this year as a result of the group's March phishing operation.
 
The researchers believe OldGremlin has Russian-speaking members based on the evidence they collected and after examining the quality of the phishing emails and decoy papers. They called the group's understanding of the Russian terrain "astonishing." OldGremlin defies the mold by focusing solely on Russian businesses including banks, industrial corporations, medical institutions, and software producers.

US Agencies Disable Russia-linked "Cyclops Blink" Botnet

 

The US Department of Justice (DoJ), working alongside the FBI and various other authorities, has successfully neutralized Cyclops Blink, a modular botnet operated by a malicious group known as Sandworm, which has been linked to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). 

In the court-authorized operation, the US agencies copied and removed malware from susceptible internet-linked firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying compromised devices worldwide, the DoJ said the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices' control. 

Cyclops Blink is believed to be the successor to VPNFilter, a botnet largely neglected after it was exposed by security experts in 2018. It primarily targeted WatchGuard firewall appliances and ASUS routers, with the Sandworm group exploiting a previously discovered security loophole in WatchGuard's Firebox firmware as an initial access vector.

"These network devices are often located on the perimeter of a victim's computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks," the DoJ added. 

WatchGuard Technologies issued a statement confirming it worked with the U.S. Justice Department to disrupt the botnet but did not disclose the number of devices affected - saying only that they represented "less than 1 percent of WatchGuard appliances.” 

The device manufacturer has published detection and remediation tools alongside recommendations for device owners to remove any malware infection and patch their devices to the latest versions of available firmware. 

The company has also updated its Cyclops Blink FAQs to provide details regarding CVE-2022-23176 (CVSS score: 8.8), which could "allow an unprivileged user with access to Firebox management to authenticate to the system as an administrator" and gain unauthorized remote access. Device manufacturer ASUS has also released firmware patches as of April 1, 2022, to mitigate the threat, recommending users to update to the latest version.

Biden Prolongs National Emergency Amid Increasing Cyber Threats

 

Against the backdrop of the Russia-Ukraine conflict, the increasing risk of cybersecurity threats against U.S. national security, economy, and foreign policy has prompted President Joe Biden to extend the state of national emergency that was originally declared by former President Barack Obama in April 2015.

The national emergency period was extended after the Cybersecurity and Infrastructure Security Agency published a warning regarding possible Russian state-sponsored cyberattacks against U.S. organizations following the invasion of Ukraine.

The war between Russia and Ukraine will be the main topic at Thursday's NATO meeting, at which Biden's administration will rally Western allies and announce a new round of financial sanctions against the Russian government. Biden is expected to announce sanctions on hundreds of Russians serving in the country's lower legislative body, and it has been observed that further sanctions will increase cybersecurity threats against the U.S. government.

Last month, U.S. organizations were alerted by CISA and the FBI to the potential spillover of data-wiping attacks against Ukraine.

"Significant malicious cyber-enabled activities originating from or directed by persons located, in whole or in substantial part, outside the United States continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. Therefore, I have determined that it is necessary to continue the national emergency declared in Executive Order 13694 with respect to significant malicious cyber-enabled activities," said Biden. 

On Tuesday, Biden's national security adviser Jake Sullivan said that the administration believes that right now "they have effective posture today for what's necessary today," but further he said that Biden and NATO allies will discuss "longer-term adjustments to NATO force posture on the eastern flank."

NCSC Suggests Reconsidering Russian Supply Chain Risks

 

One of the UK's top security agencies has encouraged the public sector, critical infrastructure (CNI), and other institutions to rethink the hazards of any "Russian-controlled" elements of their supply chain. 

There is no evidence that the Russian government is preparing to compel private providers to harm UK interests, according to Ian Levy, technical director of the National Cyber Security Centre (NCSC). That doesn't rule out the possibility of it happening or happening in the future, he continued. 

"Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war. We also have hacktivists on each side, further complicating matters, so the overall risk has materially changed. The war has proven many widely held beliefs wrong and the situation remains highly unpredictable. In our view, it would be prudent to plan for the possibility that this could happen. In times of such uncertainty, the best approach is to make sure your systems are as resilient as you can reasonably make them,” Levy argued. 

The new NCSC guidelines cover all UK public sector organisations, those supplying services to Ukraine, CNI enterprises, organisations performing activity that could be regarded as being in opposition to Russian interests, and high-profile institutions whose compromise would be a PR success for the Kremlin.

Levy continued, “You may choose to remove Russian products and services proactively, wait until your contract expires (or your next tech refresh), or do it in response to some geopolitical event. Alternatively, you may choose to live with the risk. Whatever you choose, remember that cybersecurity, even in a time of global unrest, remains a balance of different risks. Rushing to change a product that’s deeply embedded in your enterprise could end up causing the very damage you’re trying to prevent.” 

Even those companies which aren’t likely to be a target should remember that global sanctions could impact the availability of any Russian technology services. There was some good news from the NCSC. Levy said individuals using Kaspersky products could continue to do so relatively safely. He claimed that “massive, global cyber-attacks” are unlikely to be launched due to the conflict.

Anonymous Wages a Cyber War Against Russia, Targets Oligarchs

Anonymous continues its attacks against Putin and Russia; the latest attack targets the Russian investment agency 'Marathon Group.' Anonymous keeps attacking Russian firms owned by oligarchs: last week, the group announced the hacking of Thozis Corp, and in the most recent incident, it claims responsibility for the Marathon Group hack. Marathon Group is a Russian investment firm owned by oligarch Alexander Vinokurov, whom the EU sanctioned recently. Vinokurov is the son-in-law of Russian Foreign Minister Lavrov. Anonymous breached the organization's systems and leaked 62,000 emails (a 52 GB archive) through DDoSecrets (Distributed Denial of Secrets).

DDoSecrets is a not-for-profit whistleblower website launched in 2018. "JUST IN: #Anonymous has hacked & released 62,000 emails from the Marathon Group, a Russian investment firm owned by oligarch Alexander Vinokurov, currently under EU sanctions. Vinokurov is also the son-in-law of Russian Foreign Minister Lavrov," tweets @YourAnonTV. The group also takes responsibility for the hacking of a Belarus government website associated with the economy of Volozhin, a city in the Minsk region of Belarus.

"Anonymous makes an intrusion into a website of the Government of Belarus dedicated to the Economy of Volozhin, a Belarusian city in the Minsk region," tweets @Anonymous_Link. The Anonymous group tweeted that due to the nature of the leak, DDoSecrets is willing to offer the data to journalists and researchers. "Hackers leaked 15GB of data stolen from the Russian Orthodox Church's charitable wing & released roughly 57,500 emails via #DDoSecrets. #DDoSecrets noted that due to the nature of the data, at this time it is only being offered to journalists & researchers," tweets @YourAnonTV.

What else has Anonymous done to Russia?

In March, Anonymous declared that it would wage a "cyber war" against Russia. Since then, Anonymous has claimed responsibility for launching various attacks on the Russian government, news websites and organizations, and leaked data of prominent organizations like Roskomnadzor, a federal agency which censors Russian media. "Many CIS files were erased, hundreds of folders were renamed to 'putin_stop_this_war' and email addresses and administrative credentials were exposed," said Jeremiah Fowler, co-founder of cybersecurity company Security Discovery.

Ukraine War: Major Internet Provider Suffers Cyber-Attack

 

A cyber-attack was launched against a significant Ukrainian internet provider. Ukrtelecom is working to restore service after it believes it was the victim of an attack. The network was shut down to "safeguard the vital network infrastructure." 

Ukrtelecom JSC is Ukraine's monopolist telephone company, also active in the internet service provider and mobile markets. Yuriy Kurmaz, the CEO of the company, said in a statement: “In order to protect the critical network infrastructure and not interrupt services to the Armed Forces, other military bodies and users of critical infrastructure, we were forced to temporarily restrict internet access to most private users and business customers.”

Netblocks, an international internet monitoring organisation, stated it was the company's biggest outage since the beginning of the Russian invasion last month, with connectivity down to 13% of what it was before President Vladimir Putin announced the war. 

They said on Twitter: “Update: Ukraine's national internet provider Ukrtelecom has confirmed a cyberattack on its core infrastructure. Real-time network data show an ongoing and intensifying nation-scale disruption to service, which is the most severe registered since the invasion by Russia.” 

According to the BBC, other people in Ukraine using various internet providers had no problems. In terms of geographical coverage, Ukrtelecom is the largest internet provider, although Kyivstar is the largest in terms of customer numbers. 

The United Nations has confirmed 1,179 civilian deaths and 1,860 civilian injuries since the war began in late February, but the total is believed to be substantially higher. Furthermore, the attack has triggered a humanitarian crisis, with more than 10 million people forced to evacuate their homes, with 3.8 million of them seeking refuge in neighbouring nations.

FBI Witnesses Rising Russian Hacker Interest in US Energy Firms

 

Since the outbreak of Russia's war against Ukraine, the FBI has detected an uptick in Russian hackers' interest in energy firms, though it gives no evidence that a specific attack is planned. 

According to an FBI advisory received by The Associated Press on Tuesday, Russian hackers have assessed at least five energy businesses and at least 18 other companies in sectors such as military and financial services for vulnerabilities. None of the companies is identified in the advisory. 

Scanning a network for vulnerabilities or flaws is widespread, and it does not always mean that an assault is on the way, though it can be a sign of one. Nonetheless, the FBI's Friday warning highlights the Biden administration's increased cybersecurity concerns as a result of Russia's war in Ukraine. The White House said on Monday that there was "evolving intelligence" suggesting Russia was planning cyberattacks against critical infrastructure in the United States. 

At a White House press briefing, Anne Neuberger, the White House's deputy national security advisor for cyber and emerging technologies, expressed disappointment that some critical infrastructure firms have failed to repair known software vulnerabilities that Russian hackers may exploit. The FBI advisory lists 140 internet protocol, or IP, addresses it claims have been linked to critical infrastructure scans in the United States since at least March 2021.

According to the alert, scanning has grown since the beginning of the war last month, leading to a greater likelihood of future incursions. The FBI acknowledges that scanning activity is frequent, but the IP addresses have been linked to the active exploitation of a foreign victim, which resulted in the victim's systems being destroyed, according to the advisory.

This New Russian Cyclops Blink Botnet Targets ASUS Routers

 

Nearly a month after it was discovered that the malware used WatchGuard firewall appliances as a stepping stone to obtaining remote access to infiltrated networks, ASUS routers have been the target of a budding botnet known as Cyclops Blink. 

The botnet's primary objective is to develop an infrastructure for additional attacks on high-value targets, according to Trend Micro, given that none of the compromised hosts belongs to vital organisations or those that have an obvious value on economic, political, or military espionage. 

Cyclops Blink has been identified by intelligence services in the United Kingdom and the United States as a replacement framework for VPNFilter, a malware that has targeted network equipment, especially small office/home office (SOHO) routers and network-attached storage (NAS) devices. 

Sandworm (aka Voodoo Bear), a Russian state-sponsored actor, has been linked to both VPNFilter and Cyclops Blink. It has also been tied to several high-profile cyberattacks, including the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games.

The complex modular botnet, written in the C language, affects a variety of ASUS router models, with the company admitting that it is working on a patch to handle any potential exploitation:
  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (end-of-life)
  • RT-AC66U (end-of-life), and
  • RT-AC56U (end-of-life)
Apart from employing OpenSSL to encrypt connections with its command-and-control (C2) servers, Cyclops Blink also includes specific modules that can read and write from the devices' flash memory, allowing it to persist and survive factory resets. A second reconnaissance module acts as a medium for exfiltrating data from the hacked device to the C2 server, while a file download component is responsible for retrieving arbitrary payloads through HTTPS. Although the exact form of initial access is unknown, Cyclops Blink has been affecting WatchGuard and Asus routers in the United States, India, Italy, Canada, and Russia since June 2019. 

A law firm in Europe, a medium-sized entity producing medical equipment for dentists in Southern Europe, and a plumbing company in the United States are among the impacted hosts. Because of the infrequency with which IoT devices and routers are patched and the lack of security software, Trend Micro has warned that this might lead to the establishment of "eternal botnets."

The researchers stated, "Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do. In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable command-and-control servers for other bots."

Anonymous Rises Again Amid Russia Ukraine War

 

Anonymous, the international hacktivist collective, has surfaced again; this time, the group claims to have hacked Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media), a federal Russian agency. Anonymous has also claimed that it stole more than 360,000 files. You have probably read about Russia banning VPNs, Telegram, or email services; there is a particular agency that enforces these bans.

It's called Roskomnadzor, a major federal executive agency that is responsible for handling, managing, and censoring Russian media. "Anonymous also targeted and hacked misconfigured/exposed Cloud databases of Russian organizations. The shocking aspect of the attack was the fact that Anonymous and its affiliate hackers hacked 90% of Russian Cloud databases and left anti-war and pro Ukrainian messages," Hackread reports.

Details about the attack

The size of the leaked data is 820 GB. Most of the database files related to Roskomnadzor are linked to the Republic of Bashkortostan, one of Russia's largest provinces. The full dataset is now available on the official website of Distributed Denial of Secrets (aka DDoSecrets), a not-for-profit whistleblower organization. However, it should be noted that an Anonymous affiliate shared Roskomnadzor's data with DDoSecrets, and DDoSecrets itself is not responsible for the attack. Besides this, the first announcement of the data leak came from Emma Best, a journalist and co-founder of DDoSecrets, in March 2022.

YourAnonNews, a famous representative of the Anonymous collective, also tweeted about the attack. Anonymous has openly sided with Ukraine in the ongoing war with Russia. The Russian government has restricted all important sources of information, especially news and media outlets, and Roskomnadzor was told to block Facebook, Twitter, and other online platforms.

Hackread reports, "While Twitter launched its Tor onion service, authorities in Russia have also amended the Criminal Code to arrest anyone who posts information that contradicts the government’s stance. Nevertheless, since Roskomnadzor is a major government agency responsible for implementing government orders Anonymous believes the Russian public must have access to information about what is going on within Roskomnadzor."

Ukraine’s “IT Army” Struck with Info-stealing Malware

 

Pro-Ukrainian actors should be cautious of downloading DDoS tools to attack Russia, according to security experts, because they could be booby-trapped with data-stealing malware. 

Mykhailo Fedorov, Ukraine's vice prime minister, called for a volunteer "IT army" of hackers to DDoS Russian targets in late February. Cisco Talos, however, reports that opportunistic cyber-criminals are attempting to take advantage of the subsequent outpouring of support for the Eastern European country. It specifically detected Telegram posts offering DDoS tools that were actually loaded with malware. A group calling itself "disBalancer" offers one such tool, named "Liberator", which, although authentic, has been spoofed by others, according to Cisco.

It explained, “The file offered on the Telegram page ended up being malware, specifically an infostealer designed to compromise unwitting users. The malware, in this case, dumps a variety of credentials and a large amount of cryptocurrency-related information, including wallets and metamask information, which is commonly associated with non-fungible tokens (NFTs).” 

Since none of the malicious spoofs is digitally signed, there is no way to tell them apart from the real DDoS tool, according to the vendor. Because the perpetrators have been distributing infostealers since November, Cisco concluded that this is not the work of new actors, but rather of existing ones aiming to profit from the Ukraine conflict.

However, Cisco warned that if Russia is subjected to a continuous DDoS attack, such techniques could proliferate. 

It concluded, “In this case, we found some cyber-criminals distributing an infostealer, but it could have just as easily been a more sophisticated state-sponsored actor or privateer group doing work on behalf of a nation-state. We remind users to be wary of installing software whose origins are unknown, especially software that is being dropped into random chat rooms on the internet.” 

The discovery comes as the Russian government revealed this week that hackers targeted an externally loaded widget used to collect visitor statistics and caused temporary disruptions on numerous agency websites. 

Pro-Ukrainian hacktivists have also been seen searching for and deleting Russian cloud databases, according to security researchers.

New RURansom Wiper Targets Russia

 

The new RURansom malware, according to Trend Micro researchers, is not what it appears to be. Although it was initially assumed to be a new strain of ransomware, the malware's developers appear to have motives other than financial gain, despite what the name implies.

So far, no active targets have been discovered, according to security experts. However, this could be because the wiper is targeting specific Russian companies. The malware's creators are open about their motivations for distributing it: a message is stored in the RURansom code variable that is responsible for the ransom note.

"On February 24, President Vladimir Putin declared war on Ukraine. To counter this, I, the creator of RU_Ransom, created this malware to harm Russia. You bought this for yourself, Mr President. There is no way to decrypt your files. No payment, only damage," reads the note in Russian. 

The malware, as per Trend Micro, was written in the .NET programming language. The worm spreads by copying itself under the name "Russia-Ukraine war update" in Russian. To have the most impact, the file replicates itself to all removable media and mapped network shares. Once deployed, the malware encrypts files. The encryption is applied to all files except .bak files, which the malware deletes instead. The encryption algorithm gives each file a unique encryption key. Because the keys aren't kept anywhere, there's no way to decrypt the files, and the malware is therefore classified as a wiper rather than ransomware. Some variants of the malware, according to researchers, first check whether the user's IP address is in Russia.

"In cases where the software is launched outside of Russia, these versions will stop the execution, showing a conscious effort to target only Russian-based computers," the authors claimed in the report. 

Wiper Warfare: 

This isn't the first time a wiper malware has been used in this war. Just before Russian soldiers invaded Ukraine, security experts discovered a disk-wiping malware. The wiper contains driver files that gradually corrupt the infected computer's Master Boot Record (MBR), rendering it inoperable. The attackers allegedly utilized official EaseUS Partition Master drivers to acquire raw disk access and modify the disk to render the machine inoperable, according to CrowdStrike.

Since the malware's certificate was issued to Hermetica Digital Ltd., a legitimate Cyprus-based company, the wiper was dubbed HermeticWiper. The new malware has been dubbed 'DriveSlayer' by other researchers. CISA issued a warning about malware that was targeting Ukrainian businesses, along with tips and strategies for preparing and responding to the attack. Later, security researchers fleeing Ukraine claimed that the wiper software was used to hinder refugees fleeing Ukraine's civil war, forcing officials to resort to pen and paper.

Experts Estimated the Probability of Disconnecting Russia From the Internet

 

On 5th March, a telegram signed by Deputy Head of the Ministry of Digital Andrei Chernenko was sent to federal executive authorities and subjects of the Russian Federation with a number of recommendations for the protection of information infrastructure of the country. It does not contain direct instructions on disconnecting Russian users from the global network, but a number of experts saw in it indirect preconditions for the isolation of Runet. 

According to the document, by March 11, state websites and services must switch to using DNS servers located in the Russian Federation; remove from HTML page templates all JavaScript code downloaded from foreign resources (banners, counters, and so on); switch to Russian hosting if foreign hosting is in use; move to the .ru domain zone; and strengthen the "password policy".
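The item on externally loaded JavaScript can be audited mechanically. The sketch below is an added example, not part of the original post or of the ministry's document: it lists every `<script src>` in a template whose host falls outside an allowlist. The `.ru` suffix rule, the function names and the sample template are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: only hosts under these suffixes count as local.
LOCAL_SUFFIXES = (".ru",)

# Constructed sample template (not taken from any real site).
SAMPLE_TEMPLATE = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://counter.example.com/stats.js"></script>
<script src="//cdn.example.net/banner.js"></script>
<script src="https://stats.example.ru/hit.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Record the src of every <script> tag that names a remote host."""

    def __init__(self):
        super().__init__()
        self.remote = []  # (hostname, original src value)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script: nothing is downloaded
        # urlparse also handles protocol-relative URLs ("//host/path").
        host = urlparse(src.strip()).hostname
        if host:  # relative paths have no hostname and stay same-origin
            self.remote.append((host, src))


def foreign_scripts(template, local_suffixes=LOCAL_SUFFIXES):
    """Return script URLs whose host is outside the local suffixes."""
    collector = ScriptCollector()
    collector.feed(template)
    collector.close()
    return [src for host, src in collector.remote
            if not host.endswith(tuple(local_suffixes))]


if __name__ == "__main__":
    for url in foreign_scripts(SAMPLE_TEMPLATE):
        print("externally hosted script:", url)
```

Scripts injected at runtime by other scripts do not appear in the template, so a clean result here covers only statically referenced code.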

The Ministry of Finance stated that the sending of telegrams is connected with cyberattacks on Russian websites from abroad. The proposed "set of the simplest recommendations on cyber hygiene" is designed to ensure the availability of web resources of the Russian Federation. "There are no plans to turn off the Internet from the inside," the ministry assured. 
 
Mikhail Klimarev, executive director of the Internet Protection Society, said that the items listed in the telegram are absolutely banal rules of information security, but they may also indicate the preparation of state agencies for any force majeure. He found it difficult to say why the document appeared only now but suggested that this was due to the ongoing cyberwar between Russia and other states. 

"Anonymous hackers, DDoS attacks, attacks on DNS servers - it's really serious, and the Russian authorities really need to worry about how it should work," Klimarev explained. "There's really nothing to worry about, but it's all terrifying. From the outside, it looks like preparation for a sovereign Runet," he added.  

The norm on DNS servers may also indicate preparation for possible shutdowns of the Runet. However, the main logic of the document works to reduce cyberattacks and switch to local root servers to provide access to sites in the Russian domain zone. 

According to experts, disconnecting Russia from the Internet is extremely dangerous for the state, as it carries unpredictable social and financial consequences. 


IsaacWiper, The Third Wiper Spotted Since the Beginning of The Russian Invasion

 

Recently, ESET researchers discovered a new data wiper, named IsaacWiper, that is being used against an unnamed Ukrainian government network after Russia’s invasion of Ukraine.

After the HermeticWiper attack, the new wiper came to light on 24th February within an organization that was not infected with the HermeticWiper malware (aka KillDisk.NCV), which contaminated hundreds of machines in the country on February 23. 

The cybersecurity firms ESET and Broadcom’s Symantec have discovered that the infections followed the DDoS attacks against various Ukrainian websites, including the Cabinet of Ministers, Ministry of Foreign Affairs, and Rada. 

“With regard to IsaacWiper, we are currently assessing its links, if any, with HermeticWiper. It is important to note that it was seen in a Ukrainian governmental organization that was not affected by HermeticWiper,” Jean-Ian Boutin, ESET Head of Threat Research, said. In a new blog post, the company stated that the IsaacWiper attack likely “started shortly after the Russian military invasion and hit a Ukrainian governmental network.” 

The organization has revealed the technical details of the second attack on 1st March. It said that based on the observations it looks like the attacks were planned for months, though the organization did not name any particular entity or group for the attack. IsaacWiper and HermeticWiper have no code similarities and the former is less sophisticated than the latter. 

Once the network is infected, IsaacWiper starts by enumerating the physical drives and calls DeviceIoControl with the IOCTL IOCTL_STORAGE_GET_DEVICE_NUMBER to get their device numbers. 

Then IsaacWiper wipes the first 0x10000 bytes of each disk using the ISAAC pseudorandom generator. ESET concluded its analysis report by saying that “at this point, we have no indication that other countries were targeted. However, due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entities.”
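For responders, that behaviour suggests a quick triage check on a raw disk image: the first 0x10000 bytes of a healthy disk hold a boot sector and mostly structured or empty space, while pseudorandom overwrites push the byte entropy close to 8 bits. The following is an added example, not ESET's code; the entropy threshold and function names are assumptions, both disk heads are constructed, and Python's PRNG stands in for ISAAC output.

```python
import math
import random
from collections import Counter

WIPE_LEN = 0x10000   # bytes overwritten at the start of each disk, per the report
ENTROPY_LIMIT = 7.9  # assumption: bits per byte above which data looks random


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    total = len(data)
    return -sum(n / total * math.log2(n / total)
                for n in Counter(data).values())


def triage_disk_head(image):
    """Inspect the first WIPE_LEN bytes of a raw disk image."""
    head = image[:WIPE_LEN]
    if len(head) < WIPE_LEN:
        raise ValueError("need at least 0x10000 bytes of the disk")
    entropy = shannon_entropy(head)
    return {
        # Corroborating fields: boot signature and GPT header magic.
        "mbr_signature": head[510:512] == b"\x55\xaa",
        "gpt_header": head[512:520] == b"EFI PART",
        "entropy": round(entropy, 3),
        "likely_wiped": entropy >= ENTROPY_LIMIT,
    }


def constructed_healthy_head():
    """Constructed sample: minimal MBR sector followed by empty sectors."""
    sector0 = bytearray(512)
    sector0[446] = 0x80              # first partition entry marked bootable
    sector0[450] = 0x07              # partition type byte
    sector0[510:512] = b"\x55\xaa"   # boot signature
    return bytes(sector0) + bytes(WIPE_LEN - 512)


def constructed_wiped_head(seed=1):
    """Constructed sample: pseudorandom bytes standing in for ISAAC output."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(WIPE_LEN))


if __name__ == "__main__":
    print("healthy:", triage_disk_head(constructed_healthy_head()))
    print("wiped:  ", triage_disk_head(constructed_wiped_head()))
```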

Tesla CEO Musk Issues Warning Regarding the Use of Starlink Terminals in Ukraine

 


Elon Musk, CEO of the electric vehicle manufacturer Tesla (TSLA) and chief of SpaceX, has issued a warning regarding the future of the Starlink satellite broadband service in Ukraine, given the current uncertainty in the country following the Russian invasion.
 
In his warning message on Twitter, Elon Musk wrote there is a high chance of the Starlink satellite internet service being targeted. It is worth noting that internet connectivity in Ukraine plummeted by 20% on 26 February, according to a report from Reuters. "Important warning: Starlink is the only non-Russian communications system still working in some parts of Ukraine, so probability of being targeted is high. Please use with caution," Musk tweeted.  
 
Elon Musk’s SpaceX activated the Starlink internet service in Ukraine after the country’s minister of digital transformation and first Vice Prime Minister, Mykhailo Fedorov, asked Musk to send Starlink stations because the Russian invasion had crippled the country’s internet service considerably.
 
The terminals resembling home satellite dishes arrived in the country in less than 48 hours. Moreover, the technology is apparently working as advertised, and the Ukrainian government has thanked the Tesla CEO for his assistance.   
 
However, multiple skeptics claimed that Musk was using the invasion of Ukraine as a publicity stunt. One Twitter user asked if the technology could really be under the threat of a Russian cyberattack. Musk replied that this had already happened to all Viasat Ukraine user terminals on the first day of the Russian invasion of Ukraine.
 
Starlink antennas, which resemble home satellite television dishes, are not designed to be used while in motion, and it was not clear what Musk meant by the tweet, Tim Farrar, a consultant in satellite communications, stated.
 
Musk's warning comes after John Scott-Railton, a senior researcher at the University of Toronto's Citizen Lab project, tweeted last week that Russian President Vladimir Putin controls the “air above” so that users’ uplink transmissions become viable targets for airstrikes.  
 
Additionally, security researcher Nicholas Weaver from the University of California at Berkeley stated that every Ukrainian citizen using a Starlink device should consider Starlink a “potential giant target.” That’s because a specialized plane aloft could easily detect the device and target its location, putting the user at high risk.

Ukrainian Government Websites Shut Down due to Cyberattack

 

Ukrainian state authorities' websites have stopped working. At the moment, the website of the Ukrainian president, as well as resources on the gov.ua domain are inaccessible. 
According to the source, a large-scale cyberattack by the Russian hacker group RaHDit was the reason. A total of 755 websites of the Ukrainian authorities at the gov.ua domain were taken offline as a result of the attack. 

Hackers posted on government websites an appeal written on behalf of Russian soldiers to soldiers of the Armed Forces of Ukraine and residents of Ukraine. "The events of the last days will be the subject of long discussions of our contemporaries and descendants, but the truth is always the same! It is absolutely obvious that what happened is a clear example of what happens when irresponsible, greedy, and indifferent to the needs of their people come to power," they wrote. 

Another of the hacked websites published an appeal on behalf of Zelensky. In it, the President of Ukraine allegedly stated that he had agreed to sign a peace treaty with Russia. "This is not treason to Ukraine, to the Ukrainian spirit, it is exclusively for the benefit of the Ukrainian people," the banner said. 

The third message called on civilians to "refuse to support national radical formations formed under the guise of territorial defense." It warned that any attempts to create armed gangs would be severely suppressed. In another announcement, Ukrainian soldiers were asked not to open fire on the Russian army and to lay down their weapons: "Return fire will kill you. You are guaranteed life, polite treatment, and a bus home after the war."

This information could not be confirmed. Currently, when entering government websites, it is reported that access to them cannot be obtained.

Earlier it became known that Russian hackers from the Killnet group hacked the website of the Anonymous group, which had previously declared a cyberwar against Russia. They urged Russians not to panic and not to trust fakes. 

On February 25, hackers from Anonymous announced their decision to declare a cyberwar against Russia due to the start of a special operation in the Donbas. The attackers attacked Russian Internet service providers and government websites. They also hacked the websites of major media outlets: TASS, Kommersant, Izvestia, Forbes, Mela, Fontanka. 

As a reminder, the special operation in Ukraine began in the morning of February 24. This was announced by Russian President Vladimir Putin.

Telegram has Experienced a Global Outage

 

On Thursday, March 3, the popular messenger Telegram experienced an outage. Users reported the problems on Downdetector, a service that tracks problems with access to Internet resources.

According to Downdetector, the failure occurred at about 14:00 Moscow time. The majority of those who left complaints (56 percent) reported problems with the server connection. Users also noted problems with receiving messages (22 percent) and the operation of the application (23 percent).

The failure affected residents of Russian cities, including Moscow and St. Petersburg. Users from Ukraine and Belarus also complained about the problems. 

The other day Pavel Durov published the following statement: "We do not want Telegram to be used as a tool to exacerbate conflicts and incite interethnic discord. In the event of an escalation of the situation, we will consider the possibility of partially or completely restricting the operation of Telegram channels in the countries involved during the conflict." 

According to him, Telegram has recently been increasingly used to spread fakes and unverified data related to the war, and the administration does not have the opportunity to check all publications for authenticity. However, Durov soon promised not to limit the work of the messenger in Ukraine.

According to him, "a lot of users have asked us not to consider disabling Telegram channels for the period of the conflict, since we are the only source of information for them." But he urges users to "double-check and not take for granted the data that is published in Telegram channels during this difficult period." 

It is worth noting that in the week since the beginning of Russia's military operation in Ukraine, news channels in the Telegram messenger have added 19.5 million new subscribers. VK, another Russian social network originally created by Pavel Durov, is experiencing a new surge in popularity due to technical problems at other social networks. In VK, views in the news feed increased by 5% over the week, and the average daily number of video views increased by 15%. People are turning to these platforms for up-to-date information from media outlets that are subject to hacker attacks, and from eyewitnesses of events.

Earlier, CySecurity News reported that three popular foreign social networks - Facebook, Instagram and Twitter began to receive complaints from residents of Russia in large numbers.