Tag Archive for: operator

Russian hackers send emails with malware, taking advantage of national mobile operator Kyivstar’s outage


Russian hackers are taking advantage of the outage at Kyivstar, one of Ukraine’s national mobile operators, to send out emails containing malware to Ukrainians using archive files named “Amount owed by subscriber”, “Request”, “Documents”, etc., the State Service of Special Communications has warned.

Source: State Service of Special Communications and Information Protection of Ukraine (SSSCIP) and the Government Computer Emergency Response Team (CERT-UA)

Quote from SSSCIP: “Hackers persist in exploiting issues that are bothering thousands of Ukrainians to spread malware. This time, experts from CERT-UA, the Governmental Computer Emergency Response Team of Ukraine, have uncovered a massive email campaign with the subject line ‘Amount owed under your Kyivstar contract’ and an attachment named ‘Amount owed by subscriber.zip’.

Ukrainians have received emails regarding ‘Amount owed under your Kyivstar contract’, which contained attachments in the form of an archive named ‘Amount owed by subscriber.zip’ with attached password-protected RAR archives.

Moreover, CERT-UA has detected the spreading of emails with the subject heading ‘Security Service of Ukraine (SSU) request’ with an attachment named ‘Documents.zip’. It includes a password-protected RAR archive ‘Request.rar’ followed by an executable file, ‘Request.exe’. As in the previous case, opening the archive and running the file leads to exposure to a RemcosRAT remote access programme.”

Details: The mobile operator Kyivstar experienced a large-scale outage on the morning of 12 December.

The CERT-UA team detected a massive email distribution with the subject line “Amount owed under your Kyivstar contract” and the attachment “Amount owed by subscriber.zip” on 21 December.

The ZIP archive contains a two-part RAR archive, “Amount owed by subscriber.rar”, which in turn contains a password-protected archive of the same name. That inner archive holds a macro-enabled document, “Customer debt.doc”.

Once the macro is activated, its code downloads the file “GB.exe” to the computer and runs it over the SMB protocol via File Explorer (explorer.exe).

In turn, this file is an SFX archive containing a batch script that downloads the executable file “wsuscr.exe” from…


Ukraine’s Largest Phone Operator Hacked in “Act of War”


Kyivstar, Ukraine’s leading mobile network operator, is experiencing a significant shutdown allegedly due to a cyber-attack.

The company, owned by Amsterdam-based Veon, warned on December 12 that it had suffered a “powerful” cyber-attack that caused a technical failure, rendering internet access and mobile communications temporarily unavailable for its customers.

Although Kyivstar did not directly attribute the attack initially, its director general later told Agence France Presse (AFP) that the firm considered the attack to be linked with the war against Russia.

In a Facebook post, Kyivstar said it was investigating the issue with law enforcement agencies, had reported it to Ukrainian state services, and was “working to eliminate the consequences and restore communications as soon as possible.”

“The most important thing is that, as of now, the personal data of subscribers has not been compromised. Our team will definitely compensate those subscribers who had no connection or could not use our services,” the firm added on social media.

“Yes, our enemies are cunning. But we are ready to face any challenges, overcome them and continue working for Ukrainians.”

Ukraine’s government confirmed to AFP that it started investigating the incident and that Russia was “suspected” of being behind it.

Both Cloudflare, a content delivery network (CDN) provider, and Netblocks, an internet monitoring firm, noticed disruptions on the Kyivstar internet network on December 12.

Additionally, Ukrainian payment system Monobank reported being targeted by a distributed denial-of-service (DDoS) attack just a few hours after Kyivstar’s social media post.

At the time of writing, there is no evidence that these two events are related.


Operator of Sellafield nuclear facility denies hacking claims


Sellafield Ltd, the Nuclear Decommissioning Authority (NDA)-backed organisation responsible for winding up the controversial Sellafield facility in Cumbria – the scene of the UK’s worst ever nuclear accident, in 1957 – has denied allegations that its IT networks were comprehensively compromised by both Chinese and Russian threat actors deploying so-called sleeper malware that lay undetected on its systems for years to conduct espionage.

Earlier this week, the Guardian newspaper published the results of a lengthy investigation in which it accused the organisation’s senior management of having “consistently covered up” the scale of the intrusions, which it is claimed date back to 2015.

The report alleged that the extent of the supposed breach only came to light when workers at other sites found they were able to access Sellafield’s systems remotely and escalated to the Office for Nuclear Regulation (ONR). It said an insider had described Sellafield’s server network as “fundamentally insecure”, and highlighted other concerns including outside contractors using USB memory sticks at the site and an incident in which user credentials were inadvertently filmed and broadcast by a BBC camera crew.

A spokesperson for Sellafield Ltd said: “We have no records or evidence to suggest that Sellafield Ltd networks have been successfully attacked by state-actors in the way described by the Guardian. Our monitoring systems are robust and we have a high degree of confidence that no such malware exists on our system.

“We take cyber security extremely seriously at Sellafield. All of our systems and servers have multiple layers of protection … Critical networks that enable us to operate safely are isolated from our general IT network, meaning an attack on our IT system would not penetrate these,” they added.

However, this is not the first time that evidence of cyber intrusions affecting Sellafield has come to light. In 2021, for example, the Information Commissioner’s Office (ICO) ruled against the organisation over data breach offences, although these related to an employment tribunal rather than to critical information about the facility, while Private Eye has…


Bulletproof hosting service operator behind Gozi malware … – SC Media

