Tag Archive for: russian

Russian ‘Cyber Sabotage’ A Global Threat: Security Firm

/in


A Sandworm cyber hacker groups linked to Russian intelligence services is expected by computer security firm Mandiant to take aim at Western elections the Kremlin would like to sway


Indranil Mukherjee

Text size

Source…

Hackers steal database of Russian convicts to avenge Navalny’s death – media

/in


After Russian opposition leader Alexei Navalny died in prison, a group of anti-Kremlin hackers gained access to the computer network run by the Federal Penitentiary Service (FSVP of Russia) and claimed they had snatched data on hundreds of thousands of prisoners.

This was reported by CNN, Ukrinform reports.

According to hackers, they got hold of the agency’s database, which contains information on approximately 800,000 Russian prisoners, their families and contacts, including data on prisoners held in the colony where Navalny died on February 16.

Hackers posted a photo of the politician alongside his wife Yulia at a political rally on the penitentiary service’s website.

Read also: Canada expanding Russia sanctions over Navalny’s death

The hackers, who claim to be of various ethnic backgrounds, including Russian expatriates and Ukrainians, are sharing the data “in the hope that somebody can contact them and help understand what happened to Navalny,” a hacker claiming to be involved in the breach told CNN.

An analysis by CNN found several duplicate entries in the database, but it still contains information on hundreds of thousands of people. CNN was able to match several names seen in the snapshots shared by hackers with people currently in a Russian prison as per public records.

The group also gained access to the prison’s online store, where families of convicts can purchase food for them, and changed the prices of some goods to just one ruble. This is evidenced by screenshots and videos published by hackers.

Read also: Defense Ministry developing legislative definition for term ‘cyberwarfare’

The group also posted Navalny’s photo on the store’s website. They sent a warning to the administrators of the prison’s online store not to remove the image and went on to destroy one of the servers when the admins failed to heed to the warning.

The hackers “clearly had full blown access to get it all,” says Tom Hegel, who is principal threat researcher at U.S. cybersecurity company SentinelOne. “The amount of images captured and data provided is quite thorough.”

Read also: Ukraine’s counterintelligence exposes 1,700 attempts at…

Source…

Russian Hackers Use ‘WINELOADER’ Malware to Target German Political Parties

/in


Mar 23, 2024NewsroomCyber Espionage / Cyber Warfare

Malware

The WINELOADER backdoor used in recent cyber attacks targeting diplomatic entities with wine-tasting phishing lures has been attributed as the handiwork of a hacking group with links to Russia’s Foreign Intelligence Service (SVR), which was responsible for breaching SolarWinds and Microsoft.

The findings come from Mandiant, which said Midnight Blizzard (aka APT29, BlueBravo, or Cozy Bear) used the malware to target German political parties with phishing emails bearing a logo from the Christian Democratic Union (CDU) around February 26, 2024.

“This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions,” researchers Luke Jenkins and Dan Black said.

Cybersecurity

WINELOADER was first disclosed by Zscaler ThreatLabz last month as part of a cyber espionage campaign that’s believed to have been ongoing since at least July 2023. It attributed the activity to a cluster dubbed SPIKEDWINE.

Attack chains leverage phishing emails with German-language lure content that purports to be an invite for a dinner reception to trick recipients into clicking on a phony link and downloading a rogue HTML Application (HTA) file, a first-stage dropper called ROOTSAW (aka EnvyScout) that acts as a conduit to deliver WINELOADER from a remote server.

“The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website,” the researchers said. “ROOTSAW delivered a second-stage CDU-themed lure document and a next stage WINELOADER payload.”

WINELOADER, invoked via a technique called DLL side-loading using the legitimate sqldumper.exe, comes equipped with abilities to contact an actor-controlled server and fetch additional modules for execution on the compromised hosts.

It’s said to share similarities with known APT29 malware families like BURNTBATTER, MUSKYBEAT, and BEATDROP, suggesting the work of a common developer.

WINELOADER, per the Google Cloud subsidiary, has also been employed in an operation targeting diplomatic…

Source…

Russian Hackers May Have Targeted Ukrainian Telecoms with Upgraded ‘AcidPour’ Malware

/in


Mar 22, 2024NewsroomLinux / Cyber Warfare

Ukrainian Telecoms

The data wiping malware called AcidPour may have been deployed in attacks targeting four telecom providers in Ukraine, new findings from SentinelOne show.

The cybersecurity firm also confirmed connections between the malware and AcidRain, tying it to threat activity clusters associated with Russian military intelligence.

“AcidPour’s expanded capabilities would enable it to better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions,” security researchers Juan Andres Guerrero-Saade and Tom Hegel said.

AcidPour is a variant of AcidRain, a wiper that was used to render Viasat KA-SAT modems operable at the onset of the Russo-Ukrainian war in early 2022 and cripple Ukraine’s military communications.

Cybersecurity

It also builds upon the latter’s features, while targeting Linux systems running on x86 architecture. AcidRain, on the other hand, is compiled for MIPS architecture.

Where AcidRain was more generic, AcidPour incorporates logic to target embedded devices, Storage Area Networks (SANs), Network Attached Storage (NAS) appliances, and dedicated RAID arrays.

That said, both the strains overlap when it comes to the use of the reboot calls and the method employed for recursive directory wiping. Also identical is the IOCTLs-based device-wiping mechanism that also shares commonalities with another malware linked to Sandworm known as VPNFilter.

“One of the most interesting aspects of AcidPour is its coding style, reminiscent of the pragmatic CaddyWiper broadly utilized against Ukrainian targets alongside notable malware like Industroyer 2,” the researchers said.

The C-based malware comes with a self-delete function that overwrites itself on disk at the beginning of its execution, while also employing an alternate wiping approach depending on the device type.

Russian Hackers

AcidPour has been attributed to a hacking crew tracked as UAC-0165, which is associated with Sandworm and has a track record of striking Ukrainian critical infrastructure.

The Computer Emergency Response Team of Ukraine (CERT-UA), in October 2023, implicated the adversary to attacks targeting at least 11…

Source…