Security News

Shuckworm's attacks are part of an ongoing campaign by Russian state-sponsored threat groups that escalated their efforts in the run-up to the invasion of Ukraine in late February, and have continue their attacks since. The Security Service of Ukraine last year said the group was responsible for more than 5,000 attacks against public agencies or critical infrastructure and linked Shuckworm to the FSB, Russia's security service and successor to the KGB. The SSU said the group targeted more than 1,500 government computer systems over seven years.

Threat analysts report that the Russian state-sponsored threat group known as Gamaredon is launching attacks against targets in Ukraine using new variants of the custom Pteredo backdoor. According to a report by Symantec, who tracks the group as Shuckworm, the actor is currently using at least four variants of the "Pteredo" malware, also tracked as Pteranodon.

"The attackers attempted to take down several infrastructure components of their target, namely: Electrical substations, Windows-operated computing systems, Linux-operated server equipment, [and] active network equipment," The State Service of Special Communications and Information Protection of Ukraine said in a statement. Slovak cybersecurity firm ESET, which collaborated with CERT-UA to analyze the attack, said the attempted intrusion involved the use of ICS-capable malware and regular disk wipers, with the adversary unleashing an updated variant of the Industroyer malware, which was first deployed in a 2016 assault on Ukraine's power grid.

Russian software developers are reporting that their GitHub accounts are being suspended without warning if they work for or previously worked for companies under US sanctions. The GitHub accounts of Sberbank Technology, Sberbank AI Lab, and the Alfa Bank Laboratory had their code repositories initially disabled and are now removed from the platform.

Despite being less active, which may suggest that the ransomware business is closer to moonlighting, OldGremlin has demanded ransoms as high as $3 million from one of its victims. Security researchers at Singapore-based cybersecurity company Group-IB say that this time OldGremlin impersonated a senior accountant at a Russian financial organization warning that the recent sanctions imposed on Russia would suspend the operations of the Visa and Mastercard payment processing systems.

A Russian cyberweapon, similar to the one used in 2016, was detected and removed before it could be used. ESET researchers collaborated with CERT-UA to analyze the attack against the Ukrainian energy company The destructive actions were scheduled for 2022-04-08 but artifacts suggest that the attack had been planned for at least two weeks The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine We assess with high confidence that the APT group Sandworm is responsible for this new attack Posted on April 13, 2022 at 6:32 AM 0 Comments.

Chinese telecom giant Huawei has issued a mandatory month-long furlough to some of its Russia-based staff and suspended new orders, according to Russian media. The business mag also reported that Chinese nationals working for Huawei Russia are still going to the office.

The Cybersecurity and Infrastructure Security Agency has ordered federal civilian agencies and urged all US organizations on Monday to patch an actively exploited bug impacting WatchGuard Firebox and XTM firewall appliances. Sandworm, a Russian-sponsored hacking group, believed to be part of the GRU Russian military intelligence agency, also exploited this high severity privilege escalation flaw to build a new botnet dubbed Cyclops Blink out of compromised WatchGuard Small Office/Home Office network devices.

A hacking group used the Conti's leaked ransomware source code to create their own ransomware to use in cyberattacks against Russian organizations. While it is common to hear of ransomware attacks targeting companies and encrypting data, we rarely hear about Russian organizations getting attacked similarly.

The Justice Department today announced a court-authorized operation, conducted in March 2022, to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm, which the U.S. government has previously attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation. The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control of the underlying botnet.