Security News

Security researcher says attacks on Russian government have Chinese fingerprints – and typos, too
2021-06-09 06:30

An advanced persistent threat that Russia found inside government systems was too crude to have been the work of a Western nation, says security researcher Juan Andrés Guerrero-Saade of Sentinel Labs, before suggesting the malware came from a Chinese entity. Russian telco and IT services provider Rostelecom and the nation's National Coordination Center for Computer Incidents, an arm of the Russian Federal Security Service, in May published a joint report that detailed their assessment of attacks on several Russian government entities detected in 2020.

Adventures in Contacting the Russian FSB
2021-06-07 13:35

The reason I contacted the FSB - one of the successor agencies to the Russian KGB - ironically enough had to do with security concerns raised by an infamous Russian hacker about the FSB's own preferred method of being contacted. "Think well before contacting the FSB for any questions or dealing with them, and if you nevertheless decide to do this, it is better to use a virtual machine," Horohorin wrote.

Russian Hackers Use New 'SkinnyBoy' Malware in Attacks on Military, Government Orgs
2021-06-07 10:36

The Russia-linked threat group known as APT28 has been observed using a new backdoor in a series of attacks targeting military and government institutions, researchers with threat intelligence company Cluster25 reveal. For initial access, the threat actor is known to use tactics such as watering hole attacks, social engineering, zero-day vulnerabilities, and stolen credentials, followed by the deployment of tools and malware that allow it to achieve persistence and gain access to information of interest.

New SkinnyBoy malware used by Russian hackers to breach sensitive orgs
2021-06-03 15:19

Security researchers have discovered a new piece of malware called SkinnyBoy that was used in spear-phishing campaigns attributed to the Russian-speaking hacking group APT28. The threat actor, also known as Fancy Bear, Sednit, Sofacy, Strontium, or Pawn Storm, used SkinnyBoy in attacks targeting military and government institutions earlier this year.

US: Russian threat actors likely behind JBS ransomware attack
2021-06-01 19:33

The White House has confirmed today that JBS, the world's largest beef producer, was hit by a ransomware attack over the weekend coordinated by a group likely based in Russia. On Monday, JBS had only hinted that a ransomware group caused the incident, stating that "The company's backup servers were not affected, and it is actively working with an Incident Response firm to restore its systems as soon as possible."

US Says Agencies Largely Fended Off Latest Russian Hack
2021-05-30 14:19

The White House says it believes U.S. government agencies largely fended off the latest cyberespionage onslaught blamed on Russian intelligence operatives, saying the spear-phishing campaign should not further damage relations with Moscow ahead of next month's planned presidential summit. The revelation of a new spy campaign so close to the June 16 summit between President Joe Biden and Russian counterpart Vladimir Putin adds to the urgency of White House efforts to confront the Kremlin over aggressive cyber activity that criminal indictments and diplomatic sanctions have done little to deter.

Microsoft: Russian hackers used 4 new malware in USAID phishing
2021-05-29 17:49

Microsoft states that a Russian hacking group used four new malware families in recent phishing attacks impersonating the United States Agency for International Development (USAID). In a second blog post, released Friday night, Microsoft provides details on the four new malware families used by Nobelium in these attacks.

Microsoft: Russian SVR hackers target govt agencies from 24 countries
2021-05-28 12:08

The Microsoft Threat Intelligence Center has discovered that the Russian-backed hackers behind the SolarWinds supply-chain attack are now coordinating an ongoing phishing campaign targeting government agencies worldwide. "While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries."

Russian gang behind SolarWinds hack returns with phishing attack disguised as mail from US aid agency
2021-05-28 07:57

Nobelium, the Russia-aligned gang identified as the perpetrator of the supply chain attack on SolarWinds' Orion software, has struck again, Microsoft vice president Tom Burt said in a blog post on Thursday. Burt's post says that in these attacks Nobelium gained access to the account that the United States Agency for International Development holds with the email marketing service Constant Contact.

Russian Hydra DarkNet Market Made Over $1.3 Billion in 2020
2021-05-26 22:30

Russian-language dark web marketplace Hydra has emerged as a hotspot for illicit activities, pulling in $1.37 billion worth of cryptocurrencies in 2020, up from $9.4 million in 2016, and growing roughly 624% over the three-year period from 2018 to 2020. Active since 2015, Hydra opened as a competitor to the now-defunct Russian Anonymous Marketplace, primarily facilitating the narcotics trade, before becoming a bazaar for all things criminal: it offers BTC cash-out services and peddles stolen credit cards, SIM cards, documents, IDs, and counterfeit money, with the operators profiting as the intermediary for every transaction conducted on the platform.